A vulnerability, which was classified as critical, was found in Hindu Matrimonial Script. This affects an unknown part of the file /admin/reports.php. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2017-20081

A vulnerability was found in Hindu Matrimonial Script. It has been classified as critical. This affects an unknown part of the file /admin/payment.php. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2017-20075

A vulnerability was found in Hindu Matrimonial Script. It has been declared as critical. This vulnerability affects unknown code of the file /admin/searchview.php. The manipulation leads to improper privilege management. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2017-20076

A vulnerability classified as critical was found in Hindu Matrimonial Script. This vulnerability affects unknown code of the file /admin/communitymanagement.php. The manipulation leads to improper privilege management. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2017-20070

Microweber versions 1.2.17 and prior are vulnerable to cross-site scripting. A patch is available on the `dev laravel9-php8` branch of the repository.

**Cross-site Scripting in Microweber**

Moderate severity GitHub Reviewed Published Jun 21, 2022 • Updated Jun 21, 2022

GHSA-27g3-58v4-fg9w: Cross-site Scripting in Microweber

### Impact A plugin public script can be used to read content of system files. ### Patches Upgrade to version 1.0.2. ### Workarounds `b/deploy/index.php` file can be deleted if deploy feature is not used.

**Unauthenticated Local File Inclusion**

**Package**

glpiinventory (glpi)

**Affected versions**

<= 1.0.1

**Description**

**Impact**

A plugin public script can be used to read content of system files.

**Patches**

Upgrade to version 1.0.2.

**Workarounds**

b/deploy/index.php file can be deleted if deploy feature is not used.

CVE-2022-31062

While we have heard less about web skimming attacks, attacks are still going on, but more quietly than before.
The post Client-side Magecart attacks still around, but more covert appeared first on Malwarebytes Labs.

_This blog post was authored by Jérôme Segura_

We have seen and heard less buzz about ‘Magecart’ during the past several months. While some companies continue to rehash the same breaches of yesteryear, we have been wondering if some changes took place in the threat landscape.

One thing we know is that if the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight. This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it.

We followed the trail on two recent reports that proved to be worthwhile. It allowed us to make a connection to a previous campaign and identify new pieces of a pretty wide infrastructure.

For now we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.

**Newly reported domains linked with ‘anti-VM’ skimmer**

On June 12, @rootprivilege tweeted about a hacked stored injected with the host js.staticounter\[.\]net that looked highly suspicious. When originally captured, the JavaScript appeared to be clean but it was confirmed to be malicious by @AffableKraut who posted a screenshot of the skimmer code.

A few days before @rootprivilege posted about this skimmer, @Sansec tweeted about another new skimmer domain at scanalytic\[.\]org. Comparing the two which are both on the same ASN (AS29182), we concluded that they are related.

We were able to connect these 2 domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It’s unclear why the threat actors removed it, unless perhaps it caused more issues than benefits.

There are other differences with the newest skimmer sample from @rootsecdev such as different naming schemes for important input fields. As you can see, in the former case these are explicitly referenced (i.e. CcNumber) while in the later iteration the names are generic web terms, making them less obvious.

**Additional infrastructure**

Using the urlscan.io service, we were able to discover additional infrastructure related to this ongoing campaign. We started our search with any recent submissions that made contact with an IP address belonging to AS29182.

The table below shows hostnames, their IP address and the date they were first seen on urlscan.io. Most of those were previously unknown to us until we recently started this investigation. You can click on the hyperlinks to load the corresponding sandbox pages, but note that a majority of them do not contain the actual skimmer code. This is most likely because the malicious infrastructure detected that urlscan.io’s sandbox was not using genuine residential IP addresses.

**Hostname**

**IP address**

**First seen**

app\[.\]nomalert\[.\]org

185.253.32.64

Nov 30, 2021

cdn\[.\]base-code\[.\]org

185.253.32.59

Jan 30, 2022

web\[.\]dwin-co\[.\]jp

185.253.32.44

Feb 3, 2022

dwin1\[.\]org

185.253.33.40

Feb 22, 2022

trustedport\[.\]org

185.253.32.50

March 4, 2022

h\[.\]lookmind\[.\]net

185.253.32.42

March 17, 2022

web\[.\]speedstester\[.\]com

185.253.33.191

March 25, 2022

search\[.\]global-search\[.\]net

185.253.33.188

April 13, 2022

static\[.\]clarlity\[.\]com

185.253.33.179

April 20, 2022

static\[.\]newrelc\[.\]net

185.63.190.207

April 22, 2022

static\[.\]druapps\[.\]org

185.63.190.183

May 26, 2022

js\[.\]imagero\[.\]org

185.63.190.144

May 27, 2022

common\[.\]quatserve\[.\]com

185.63.190.118

May 30, 2022

static\[.\]lookmetric\[.\]com

185.63.190.163

June 3, 2022

cdn\[.\]boxsearch\[.\]org

185.63.190.205

June 11, 2022

**Validating skimmer activity**

For the domains that are still responding, we can use information collected by urlscan.io and replay the attack using a genuine residential IP address and mimicking a real shopper’s experience. The image below shows the difference between a crawler session via VPN and one done manually with real network settings.

This allows us to confirm beyond doubt that the domains are indeed malicious, although their ASN should already be enough to proactively block them.

**Connection with previous skimmer activity**

Based on one hash, we can connect these skimmers to past activity going back to at least May 2020. One of the hostnames from our previous blog on the anti-vm skimmer, con\[.\]digital-speed\[.\]net, was loading this resource as well.

We can see 3 different themes used by the threat actor to hide their skimmer, named after JavaScript libraries:

*   hal-data\[.\]org/gre/code.js (Angular JS)
*   hal-data\[.\]org/data/ (Logger)
*   js.g-livestatic\[.\]com/theme/main.js (Modernizr)

**Less skimmer activity or simply more covert?**

There are likely many more skimmer domains on the infrastructure we detailed above, and it is a good idea to keep a close eye on it. Having said that, we have generally seen less skimming attacks during the past several months. Perhaps we have been too focused on the Magento CMS, or our crawlers and sandboxes are being detected because of various checks including at the network level.

As Ben Martin over at Sucuri showed, WordPress with the WooCommerce plugin is outpacing Magento in terms of attacks. In addition, we (as several other companies) can only observe client-side attacks and as such we are oblivious to what happens server-side. Only a handful of researchers who do website cleanups have the visibility into PHP-based skimmers.

While stealing credit cards is still a good business, there are other types of data considerably more worth it. Crypto wallets and similar digital assets are extremely valuable and there is no doubt that clever schemes to rob those are in place beyond phishing for them. For an example of a client-side attack via JavaScript draining crypto assets, check out this blog from Eliya Stein over at Confiant.

Malwarebytes customers are protected against this campaign.

**Indicators of Compromise**

**Skimmer domains**

abtasty\[.\]net  
accdn\[.\]lpsnmedia\[.\]org  
amplify\[.\]outbrains\[.\]net  
apis\[.\]murdoog\[.\]org  
app\[.\]iofrontcloud\[.\]com  
app\[.\]nomalert\[.\]org  
app\[.\]purechat\[.\]org  
app\[.\]rolfinder\[.\]com  
cdn\[.\]accutics\[.\]org  
cdn\[.\]alexametrics\[.\]net  
cdn\[.\]alligaturetrack\[.\]com  
cdn\[.\]base-code\[.\]org  
cdn\[.\]boxsearch\[.\]org  
cdn\[.\]cookieslaw\[.\]org  
cdn\[.\]getambassador\[.\]net  
cdn\[.\]hs-analytics\[.\]org  
cdn\[.\]jsdelivr\[.\]biz  
cdn\[.\]nosto\[.\]org  
cdn\[.\]pinnaclecart\[.\]io  
cdn\[.\]speedcurve\[.\]org  
cdn\[.\]tomafood\[.\]org  
clickcease\[.\]biz  
common\[.\]quatserve\[.\]com  
con\[.\]digital-speed\[.\]net  
content\[.\]digital-metric\[.\]org

css\[.\]tevidon\[.\]com  
demo-metrics\[.\]net  
dev\[.\]crisconnect\[.\]net  
dwin1\[.\]org  
epos\[.\]bayforall\[.\]biz  
feedaty\[.\]org  
graph\[.\]cloud-chart\[.\]net  
h\[.\]lookmind\[.\]net  
hal-data\[.\]org  
img\[.\]etakeawaymax\[.\]biz  
js\[.\]artesfut\[.\]com  
js\[.\]g-livestatic\[.\]com  
js\[.\]imagero\[.\]org  
js\[.\]librarysetr\[.\]com  
libsconnect\[.\]net  
listrakbi\[.\]io  
lp\[.\]celebrosnlp\[.\]org  
m\[.\]brands-watch\[.\]com  
m\[.\]sleeknote\[.\]org  
marklibs\[.\]com  
nypi\[.\]dc-storm\[.\]org  
opendwin\[.\]com  
pepperjams\[.\]org  
px\[.\]owneriq\[.\]org

r\[.\]klarnacdn\[.\]org  
rawgit\[.\]net  
rolfinder\[.\]com  
s1\[.\]listrakbi\[.\]org  
sdk\[.\]moonflare\[.\]org  
search\[.\]global-search\[.\]net  
shopvisible\[.\]org  
sjsmartcontent\[.\]org  
snapengage\[.\]io  
st\[.\]adsrvr\[.\]biz  
stage\[.\]sleefnote\[.\]com  
stat-analytics\[.\]org  
static\[.\]clarlity\[.\]com  
static\[.\]druapps\[.\]org  
static\[.\]lookmetric\[.\]com  
static\[.\]mantisadnetwork\[.\]org  
static\[.\]newrelc\[.\]net  
static\[.\]opendwin\[.\]com  
t\[.\]trackedlink\[.\]org  
troadster\[.\]com  
trustedport\[.\]org  
web\[.\]dwin-co\[.\]jp  
web\[.\]livechatsinc\[.\]net  
web\[.\]speedstester\[.\]com  
web\[.\]webflows\[.\]net

  
**Skimmer IPs**

185.253.32.174  
185.253.32.42  
185.253.32.44  
185.253.32.50  
185.253.32.59  
185.253.32.64  
185.253.33.179  
185.253.33.188  
185.253.33.191  
185.253.33.40  
185.63.188.59  
185.63.188.70  
185.63.188.71  
185.63.188.79  
185.63.188.85  
185.63.190.118

185.63.190.144  
185.63.190.163  
185.63.190.183  
185.63.190.205  
185.63.190.207  
185.63.190.212  
194.87.217.195  
194.87.217.197  
194.87.217.91  
212.109.222.225  
77.246.157.133  
80.78.249.78  
82.146.50.89  
82.146.50.132  
82.202.160.10  
82.202.160.119

82.202.160.123  
82.202.160.137  
82.202.160.29  
82.202.160.54  
82.202.160.8  
82.202.160.9  
82.202.161.77  
89.108.109.14  
89.108.109.167  
89.108.109.169  
89.108.116.123  
89.108.116.48  
89.108.123.168  
89.108.123.169  
89.108.123.28  
89.108.126.50  
89.108.127.16

Client-side Magecart attacks still around, but more covert

Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

SEC Consult Vulnerability Lab Security Advisory < 20220615-0 >  
=======================================================================  
               title: Hardcoded Backdoor User and Outdated Software Components  
             product: Nexans FTTO GigaSwitch industrial/office switches HW version 5  
  vulnerable version: See "Vulnerable / tested versions"  
       fixed version: V6.02N, V7.02  
          CVE number: CVE-2022-32985  
              impact: High  
            homepage: https://www.nexans.com/  
               found: 2020-05-25  
                  by: T. Weber (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"As a global player in the cable industry, Nexans is behind the scenes  
delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions  
of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they  
face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the  
most complex cable applications in the most demanding environments."

Source: https://www.nexans.com/company/What-we-do.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Outdated Vulnerable Software Components  
A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that  
are used in the devices' firmware. Four of them were verified by using the  
MEDUSA scalable firmware runtime.

2) Hardcoded Backdoor User (CVE-2022-32985)  
A hardcoded root user was found in "/etc/passwd". In combination with the  
invoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port  
50201 and 50200 to login on a system shell.

Proof of concept:  
-----------------  
1) Outdated Vulnerable Software Components  
Based on an automated scan with the IoT Inspector (ONEKEY) the following third party  
software packages were found to be outdated:

Firmware version 6.02L:  
BusyBox       1.20.2  
Dropbear SSH  2012.55  
GNU glibc     2.17  
lighttpd      1.4.48  
OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

* CVE-2015-9261 (Unzip)  
The crafted ZIP archive "x_6170921383890712452.bin" was taken from:  
https://www.openwall.com/lists/oss-security/2015/10/25/3  
Execution inside the firmware emulation:

bash-4.2# unzip x_6170921383890712452.bin  
Archive:  x_6170921383890712452.bin  
   inflating: ]3j½r«IK-%Ix  
do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc  
epc = 0044bb28 in busybox[400000+99000]  
ra  = 0044b968 in busybox[400000+99000]  
Segmentation fault

* CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)

PoC code was taken from:  
https://gist.github.com/dweinstein/66e6a088191ac0e8105c

* CVE-2015-7547 (getaddrinfo buffer overflow)

PoC code was taken from:  
https://github.com/fjserna/CVE-2015-7547

-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &  
[1] 259  
-bash-4.4# chroot /medusa_rootfs/ bin/bash  
bash-4.2# cd /medusa_exploits/  
bash-4.2# ./cve-2015-7547_glibc_getaddrinfo  
[UDP] Total Data len recv 36  
[UDP] Total Data len recv 36  
Connected with 127.0.0.1:34356  
[TCP] Total Data len recv 76  
[TCP] Request1 len recv 36  
[TCP] Request2 len recv 36  
Segmentation fault

* CVE-2017-16544 (shell autocompletion vulnerability)

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the  
vulnerability.  
-------------------------------------------------------------------------------  
# ls "pressing <TAB>"  
test  
]55;test.txt  
#  
-------------------------------------------------------------------------------

2) Hardcoded Backdoor User (CVE-2022-32985)  
The hardcoded system user, reachable via the dropbear SSH daemon was found due  
to multiple indications on the system. The undocumented root user itself was  
contained in the "passwd" file:

Content of the file "/etc/passwd".  
-------------------------------------------------------------------------------  
root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh  
[...]  
-------------------------------------------------------------------------------

A suspicious port for the SSH daemon was chosen in the config file of dropbear:

Content of the file "/etc/init.d/dropbear":  
-------------------------------------------------------------------------------  
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  
DAEMON=/usr/sbin/dropbear  
NAME=dropbear  
DESC="Dropbear SSH server"  
PIDFILE=/var/run/dropbear.pid

DROPBEAR_PORT="50200 -p 50201"  
[...]  
-------------------------------------------------------------------------------

This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the  
following pseudo-code:  
-------------------------------------------------------------------------------  
void dropbear_server_init(char param_1)

{  
   __pid_t __pid;  
   char *pcVar1;  
   int aiStack16 [2];

   __pid = fork();  
   if (__pid == 0) {  
     __pid = fork();  
     if (__pid != 0) {  
                     /* WARNING: Subroutine does not return */  
       exit(0);  
     }  
     if (param_1 == '\0') {  
       pcVar1 = "/etc/init.d/dropbear stop";  
     }  
     else {  
       pcVar1 = "/etc/init.d/dropbear start";                               <---  
     }  
     execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);  
   }  
   else {  
     waitpid(__pid,aiStack16,0);  
   }  
   return;  
}  
-------------------------------------------------------------------------------

This function is called if a specific command is issued in the CLI interface:  
-------------------------------------------------------------------------------  
[...]  
   iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);  
   if (iVar6 != 0) {  
     if (param_2 < 4) {  
       netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");  
       iVar6 = shared_mem_get_addr(&var_shm);  
       iVar7 = shared_mem_get_addr(&var_shm);  
       uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);  
       shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\x01');                                        <---  
       netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\0');                                          <---  
       netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");  
       return;  
     }  
     netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");  
     return;  
[...]  
-------------------------------------------------------------------------------  
The mentioned library is used in the CLI program that is running on the device.

Vulnerable / tested versions:  
-----------------------------  
The following firmware versions have been tested:

* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L  
* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

Vendor contact timeline:  
------------------------  
2020-05-28: Contacting the vendor's PSIRT under the following link:  
             http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail  
      No answer.  
2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended  
             deadline by 11 days.  
2020-06-16: Telephone call with Nexans representative. Security advisory was  
             received. It will be reviewed to confirm the found issues.  
2020-06-26: Telephone call with Nexans representative. Nexans is working on the  
             reported issues and will remove the dropbear daemon as first  
             measure.  
2020-08-04: Vendor stated that a fix for the outdated software components will  
             be available in November.  
2020-11-12: Asked for status update.  
2020-11-16: Contact stated, that firmware test will need more time. Updates are  
             estimated to be ready in Q1 of 2020.  
2020-11-20: Vendor confirmed Q1 as estimated disclosure date.  
2021-01-21: Asked for status update; Vendor stated that the release with all  
             fixes is aimed to be published end of Q1.  
2021-03-09: Asked for status update.  
2021-03-17: Vendor stated that the firmware is in testing stage. The fixed  
             firmware will be released in May.  
2021-06-10: Asked for status update.  
2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and  
             homeschooling. The fixed firmware will be released end of August.  
2021-08-31: Asked for status update.  
2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.  
2022-05-23: Informed vendor that the advisory will be released mid of June 2022.  
2022-05-24: Firmware V7.02 is available for download which fixes most outdated  
             components issues.  
2022-06-15: Release of security advisory.

Solution:  
---------  
The vendor provides an updated firmware here:  
https://www.nexans-ans.de/support/firmware/

Firmware version V6.02N has the backdoor removed and was already published a while ago.  
Version V7.02 also has the backdoor removed and most of the outdated software issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2022

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check.

**Mahara: Invalid Parameter**

A required parameter is missing or malformed

The 'id' parameter is not an integer

CVE-2022-33913: Mahara ePortfolio System

An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.

**Summary**

On the 6th of April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allows an attacker to gain remote code execution on the appliance without prior authentication or authorization.

The vulnerability is caused due to a lack of user input validation in two PHP scripts, which are normally included post-authentication. As no include-guards are in-place, an attacker is able to trigger the script without prior authentication by calling it directly.

**Impact**

An attacker is able to take control over the appliance as if they were logged in directly via a secure shell. If exploited, the attacker obtains limited user privileges on the machine as the “www-data” user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative “root” user of the system.

Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.

The following screenshot shows how NCC Group’s Fox-IT was able to gain remote code execution on the appliance using a custom-built Metasploit\[1\] module:

Figure 1 – Obtaining a Meterpreter\[2\] shell using a custom-built Metasploit module

**Details**

During a recent penetration test at one of NCC Group’s Fox-IT’s clients, a full review was performed of the backup process, as well as any appliances used, as to ensure the company has full system backups in the event of a ransomware breakout. One of the appliances in question was the FUJITSU CentricStor Control Center. Fox-IT requested read-only access to the appliance in order to assess the security of the product.

The web-application used to manage the backups was inspected, which lead NCC Group’s Fox-IT to discover the existence of two scripts, which are accessible by any user on the network and which pass user input directly to the “shell\_exec” and “system” functions.

The two files in questions are as follows:

*   /srv/www/htdocs/custom/library/system/grel.php
*   /srv/www/htdocs/custom/library/system/hw_view.php

**Command injection in grel.php (grelFileInfo)**

The first vulnerability resides in the “grel\_finfo” function in grel.php. An attacker is able to influence the username (“user”), password (“pw”), and file-name (“file”) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshots show this in more detail:

Figure 2 – The grel\_finfo function is defined and passes the $pw and $user variables directly to the system function call

Figure 3 – The grel\_finfo function is called without any prior authentication

**Command injection in hw\_view.php**

The second vulnerability resides in the "requestTempFile" function in hw_view.php. An attacker is able to influence the “unitName” POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshot shows this in more detail:

Figure 4 – The $unitName POST variable is passed directly to the shell\_exec function without prior authentication

**Recommendation**

Upgrade the product to versions v8.1A SP02 P04 or v8.0A SP01. Unfortunately, a dedicated Fujitsu customer request is required to do this due the software distribution model. For more information please contact Fujitsu through their ServiceNow Portal or Support Assistant.

Lastly, block any inbound traffic to port 80 and 443 through the use of a network firewall. Traffic should be selectively allowed only to other instances of the appliance, and only made directly accessible through a management LAN. This ensures attackers are not able to reach the machine without gaining access to this network segment first.

Another temporary measure to secure the application for the time being could be to force the web-interface to bind to the local loopback interface (127.0.0.1) and using a reverse SSH forward to access the service that way. This ensures no attackers are able to reach the web-interface before authenticating over SSH first. Please note that this might void your warranty, as such it is not recommended.

**Vendor Notice**

*   Fujitsu-PSIRT-PSS-IS-2022-050316-Security-Notice-SF.pdf

**Footnotes**

1\. https://en.wikipedia.org/wiki/Metasploit\_Project

2\. https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

3\. https://www.php.net/manual/en/function.escapeshellarg.php

**Published** May 27, 2022June 9, 2022

**Post navigation**

Tag

#php