Unraid 6.8.0 allows authentication bypass.

**Le laboratoire Sysdream**

Le laboratoire de Sysdream concentre les activités de Recherche et Développement en sécurité informatique, dans lesquelles interviennent nos consultants. Ceux-ci travaillent sur des problématiques fortes, inspirées de notre expérience terrain et de nos observations, afin d'apporter leurs compétences au service de l'innovation technique et de la sécurité informatique en général.

La recherche effectuée au sein de notre laboratoire cible tout particulièrement l'identification de vulnérabilités, mais aussi l'étude des différentes solutions aux problèmes d'actualités, comme la sécurité des terminaux mobiles ou encore l'évolution des technologies du Web (de par leurs contraintes fortes dans la protection des données confidentielles et privées). Ces recherches que nous menons aboutissent dans certains cas à la mise en conformité des solutions en production, ainsi qu'à la publication de livres blancs explicitant la ou les problématiques et les solutions identifiées. Nos recherches sont aussi exposées dans les magazines (Hackin9, MISC, ...) ou lors d'événements spécialisés comme le SSTIC, Hack in paris, ou encore la Nuit du hack.

Nous espérons ainsi pouvoir mettre à la disposition de tout un chacun les outils, études et analyses menées au sein de notre laboratoire et d'assurer une veille permanente dans le domaine de la sécurité.

 

14 Dec 2020

**\[CVE-2020-16842\] CSRF protection bypass in iTop**

iTop (ITSM & CMDB) is a complete open source, ITIL, web based service management tool including a fully customizable CMDB, a helpdesk system and a document management tool. It is developed by Combodo and hosted on GitHub

We found a bypass to the CSRF function, which could be used to create a new administrator account or execute code remotely through a variation of the `CVE-2018-10642` vulnerability (when an administrator account is targeted).

Lire la suite

 

21 Sep 2020

**\[CVE-2020-24389\] Remote Code Execution on Drag and Drop Multiple File Upload – Contact Form 7**

Drag and Drop Multiple File Uploader is a simple, straightforward WordPress plugin extension for Contact Form7, which allows the user to upload multiple files using the drag-and-drop feature or the common browse-file of your webform.

We discovered a remote code execution vulnerability in this plugin, because the validation of dangerous file extensions fails.

Lire la suite

 

12 Aug 2020

**\[CVE-2020-17364\] USVN stored XSS**

User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.

We found a stored XSS vulnerability inside the commit module, that could allow an attacker to execute JavaScript into the client application and take over user web browsers.

Lire la suite

 

12 Aug 2020

**\[CVE-2020-17363\] USVN Remote code execution**

User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.

We could execute code remotely, through an OS command injection inside the _Timeline_ module. It can be used by an authenticated user to execute arbitrary command against the operating system.

Lire la suite

 

05 Aug 2020

**\[CVE-2020-9036\] Jeedom XSS leading to Remote Code Execution**

Jeedom is a home automation solution used in IoT.

We discovered an XSS (cross-site-scripting) injection that can lead to a remote code execution.

Lire la suite

 

09 Jun 2020

**\[CVE-2020-13404\] Remote system command injection in Atos-Magento module**

A system command injection vulnerability has been introduced in the Atos-Magento module version 3.0.0. This module manage the remote ATOS payment solution for Magento 1.x (1.7+) e-commerce websites.

Lire la suite

 

25 May 2020

**Abusing PackageKit on Fedora/CentOS for fun & profit (from wheel to root).**

This article describes an exploitation path of PackageKit settings in Fedora/CentOS, to achieve local privilege escalation to root without any user interaction.

The scenario uses vulnerabilities in both the default configuration of PackageKit and some packages.

Lire la suite

 

25 May 2020

**\[CVE-2020-10936\] SYMPA Privileges escalation to root**

We found a way to escalate our privileges to root, exploiting a vulnerability in the way that a setsuid binary can be abused to load malicious Perl libraries.

Lire la suite

 

25 May 2020

**\[CVE-2020-12050\] Fedora/Red Hat/CentOS local privilege escalation through a race condition in the sqliteODBC installer script**

A vulnerability has been introduced in the package that installs sqliteODBC in Red Hat / CentOS / Fedora distributions.

It is a race condition that allows local users to escalate their privileges to root permissions.

Lire la suite

 

22 May 2020

**Ligolo : Reverse Tunneling made easy for pentesters, by pentesters**

Ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection in complete safety (TLS certificate with elliptical curve).

It is comparable to Meterpreter with Autoroute + Socks4a, but more stable and faster.

Lire la suite

CVE-2020-5849: Sysdream, Le lab'

An issue was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress. There is SQL injection via the rm_analytics_show_form rm_form_id parameter.

CVE-2020-8435

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

CVE-2020-9402

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

CVE-2020-9757: craft-seomatic/CHANGELOG.md at v3 · nystudio107/craft-seomatic

A UNIX Symbolic Link (Symlink) Following vulnerability in the mysql-systemd-helper of the mariadb packaging of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allows local attackers to change the permissions of arbitrary files to 0640. This issue affects: SUSE Linux Enterprise Server 12 mariadb versions prior to 10.2.31-3.25.1. SUSE Linux Enterprise Server 15 mariadb versions prior to 10.2.31-3.26.1.

'1160895?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2019-18901: Invalid Bug ID

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

@pioto As OSS projects usually go, when it is ready. Unfortunately there has been steady stream of individual classes to block, and since I do not want to spend time releasing micro-patches every week I have tried to wait for couple of days to have a break. So far there are 12 issues resolved, and none open (although waiting for CVE ids for 2).  
But I think I will release 2.9.10.4 by next weekend, regardless.

CVE-2020-9548: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548) · Issue #2634 · FasterXML/jackson-databind

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing a maliciously crafted image may lead to arbitrary code execution.

Released May 20, 2020

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**SQLite**

Available for: Windows 7 and later

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9805: an anonymous researcher

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9802: Samuel Groß of Google Project Zero

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9806: Wen Xu of SSLab at Georgia Tech

CVE-2020-9807: Wen Xu of SSLab at Georgia Tech

**WebKit**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9850: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9843: Ryan Pickren (ryanpickren.com)

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9803: Wen Xu of SSLab at Georgia Tech

CVE-2020-3878: About the security content of iTunes 12.10.7 for Windows

An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

**Summary**

An exploitable improper access control vulnerability exists in the iw\_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

**Tested Versions**

Moxa AWK-3131A Firmware version 1.13

**Product URLs**

http://www.moxa.com/product/AWK-3131A.htm

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-284: Improper Access Control

**Details**

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

Included with the web-based interface is the ability to add, delete, and edit user accounts to interact with the various exposed services. When a new account is added, various checks are performed to ensure that the account being added conforms with the expected format. If the new account passes all applied checks, the details are passed into a function that creates a new user account on the system. When this account is created it is given root permissions, but configured to only use the iw\_console restricted terminal as its default login shell for telnet and ssh access.

By default the device comes with 42 default user accounts, most of which are service accounts that cannot be used to login due to either a non-existent password or a nologin default shell. These can be seen below:

    root:$1$$1ZudtN1wlcCPXkNu2w6vT/:0:0:root:/:/etc/nologin.sh
    daccli:$1$$oCLuEVgI1iAqOA8pwkzAg1:0:0:root:/:/usr/sbin/daccli
    bin:x:1:1:bin:/bin:/etc/nologin.sh
    daemon:x:2:2:daemon:/sbin:/etc/nologin.sh
    adm:x:3:4:adm:/var/adm:/etc/nologin.sh
    lp:x:4:7:lp:/var/spool/lpd:/etc/nologin.sh
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/etc/nologin.sh
    news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/etc/nologin.sh
    operator:x:11:0:operator:/root:/etc/nologin.sh
    games:x:12:100:games:/usr/games:/etc/nologin.sh
    gopher:x:13:30:gopher:/var/gopher:/etc/nologin.sh
    ftp:x:14:50:FTP User:/var/ftp:/etc/nologin.sh
    nobody:x:99:99:Nobody:/:/etc/nologin.sh
    rpm:x:37:37::/var/lib/rpm:/etc/nologin.sh
    dbus:x:81:81:System message bus:/:/etc/nologin.sh
    avahi:x:70:70:Avahi daemon:/:/etc/nologin.sh
    rpc:x:32:32:Portmapper RPC user:/:/etc/nologin.sh
    mailnull:x:47:47::/var/spool/mqueue:/etc/nologin.sh
    smmsp:x:51:51::/var/spool/mqueue:/etc/nologin.sh
    nscd:x:28:28:NSCD Daemon:/:/etc/nologin.sh
    vcsa:x:69:69:virtual console memory owner:/dev:/etc/nologin.sh
    haldaemon:x:68:68:HAL daemon:/:/etc/nologin.sh
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/etc/nologin.sh
    nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/etc/nologin.sh
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/etc/nologin.sh
    netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
    pcap:x:77:77::/var/arpwatch:/etc/nologin.sh
    xfs:x:43:43:X Font Server:/etc/X11/fs:/etc/nologin.sh
    distcache:x:94:94:Distcache:/:/etc/nologin.sh
    ntp:x:38:38::/etc/ntp:/etc/nologin.sh
    apache:x:48:48:Apache:/var/www:/etc/nologin.sh
    mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
    webalizer:x:67:67:Webalizer:/var/www/usage:/etc/nologin.sh
    squid:x:23:23::/var/spool/squid:/etc/nologin.sh
    hsqldb:x:96:96::/var/lib/hsqldb:/etc/nologin.sh
    gdm:x:42:42::/var/gdm:/etc/nologin.sh
    admin:$1$lz3.QJLe$3HSiCnSdmi2T4j94apL25.:0:0:root:/:/usr/sbin/iw_console
    art::0:0:art calibration:/:/etc/art_shell.sh
    

By using the web-based account management platform it is possible to “create” a new user account that has the same name as any of the existing accounts, at which time that account password can be changed. When this is used against the “news” account, it is possible to gain access to a system shell from which root access can be obtained via the su command with a new user.

**Exploit Proof of Concept**

*   Navigate to ‘Main Menu -> Maintenance -> Account Settings’ in the web portal
*   Add the user ‘news’ with the password ‘moxa’
*   Add the user ‘newroot’ with the password ‘moxa’
*   Click to confirm the changes and reboot the device

You can then login as follows:

    user@machine:~# telnet 192.168.127.253
    Trying 192.168.127.253...
    Connected to 192.168.127.253.
    Escape character is '^]'.
    
    AWK-3131A_50:E8:6A login: news
    Password: 
    login: can't chdir to home directory '/etc/news'
    / $ whoami
    news
    / $ su -s /bin/sh newroot
    Password: 
    ~ # whoami
    root
    ~ # exit
    / $ exit
    Connection closed by foreign host.
    user@machine:~#
    

**Timeline**

2019-11-04 - Vendor Disclosure  
2020-02-24 - Public Release

Discovered by Jared Rittle of Cisco Talos.

CVE-2019-5162: TALOS-2019-0955 || Cisco Talos Intelligence Group

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

Tag

#sql